by borplk
3845 days ago
Someone correct me if I'm wrong but Vault on its own (without an agent) would be quite difficult to use in a simple web application setup, no? For example let's say I store an API token in Vault and want to use that in my Node.js application. That means I can't do "var api_token = MY_API_TOKEN;" because the secret needs to come from vault and get refreshed, etc... I'd imagine you will need some agent to manage the secret lease/expiry and for that to reload your entire application to ensure you don't end up with old secrets hanging around in the memory. This topic is not addressed anywhere in the Vault documentation; I looked everywhere I could.
As for how you can more easily use it, we recommend [the now weirdly named] consul-template or envconsul. The former (https://github.com/hashicorp/consul-template) will put secrets automatically into files and watch for changes, update the file, and refresh the process. If you put the files onto a non-swappable ramdisk, then it is reasonably secure (relative to most things, less secure than deeply integrating with Vault).
Envconsul, on the other hand, injects secrets as environment variables to a process. This is also reasonably secure but users have to be aware of the various ways that env vars can be read out of process (/proc for example).
These are the two easiest ways to get started that allow Vault to be used with brownfield software. If you greenfield something, integrating Vault first-class is the way to go for the most security and is what we're seeing bigger users go for.