[infamousjoeg]

My concern is how you can tell me whether a database user was created by Vault and not by a malicious actor with knowledge of Vault's Dynamic Secrets method mimicking it.

How the heck can I know if it was a legit created database user or not?

[armon]

When Vault connects to the endpoint system to create a dynamic user, it presents a set of credentials only known to it. You have to authorize Vault to create dynamic users, so a malicious actor would need to somehow obtain a similar level of privilege.

Vault typically prefixes something to the username as well (e.g. "vault-...") and also audits the creation of dynamic users so you can either look for the prefix or cross check the audit logs.

[FLUX-YOU]

I assume you can check Vault's audit logs and see if the user was created there or not.

[whip113]

I have 500k ids today. Now you want me to make those ids dynamic and correlate how much Splunk data with Vault audit data? And what is my pattern matching regex going to look like when the ids I'm trying to match on are randomly generated? And how do I pick out anomalous behavior from the noise I just intentionally created because Terraform can't stop leaking my secrets? And what about the performance? How does Vault scale to generate that many identities? And how do I audit my authorizations since on Vault I'd just see what groups the IDs were added to but not the groups those groups belonged to? What about replicating my authentication backends? Active Directory replication takes minutes to replicate a password in some environments, it's going to take longer to replicate a new identity and its group memberships. And while I can revoke an identity after some time, that doesn't mean existing authenticated sessions are terminated, it just means subsequent authentication with the same secret will fail.

[FLUX-YOU]

Maybe this feature isn't a good fit for your organization?

But based on what you've just asked, I'd definitely never create anything like what you're working with because it sounds like ANY addition to your infrastructure is problematic.

[infamousjoeg]

THIS! EVERYTHING THIS!

[mjlee]

Or if you want to automate it, you could use the Vault API to see which tokens have been created.

[Flenser]

> Vault associates each dynamic secret with a lease and automatically destroys the credentials when the lease expires

So whatever is accepting the secret must be checking with Vault to verify the secret.