4

I have a Django app. I want it to get all needed secrets from Vault.
As I understood I need to use AppRole for this.

I created a role. But then I need to auth using hvac:

# App Role
client.auth_approle('MY_ROLE_ID', 'MY_SECRET_ID')

So I manually get role-id and secret-id, that's ok. The question is where do I store them?

  1. Can I store role-id simply in my git repo settings.py file?
  2. Where should I store secret-id?

UPD:

Actually secret-id has it's own TTL. So when I restart my app how to get a new secret-id?

Sergey
  • 19,487
  • 13
  • 44
  • 68

2 Answers2

2

You can generate secret-id with indefinite validity. But doing so will be as good as keeping your secrets in the configuration file.

If you are using AWS ec2 instances, then you can consider using AWS approles.

Take a look at this https://github.com/tmobile/t-vault.

Varad
  • 21
  • 1
0

In my case, since I deploy these application on a Kubernetes pods, I have stored the access key as an environment variable, and the secret key as a Kubernetes secret.

You can use the same convention, else if it's deployed on a VM, you can put these information in a yaml/json file (encrypted if feasible) and read them on startup or on each Vault invocation call.

service_access_key: MY_COOL_VAULT_APPROLE_ACCESS_KEY
service_secret_key: MY_SUPER_DUPER_VAULT_APPROLE_SECRET

Additional brownie information: Ideally, it's best practice to keep the TTL low, 30 minutes max - if your application is stateful, or maybe even less if it's a stateless application. The secret key of Vault approle should also be rotated every 90 days. Please note by default, Vault approle backend has 31 days of TTL, so if you want to set it to 90 days, you need to increase TTL of the approle backend as well.

rebelution
  • 389
  • 2
  • 13