HashiCorp Certified: Vault Operations Professional 2022

Employ the Vault Security Model

Secure Introduction of Vault Clients

In this guide, we explore methods to securely introduce Vault clients, ensuring that your applications obtain secrets without exposing initial credentials. We’ll cover the concept of Secret Zero, security goals, and multiple introduction patterns using trusted platforms and orchestrators.

Secret Zero

Secret Zero is the initial secret an application needs to authenticate and retrieve further secrets. Examples from everyday tools include 1Password or LastPass, where a master password or biometric unlock grants access to stored credentials. In HashiCorp Vault, Secret Zero can be an auth method’s credentials or a Vault token.

Because Secret Zero unlocks access to dynamic secrets—database passwords, API keys, TLS certificates—it must be introduced at the last possible moment and never embedded in code or repositories.

The image explains "Secret Zero," which is the initial secret needed to access other secrets, using examples like 1Password or LastPass. It highlights the importance of securely introducing secret zero to prevent unauthorized access and privilege escalation.

Secure Introduction Goals

Use the following best practices to minimize risk when introducing Vault clients:

The image lists "Secure Introduction Goals" with seven points focused on credential management and security practices, alongside a Vault certification badge.

GoalBenefit
Unique credentials per instanceGranular revocation and auditing
Limit exposure of compromised credentialsReduces blast radius with short-lived credentials
No hard-coded credentialsPrevents accidental leaks in repositories
Reduce TTLs and use dynamic credentialsEnsures temporary access and automatic expiration
Runtime distribution onlyKeeps secrets out of code and build artifacts
Trusted platform identity verificationLeverages cloud or Kubernetes identities for auth
Trusted orchestrator for secret injectionAutomates secure provisioning in CI/CD and infrastructure

1. Unique Credentials per Instance

Assign each application instance its own credentials to enable individual revocation and precise auditing.

2. Limit Exposure of Compromised Credentials

Use short-lived credentials; if one is compromised, you can revoke its lease or token without impacting others.

3. No Hard-Coded Credentials

Authenticate at runtime instead of embedding secrets in code.

Warning

Never commit static credentials or SecretID values into version control.

4. Reduce TTLs and Use Dynamic Credentials

Favor dynamic credentials (e.g., database users, cloud provider tokens) with minimal TTLs to limit exposure.

5. Runtime Distribution Only

Inject secrets into applications only during startup or execution, never bake them into container images or binaries.

6. Trusted Platform Identity Verification

Leverage platform-specific identity sources for authentication:

  • AWS IAM
  • Azure MSI
  • GCP metadata server
  • Kubernetes ServiceAccount tokens

7. Trusted Orchestrator Injection

Use CI/CD tools or infrastructure-as-code platforms authenticated to Vault to generate and inject per-application secrets.


Secure Platform Authentication

Applications running on trusted platforms (AWS, Azure, GCP, Kubernetes) can authenticate to Vault using metadata services.

Authentication Flow

  1. Vault admin enables a platform auth method and defines a role.
  2. The application retrieves its instance identity (e.g., metadata service).
  3. It presents this identity data to Vault.
  4. Vault validates the data with the cloud provider.
  5. On success, Vault issues a short-lived token.

The image is a flowchart illustrating a secure platform process involving a vault admin, a trusted cloud platform, and an application server. It outlines steps for enabling authentication, obtaining and validating identity information, and returning a vault token.

The image illustrates a secure platform authentication process involving a trusted cloud platform, an application server, and a vault admin. It outlines steps for obtaining and validating identity information, authenticating, and returning a vault token.


Secure Orchestrator: CI/CD Pipeline

A CI/CD pipeline can act as a trusted orchestrator to generate and inject secrets at deployment time.

Pipeline Steps

  1. Vault admin creates an AppRole for the application.
  2. Developer retrieves the RoleID and bakes it into the application image.
  3. During deployment, the pipeline authenticates to Vault and requests a SecretID.
  4. The pipeline deploys the application and injects the SecretID at runtime.
  5. The application combines RoleID and SecretID to authenticate and retrieve secrets.

The image illustrates a secure CI/CD orchestration process involving a Vault Admin, Developer, Docker Image, and an application deployment pipeline, highlighting steps for role creation, authentication, and secret management.

Note

For stronger protection, enable response wrapping so that only the intended application can unwrap the SecretID.


Secure Orchestrator: Terraform

Use Terraform to provision infrastructure and request Vault credentials without storing secrets in code.

Provisioning Flow

  1. Terraform provisions new workloads.
  2. It requests an AppRole SecretID from Vault.
  3. Terraform injects the SecretID into the workload at deployment time.
  4. The application authenticates using its RoleID and the injected SecretID.

The image illustrates a process flow for a "Secure Orchestrator" using Terraform, showing steps for provisioning a new workload, generating a new AppRole Secret-ID, injecting the Secret-ID, and authenticating with AppRole credentials.

The SecretID is never stored in your Terraform code repository—only the provisioning logic is.


Vault Agent Auto-Auth

Vault Agent can manage authentication and token renewal for your application, reducing operational overhead.

Auto-Auth Steps

  1. Install Vault Agent on the application server.
  2. Configure the Auto-Auth stanza with your chosen auth method.
  3. Vault Agent authenticates to Vault and obtains a client token.
  4. The agent writes the client token to a local file.
  5. The application reads the token file for API requests to Vault.

The image illustrates the process of Vault Agent Auto Auth, showing steps for authenticating with Vault, returning and storing a client token, and requesting secrets from Vault on an application server.

Vault Agent ensures applications never handle raw credentials directly and transparently renews tokens as needed.


Watch Video

Watch video content

Previous
Section Overview Employ the Vault Security Model