Why We Need Dynamic Secrets

Secret management can be a really infuriating problem. No matter what you do there never seems to be a good solution between dealing with employees who know passwords leaving, automated processes needing credentials and other business processes. It's one of the toughest problems I have ever seen without a good solution. At least not one that the business people will accept without complaining that it's too expensive or burdensome.

This is all cool, but... once you get to a setup like this (which has many moving parts and config rewriting), why isn't that solution compared to kerberos? You get the temporary credentials giving you similar possibilities.

This is a great first step on building the right kind of infrastructure to stop applications from exposing secrets. Leases on secrets with dynamic policy enforcement is, IMHO, the future of application security. Happy to see companies like Hashicorp discussing more of the vision on how Vault can be used to secure applications that we depend on for infrastructure.<p>I would caveat, however, that encryption is just one part of the tool in the toolbox. A correct security posture is about having layers of defense. The next layer is absolutely the application and isolating secret management responsibility from the app layer to the infrastructure layer is the right strategy, IMO.

I&#x27;m still stuck on &quot;Yeah, but I need a credential to authenticate with Vault to get the other credential that I want&quot;.<p>Very chicken and egg.

This is awesome. Somewhat reminds me of Short-Lived SSL Certificates (e.g., <a href="https:&#x2F;&#x2F;medium.facilelogin.com&#x2F;short-lived-certificates-netflix-fd5f3ae5bc9" rel="nofollow">https:&#x2F;&#x2F;medium.facilelogin.com&#x2F;short-lived-certificates-netf...</a>)

Vault has always appeared to me to be a great technology for a larger tech org looking to implement more granular access control and increased auditability.<p>At a smaller scale, we&#x27;ve been satisfied with encrypting secrets using KMS and then placing the resultant ciphertext into environment variables that we commit with our terraform scripts. Our system does not allow granular access control, but it is relatively simple to implement using a couple of Bash scripts and allows committing all of the config, including secrets, all at once so that deploys are fully reproducible.<p>To allow a bit more granularity in isolating different environments, we use different encryption keys depending on whether we have a dev&#x2F;uat&#x2F;prod deployment. We grant the target application role access to particular secrets based on which KMS keys it can use.<p>The other trick is that we decrypt all of the secrets in our environment at the entry point of our application code, so that the environment is fully decrypted by the time the service runs. This means there is no trace of secret management in our application code.<p>There are intermediate steps of this scheme where we could revoke access to KMS keys for some developers, so that we could allow users to deploy services but not necessarily be able to use and access the encrypted secrets.<p>Regardless, I always appreciate knowing these kinds of technologies exist because they seem to me to solve very challenging problems at scale.

So this is like authentication tokens that pretty much any developer who&#x27;s had to use a web API probably knows already ? It definitely is welcome in a more &quot;traditional&quot; setup.

IME, dynamic secrets don&#x27;t scale well. First, you&#x27;re going to have a tough challenge getting a large org to stop sharing secrets amongst apps&#x2F;hosts. Tougher still is providing a justification for why host1 for Salesforce needs a unique credential from host2 for Salesforce that is doing the same thing. Second, ensuring privilege creep doesn&#x27;t occur becomes nightmarish when you consider an environment today that has 500k secrets and having to audit the authorizations an ID was granted in multiple backend authentication systems after that ID has been deleted. Finally, generating dynamic ids for an environment like this is a staggering amount of compute workload. Taking that same 500k environment and breaking these out to unique credentials dynamically generated puts you into 7 figure numbers pretty quick. Even if we ignore the complexity of such an arrangement, just consider what the performance demands are going to be to generate an id, assign it privileges and a password, provide that to a client, then clean the same id up later. We&#x27;ll ignore how this looks in an environment where you have to replicate the identity that was created across multiple authenticating backends. (think Active Directory domain replication)<p>In short, I think dynamic secrets will increase the threat surface dramatically, while simultaneously increasing complexity. Complex systems are expensive to maintain, hard to secure and notoriously fragile. There is a limited scope use case where dynamic secrets may be a good fit, but I for one wouldn&#x27;t base a purchasing decision on whether or not my secret store can do dynamic secrets. Instead, I&#x27;d want a secret store that has some provision for secrets rotation that I can tailor to the needs of my specific use cases.

This sounds an awful lot like .. Kerberos?

Here&#x27;s what I see happen with Vault in actual real world usage. Applications use the token auth method with extremely long lived tokens, and then the auth tokens are stored in source or in config files or whatever. It just moves the problem and makes it look better because they aren&#x27;t called &quot;passwords&quot;

Funny how hashicorp promotes security products on one hand and fails to implement proper security in their remaining products on the other hand.<p>For instance: Vagrant Images&#x2F;boxes hosted by hashicorp (vagrantcloud) are neither signed nor is there any author information available (if not explicitly provided by the uploader).

How does an application (say, a RESTful API server) deal with dynamic secrets? I suppose it could be simply restarted when a secret changes (assuming it is requesting the secret from Vault at startup). Is that how it is typically handled?

My concern is how you can tell me whether a database user was created by Vault and not by a malicious actor with knowledge of Vault&#x27;s Dynamic Secrets method mimicking it.<p>How the heck can I know if it was a legit created database user or not?

How does this different from an SSO (single-sign-on server)?

&quot;Why you need to buy our product.&quot;