We have a bunch of Windows server applications that currently handle secrets as follows; our apps are in C#.
- We store them in settings files in code
- We store them encrypted, using a certificate
- The servers have this certificate with the private key, so they can decrypt the secret
We’re looking at implementing HashiCorp Vault. It seems easy enough to simply replace the encrypt-store-decrypt with storing the secret in Vault in the KV engine, and just grabbing it in our apps – that takes that certificate out of the picture entirely. Since we’re on-prem, I’ll need to figure out our auth method.
We have different services running on different machines, and it’s somewhat dynamic (not as much as an autoscaling scenario, but not permanent – so we can’t just assign servers to roles one time and depend on Kerberos auth).
I’m unsure how to make AppRole work in our scenario. We don’t have one of the example "trusted platforms" or "trusted entities", there’s no Nomad, Chef, Terraform, etc. We have Windows machines, in a domain, and we have a homegrown orchestrator that could be queried to say "This machine name runs these services", so maybe there’s something that can be done there?
Am I in "write your own auth plugin" territory, to speak to our homegrown orchestrator?
Edit – someone on Reddit suggested that this is a simple solution if our services are all 1-to-1 with the Windows service account they run under, because then we can just use kerb authentication. That’s not currently the way we’re architected, but we’ve got to solve this somehow, and that might do it nicely.
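Added example (not part of the original post, and not HashiCorp's code): the usual way to make AppRole work without Nomad/Chef/Terraform is to let the homegrown orchestrator be the "trusted entity". The orchestrator already knows which machine runs which service, so it asks Vault for a SecretID with response wrapping and hands the service only the single-use wrapping token; the service unwraps it, logs in, and reads the KV v2 secret with the short-lived token it gets back. The RoleID is not sensitive and can live in the settings file the post already has. Everything named below is an assumption: the Vault address, the role name `billing-svc`, the KV v2 mount `secret`, the secret path `billing/db`, and an orchestrator token whose policy grants `update` on `auth/approle/role/billing-svc/secret-id`. Targets .NET 6 or later.

```csharp
using System;
using System.Net.Http;
using System.Net.Http.Json;
using System.Text.Json;
using System.Threading.Tasks;

public static class VaultAppRole
{
    // Assumption: Vault address; in practice read VAULT_ADDR or app config.
    static readonly Uri VaultAddr = new("https://vault.corp.local:8200");

    // Thin wrapper over Vault's HTTP API. Throws on any non-2xx so a failed
    // unwrap (token already used = someone else consumed it) is never silent.
    static async Task<JsonDocument> Send(HttpClient http, HttpMethod method, string path,
        string? token, object? body = null, string? wrapTtl = null)
    {
        var req = new HttpRequestMessage(method, new Uri(VaultAddr, path));
        if (token != null) req.Headers.Add("X-Vault-Token", token);
        if (wrapTtl != null) req.Headers.Add("X-Vault-Wrap-TTL", wrapTtl);
        if (body != null) req.Content = JsonContent.Create(body);
        using var resp = await http.SendAsync(req);
        var text = await resp.Content.ReadAsStringAsync();
        if (!resp.IsSuccessStatusCode)
            throw new InvalidOperationException($"Vault {method} {path} -> {(int)resp.StatusCode}: {text}");
        return JsonDocument.Parse(text);
    }

    // ---- Orchestrator side ----
    // Called when the orchestrator places service <role> on a host. Returns a
    // wrapping token (TTL 120s, single use) rather than the SecretID itself, so
    // the orchestrator never needs to log or store the real credential.
    // cidr_list pins the SecretID to the host's address (e.g. "10.20.30.40/32").
    public static async Task<string> IssueWrappedSecretId(HttpClient http, string orchestratorToken,
        string role, string hostCidr)
    {
        using var doc = await Send(http, HttpMethod.Post, $"/v1/auth/approle/role/{role}/secret-id",
            orchestratorToken, new { cidr_list = hostCidr }, wrapTtl: "120s");
        // With X-Vault-Wrap-TTL set, Vault returns wrap_info instead of data.
        return doc.RootElement.GetProperty("wrap_info").GetProperty("token").GetString()!;
    }

    // ---- Service side ----
    // Unwrap the SecretID (this consumes the wrapping token), then log in.
    // If the unwrap fails, assume the wrapping token was intercepted and alert;
    // do not retry with a fresh one from the same delivery.
    public static async Task<string> LoginWithWrappedSecretId(HttpClient http, string wrappingToken, string roleId)
    {
        string secretId;
        using (var unwrapped = await Send(http, HttpMethod.Post, "/v1/sys/wrapping/unwrap", wrappingToken))
            secretId = unwrapped.RootElement.GetProperty("data").GetProperty("secret_id").GetString()!;

        using var login = await Send(http, HttpMethod.Post, "/v1/auth/approle/login", null,
            new { role_id = roleId, secret_id = secretId });
        // Short-lived client token; keep it in memory only and let the policy on
        // the role decide what it can read.
        return login.RootElement.GetProperty("auth").GetProperty("client_token").GetString()!;
    }

    // Read one key from a KV v2 secret: GET /v1/<mount>/data/<path>, value under data.data.
    public static async Task<string> ReadKvV2(HttpClient http, string clientToken, string mount, string path, string key)
    {
        using var doc = await Send(http, HttpMethod.Get, $"/v1/{mount}/data/{path}", clientToken);
        return doc.RootElement.GetProperty("data").GetProperty("data").GetProperty(key).GetString()!;
    }

    // Usage against a real Vault (hypothetical environment variables):
    //   ORCH_TOKEN   - orchestrator's Vault token (orchestrator side only)
    //   ROLE_ID      - RoleID of billing-svc, shipped in the service's settings file
    public static async Task Main()
    {
        using var http = new HttpClient();
        // Orchestrator: runs on the orchestrator, result delivered to the host.
        string wrap = await IssueWrappedSecretId(http, Environment.GetEnvironmentVariable("ORCH_TOKEN")!,
            "billing-svc", "10.20.30.40/32");
        // Service: runs on the host that received the wrapping token.
        string token = await LoginWithWrappedSecretId(http, wrap, Environment.GetEnvironmentVariable("ROLE_ID")!);
        string dbPassword = await ReadKvV2(http, token, "secret", "billing/db", "password");
        Console.WriteLine($"got a {dbPassword.Length}-character password without touching a certificate");
    }
}
```

For this to be safe the role itself has to be configured to match, which is done once on the Vault side rather than in app code: set `secret_id_num_uses=1` and a short `secret_id_ttl` so each SecretID is good for exactly one login, set `secret_id_bound_cidrs` (or the per-request `cidr_list` above) so a leaked SecretID cannot be used from another host, and keep `token_ttl` short so the client token the service holds expires on its own. The orchestrator's token policy should allow writing only to `auth/approle/role/<role>/secret-id`, never reading `role-id` or the secrets themselves, so compromising the orchestrator yields the ability to mint logins but not the credentials. Compared with writing a custom auth plugin that calls back into the orchestrator, this keeps all trust decisions in a stock Vault auth method and leaves the plugin route for later if the "which machine runs what" lookup ever needs to be enforced by Vault at login time.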