natearn / 12-factor-docker-example

Building a multi-service application backwards from the 12 factor app guidelines.

Use Vault to supply authorization credentials #5

Open natearn opened 4 years ago

natearn commented 4 years ago

Each service should be secured, demanding some form of authorization in order to interact with it. In order to obtain that authorization at runtime, in a secure way, services will use HashiCorp Vault. The service should exchange an authentication credential (which will be provided through the config) with the secrets service for an authorization credential for a specific service.

The scope and nature of the granted authorization are to be determined. At this time, I am not certain of the expectations or limitations of Vault. This secrets solution should be easily replaced, in case the deployment environment offers an integrated solution, but the general authorization pattern should still be followed:

TODO:

  1. Set up the Vault dev server in the dev environment (docker-compose) as the secrets.
  2. Configure the Vault dev server to provide a database username and password.
  3. Update the api and database services to connect using the credentials provided by the secrets service.
  4. Configure the Vault dev server to protect the database credentials with an authentication mechanism.
  5. Configure the api service to authenticate with the secrets service to facilitate the database connection.
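
How a service could perform the credential exchange described in the comment above (an added example, not code from this repository). It assumes Vault's AppRole auth method and the database secrets engine mounted at its default `database/` path, and reads the authentication credential from config only: `VAULT_ADDR` is Vault's own convention, while `VAULT_ROLE_ID` and `VAULT_SECRET_ID` are variable names assumed here. The transport is injectable so the flow can be exercised against a fake Vault.

```python
import json
import os
import urllib.request


def http_json(method, url, body=None, token=None):
    """Minimal JSON transport for the Vault HTTP API (urllib, no extra deps)."""
    data = json.dumps(body).encode() if body is not None else None
    req = urllib.request.Request(url, data=data, method=method)
    req.add_header("Content-Type", "application/json")
    if token:
        req.add_header("X-Vault-Token", token)  # Vault's token header
    with urllib.request.urlopen(req, timeout=5) as resp:
        return json.load(resp)


class VaultSecrets:
    """Exchanges an AppRole authentication credential for database credentials."""

    def __init__(self, addr, role_id, secret_id, transport=http_json):
        self.addr = addr.rstrip("/")
        self.role_id, self.secret_id = role_id, secret_id
        self.transport = transport  # injectable so the flow can be tested offline
        self.token = None

    def login(self):
        # POST /v1/auth/approle/login returns a client token for this service.
        res = self.transport("POST", f"{self.addr}/v1/auth/approle/login",
                             {"role_id": self.role_id, "secret_id": self.secret_id})
        self.token = res["auth"]["client_token"]
        return self.token

    def database_credentials(self, role):
        # GET /v1/database/creds/<role> returns a leased username/password pair.
        if self.token is None:
            self.login()
        res = self.transport("GET", f"{self.addr}/v1/database/creds/{role}",
                             token=self.token)
        return {"username": res["data"]["username"],
                "password": res["data"]["password"],
                "lease_duration": res["lease_duration"]}


def secrets_from_env(env=os.environ, transport=http_json):
    """12-factor style: only the authentication credential comes from config."""
    return VaultSecrets(env["VAULT_ADDR"], env["VAULT_ROLE_ID"],
                        env["VAULT_SECRET_ID"], transport)
```

The returned `lease_duration` is what the service should watch so it renews or re-fetches the database credentials before they expire; against the dev server the root token can stand in for the AppRole login while steps 4 and 5 are still open.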
natearn commented 4 years ago

https://www.vaultproject.io/docs/concepts/dev-server