rajanadar / VaultSharp

A comprehensive cross-platform .NET Library for HashiCorp's Vault, a secret management tool
http://rajanadar.github.io/VaultSharp
Apache License 2.0

Can't have permission to operate write/read action for Generic Secret Backend #28

Closed whuzxj closed 6 years ago

whuzxj commented 7 years ago

If I use App Role Authentication Backend and Generic Secret Backend, how does vaultClient get the token to have the permission to perform write/read actions? Why doesn't Generic Secret Backend have an AWSGenerateDynamicCredentialsAsync method to get the token?

rajanadar commented 6 years ago

Thanks @whuzxj for using the library.

There are two questions here.

  1. If I use App Role Authentication Backend and Generic Secret Backend, how does vaultClient get the token to have the permission to perform write/read actions?

The App Role auth backend involves an Admin setting up 'Roles' with 'Token Policies', along with Secret Ids. When an application or service wants a token, it hits the /login endpoint of this Auth backend providing RoleId and SecretId, and gets a Vault Token which has the policies on the role. This policy will have the necessary access for write/read etc. (on any secret backend, not just generic).

Please see https://www.vaultproject.io/api/auth/approle/index.html for more details.

  2. Why doesn't Generic Secret Backend have an AWSGenerateDynamicCredentialsAsync method to get the token?

That is because it is like going to a "public storage place" and "asking for a train ticket". The public storage (generic backend) knows how to store your secrets in its storage rooms. Its purpose is to provide you with the space to store your items. It knows nothing about trains or train tickets.

Whereas the AWS Secret backend is like "the train station and the train ticket window" to be more specific. It knows how to get you a train ticket (AWS Credentials), because the system is connected in the background to trusted "Trains & Train Ticketing Systems" (AWS ecosystem) and can get you a "ticket" because it has the authority. (The AWS role you configured in the backend)

In short, every Auth or Secret backend has a purpose, and is a conduit to its backend system. They don't know much about each other, and they shouldn't.
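The flow described in this answer (AppRole login to obtain a token, then read/write on the generic backend with that token), as an added example that is not code from the issue or from the VaultSharp project; it assumes the 0.6-era VaultSharp API this issue discusses (VaultClientFactory, AppRoleAuthenticationInfo, ReadSecretAsync/WriteSecretAsync and their namespaces), a Vault server reachable at VAULT_ADDR, and a role whose token policy grants create/read/update on the hypothetical path secret/myapp/*:

```csharp
// Added example, not from the issue or the VaultSharp docs.
// Assumptions: 0.6-era VaultSharp API and namespaces (assumed); VAULT_ADDR, VAULT_ROLE_ID and
// VAULT_SECRET_ID set in the environment; the role's token policy allows create/read/update on
// the hypothetical path secret/myapp/*.
using System;
using System.Collections.Generic;
using System.Threading.Tasks;
using VaultSharp;
using VaultSharp.Backends.Authentication.Models;          // IAuthenticationInfo (assumed namespace)
using VaultSharp.Backends.Authentication.Models.AppRole;  // AppRoleAuthenticationInfo (assumed namespace)

public static class AppRoleSecretDemo
{
    public static async Task Main()
    {
        // SecretId is a credential and RoleId identifies the role; neither belongs in source
        // or config files, so both come from the environment (injected by the deployment system).
        var vaultAddress = Environment.GetEnvironmentVariable("VAULT_ADDR") ?? "http://127.0.0.1:8200";
        var roleId = Environment.GetEnvironmentVariable("VAULT_ROLE_ID");
        var secretId = Environment.GetEnvironmentVariable("VAULT_SECRET_ID");
        if (string.IsNullOrEmpty(roleId) || string.IsNullOrEmpty(secretId))
            throw new InvalidOperationException("VAULT_ROLE_ID and VAULT_SECRET_ID must be set");

        // Question 1: the client exchanges role_id + secret_id at auth/approle/login for a
        // Vault token carrying the role's policies. VaultSharp performs that login itself and
        // attaches the resulting token to every subsequent request.
        IAuthenticationInfo authInfo = new AppRoleAuthenticationInfo(roleId, secretId);
        IVaultClient vaultClient = VaultClientFactory.CreateVaultClient(new Uri(vaultAddress), authInfo);

        // Generic backend: write a key/value payload under a path the policy covers...
        var path = "secret/myapp/db";   // hypothetical path
        await vaultClient.WriteSecretAsync(path, new Dictionary<string, object>
        {
            { "username", "app_user" },                        // constructed sample values
            { "password", "example-only-not-a-real-password" }
        });

        // ...and read it back. If the role's policy lacks "read" on this path, Vault answers
        // 403 and VaultSharp surfaces it as an exception: a mis-scoped policy, not a library bug.
        var secret = await vaultClient.ReadSecretAsync(path);
        Console.WriteLine($"username = {secret.Data["username"]}");
    }
}
```

The same token works against any other secret backend the policy names; it is the policy attached to the role, not the backend, that decides which paths are readable or writable.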