
I have a Vault deployment in my cluster that I use to store secrets. Additionally, I have created roles, policies, and a ServiceAccount. My applications will retrieve secrets from Vault using this service account. However, I am concerned that another application could use the service account meant for a different application. What measures can I take to prevent this from happening?

Say, I have assigned different policies to application A and application B, so I need a way to ensure that application B cannot use the ServiceAccount meant for application A.

Anirudh Ramesh

1 Answer


Using the kubernetes auth method, this is how it works. You don't need to do anything else. Assuming you are using the default behavior of kubernetes where it creates a service account per app, you're good.

When an app logs in to Vault using a ServiceAccount, it provides its token and authenticates for a specific role, e.g.:

curl \
    --request POST \
    --data '{"jwt": "<your service account jwt>", "role": "demo"}' \
    http://127.0.0.1:8200/v1/auth/kubernetes/login

The SA token is available only to your service. Kubernetes creates a SA for each app. It means AppA doesn't have access to AppB's ServiceAccount token (unless you explicitly specify that).

The way to integrate that with Vault is to configure a named role with a bound service account and namespace:

vault write auth/kubernetes/role/demo \
    bound_service_account_names=myapp \
    bound_service_account_namespaces=default \
    policies=default \
    ttl=1h

The above role can be used to authenticate only for myapp from the default namespace. No other app can login using this role.

To address your question, you would need a different Vault role for each app, with a different bound service account and namespace.

Check out the Vault documentation on the kubernetes auth method for a full example.

Chen A.
  • Thank you so much for the detailed answer. I have sort of done this already. My confusion, particularly, is: what stops another app from using this service account? All apps are packaged as Helm charts, and one person can simply give the SVC-Account name as any account he wants. Is there any way to restrict this, apart from code review (i.e. how can an app authenticate itself before it can use a Svc account)? – Anirudh Ramesh Jun 20 '23 at 10:34
    You need to govern who has access to deploy apps, and where (namespaces). You can check additional tools such as Kyverno to configure restricted policies - https://kyverno.io/policies/other/restrict-service-account/restrict-service-account/ – Chen A. Jun 20 '23 at 12:00
  • Thank you! That makes a lot of sense. Marking this as resolved (The comment helped a lot) – Anirudh Ramesh Jun 20 '23 at 16:24
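As an added illustration (not code from the answer or from Vault itself), a small Python model of the bound-service-account check that the `vault write auth/kubernetes/role/demo ...` command in the answer configures: each role grants its policies only to the SA name and namespace it is bound to, so a token for app-b is refused against app-a's role. It assumes the token's `sub` claim has the standard `system:serviceaccount:<namespace>:<name>` form, and it skips the signature verification that real Vault performs before this step.

```python
import base64
import json

# Role table mirroring the `vault write auth/kubernetes/role/...` command in
# the answer: one role per app, each bound to its own SA name and namespace.
# All names, namespaces and policies are constructed for this example.
ROLES = {
    "app-a": {"bound_service_account_names": ["app-a"],
              "bound_service_account_namespaces": ["team-a"],
              "policies": ["app-a-secrets"]},
    "app-b": {"bound_service_account_names": ["app-b"],
              "bound_service_account_namespaces": ["team-b"],
              "policies": ["app-b-secrets"]},
}

def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def make_sa_jwt(name: str, namespace: str) -> str:
    """Constructed, UNSIGNED stand-in for a service-account token; a real one
    is signed by the API server and Vault verifies it before this check."""
    header = _b64url(json.dumps({"alg": "RS256", "typ": "JWT"}).encode())
    payload = _b64url(json.dumps({
        "iss": "kubernetes/serviceaccount",
        "sub": f"system:serviceaccount:{namespace}:{name}",
    }).encode())
    return f"{header}.{payload}.placeholder-signature"

def subject_of(jwt: str) -> tuple:
    """Return (namespace, name) from the `sub` claim, which has the form
    system:serviceaccount:<namespace>:<name>."""
    payload = jwt.split(".")[1]
    payload += "=" * (-len(payload) % 4)  # restore stripped base64 padding
    sub = json.loads(base64.urlsafe_b64decode(payload))["sub"]
    system, kind, namespace, name = sub.split(":")
    if (system, kind) != ("system", "serviceaccount"):
        raise ValueError("not a service-account subject")
    return namespace, name

def login(role_name: str, jwt: str):
    """Return the policies the role grants, or None when the presenting
    ServiceAccount is not bound to that role (login is refused)."""
    role = ROLES.get(role_name)
    if role is None:
        return None
    namespace, name = subject_of(jwt)
    names = role["bound_service_account_names"]
    namespaces = role["bound_service_account_namespaces"]
    if ("*" in names or name in names) and ("*" in namespaces or namespace in namespaces):
        return role["policies"]
    return None
```

Even if a chart author points a Deployment at another app's SA name, the pod still only receives that SA's token if it runs in the bound namespace, which is why the Kyverno-style namespace and SA restrictions in the comments complement the Vault role binding.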