undefined | Better HN

Skip to content

Top Best Ask Show New Jobs

0 pointstompic8235y ago0 comments

Great point about dynamic secrets. This is an area we currently don't address, but it is definitely on our roadmap. There is a segment of the market for which dynamic secrets are an absolute requirement and we fully acknowledge that.

0 comments

5 comments · 2 top-level

shay_ker5y ago· 3 in thread

Just out of curiosity - what do people use dynamic secrets for? What is a "dynamic" secret anyway?

gen2205y ago

At our company, we use vault to generate and cycle short-lived database credentials and tls certs. Our RPC services use the certs to encrypt their traffic amongst each other, and also to enforce RBAC (since the certs are traceable, via vault, to a service or individual's identity).

"Dynamic" secrets imply that rotation is automated and frequent, and that there are no "blessed" certs, but rather that all certs/keys are generated in exchange for a successful identity assertion.

For example, if I can prove that I am LDAP user gen220, who belongs to group db-x-developer, I have earned the right to request a credential for connecting to db-x, which expires some arbitrary time before my identity-assertion expires.

quaffapint5y ago

A simple example that we use them for is for dynamic database credentials. So you no longer define a static username/password. You request the access/credentials from vault as you need them.

how does that actually work? Vault has the user/password, and then acts as a gateway to the db?

quinndiggity5y ago

I guess dynamic secrets are too "ftp" for Doppler, eh?

You lost the entire audience who have actually used Vault before when you claimed it was too complex for your team to understand.. Why would I trust a company staffed with a crew that can't even understand the tools they are trying to compete with

j / k navigate · click thread line to collapse