paulgorman.org

Tue May 28 06:00:01 EDT 2024
========================================

Slept from ten to seven.

Mostly cloudy. A chance of showers in the morning, then showers likely and a chance of thunderstorms in the afternoon. Highs in the upper 60s. West winds 10 to 15 mph with gusts up to 25 mph. Chance of rain 70 percent.

# Work

* 10:30 AM - 11:00 AM IIPA weekly sync with Tah
* 11:30 AM - 12:00 PM Standards weekly check in
* 01:00 PM - 01:30 PM CTO demand team sync
* 02:00 PM - 03:00 PM DMND0001794 (FAM off Cognos) overview of Jasper Reports
* 04:00 PM - 05:00 PM CTO all SA call

# Home

* [ ] exercise for ten minutes
* [ ] rebuild personal VM (RHEL EOL June 2024)
* [ ] car oil change
* [ ] schedule dentist appointment
* [ ] schedule optometrist appointment

Read more of The Beautiful Thing.

Took out trash.

So, with a secrets manager, like Hashicorp Vault, how is trust first established?

https://developer.hashicorp.com/vault/tutorials/app-integration/secure-introduction

> There are three approaches to securely authenticate a secret consumer.
>
> * Platform Integration
> * Trusted Orchestrator
> * Vault Agent
>
> In the Platform Integration model, Vault trusts the underlying platform (e.g. AliCloud, AWS, Azure, GCP) which assigns a token or cryptographic identity (such as IAM token, signed JWT) to a virtual machine, container, or serverless function. Vault uses the provided identifier to verify the identity of the client by interacting with the underlying platform. After the client identity is verified, Vault returns a token to the client that is bound to their identity and policies that grant access to secrets.
>
> In the Trusted Orchestrator model, you have an orchestrator which is already authenticated against Vault with privileged permissions. The orchestrator launches new applications and injects a mechanism they can use to authenticate (e.g. AppRole, PKI cert, token, etc) with Vault. For example, suppose Terraform is being used as a trusted orchestrator. This means Terraform already has a Vault token, with enough capabilities to generate new tokens or create new mechanisms to authenticate such as an AppRole. Terraform can provision a new AppRole credential, and SSH into the new machine to inject the credentials. Terraform is creating the new credential in Vault, and making that credential available to the new resource. In this way, Terraform is acting as a trusted orchestrator and extending trust to the new machine. The new machine, or application running on it, can use the injected credentials to authenticate against Vault.
>
> Vault Agent is a client daemon which automates the workflow of client login and token refresh. It can be used with either platform integration or trusted orchestrator approaches.

So, "vault agent" doesn't seem to be a real third option ― it relies on one of the two earlier methods, right?

Servings: grains 1/6, fruit 1/4, vegetables 0/4, dairy 1/2, meat 0/3, nuts 0/0.5

Brunch: pineapple, bagel with cream cheese
Lunch: coffee
Afternoon snack:
Dinner:
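To make the Trusted Orchestrator model from the Vault note above concrete, here is an added example (not from the page and not HashiCorp's own code) of Terraform provisioning a one-shot AppRole credential and injecting it over SSH; the host name, SSH user, policy path and file locations are assumptions, and the orchestrator's privileged Vault token is assumed to be configured in the Vault provider.

```hcl
# Added example: Terraform as the trusted orchestrator. Assumes the provider is
# configured with a privileged Vault token; host and user are placeholders.
resource "vault_auth_backend" "approle" {
  type = "approle"
}

# Least privilege: the injected identity can only read this app's secrets.
resource "vault_policy" "app" {
  name   = "app-read"
  policy = <<-EOT
    path "secret/data/app/*" {
      capabilities = ["read"]
    }
  EOT
}

resource "vault_approle_auth_backend_role" "app" {
  backend            = vault_auth_backend.approle.path
  role_name          = "app"
  token_policies     = [vault_policy.app.name]
  secret_id_num_uses = 1    # the injected secret_id works for exactly one login
  secret_id_ttl      = 600  # and only if that login happens within ten minutes
  token_ttl          = 3600
}

# Response-wrapped: Terraform and the SSH session only ever carry a short-lived
# wrapping token. The machine unwraps it once; if someone else unwrapped it
# first, the machine's unwrap fails, which signals interception of the credential.
resource "vault_approle_auth_backend_role_secret_id" "app" {
  backend      = vault_auth_backend.approle.path
  role_name    = vault_approle_auth_backend_role.app.role_name
  wrapping_ttl = "300s"
}
# Inject role_id and the unwrapped secret_id over SSH. The remote host needs
# the vault CLI installed and VAULT_ADDR set for the unwrap call.
resource "null_resource" "inject_approle" {
  connection {
    type = "ssh"
    host = "app.example.internal" # placeholder
    user = "deploy"               # placeholder
  }
  provisioner "remote-exec" {
    inline = [
      "umask 077 && install -d /etc/vault",
      "echo '${vault_approle_auth_backend_role.app.role_id}' > /etc/vault/role_id",
      "vault unwrap -field=secret_id '${vault_approle_auth_backend_role_secret_id.app.wrapping_token}' > /etc/vault/secret_id",
    ]
  }
}
```

On the machine, Vault Agent's approle auto-auth method reads exactly these two files (its role_id_file_path and secret_id_file_path settings, with remove_secret_id_file_after_reading) and then handles the login and token renewal, which is the sense in which the agent rides on the orchestrator's introduction rather than replacing it. Wrapping also keeps the raw secret_id out of Terraform state; only the single-use, five-minute wrapping token is recorded there.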
