Static Kubernetes ServiceAccount tokens are a long-standing security risk.
This post walks through authenticating workloads to HashiCorp Vault using JWT/OIDC, exchanging pod identity for short-lived, least-privilege Vault tokens via a Kubernetes-aware STS—without relying on static credentials.

#Kubernetes #HashiCorpVault #OIDC #WorkloadIdentity #ZeroTrust
https://www.tremolo.io/post/short-lived-tokens-with-vault-without-the-static-serviceaccount

Short Lived Tokens With Vault Without The Static ServiceAccount

Learn how to securely authenticate Kubernetes workloads with HashiCorp Vault using short-lived tokens instead of static ServiceAccount credentials. This post explains why long-lived ServiceAccount tokens are a security risk and shows how to use JWT/OIDC-based authentication and a Kubernetes-aware STS to issue ephemeral Vault tokens, improving workload identity, least-privilege access, and secret security in Kubernetes.

Hashicorp Vault uses policies for fine-grained access control. A policy defines the actions (create, read, update, delete, sudo) allowed on paths (which may contain wildcards). There are two built-in policies: root (full rights) and default (attached automatically). Written in HCL, policies are attached to tokens to control their permissions at mount paths. Examples: managing auth methods, secrets engines, creating orphan tokens.

#HashicorpVault #VaultPolicies #AccessControl #DevOps #SecretsManagement
#KiemSoatTruyCap #QuanLyBiMat #ChinhSachVa
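The policy ideas from the post above (capabilities, path wildcards, sudo-gated endpoints), as an added illustration that is not from the original post; the `secret/data/myapp/...` paths and the `myapp` name are hypothetical, while `sys/auth/*` and `auth/token/create-orphan` are real Vault endpoints:

```hcl
# Least-privilege policy for a hypothetical application "myapp" (example only).

# '*' at the end matches any suffix: read and list production secrets (KV v2 data path).
path "secret/data/myapp/prod/*" {
  capabilities = ["read", "list"]
}

# KV v2 keeps the key listing under the metadata path, so 'list' is granted there.
path "secret/metadata/myapp/prod/*" {
  capabilities = ["list"]
}

# '+' matches exactly one path segment: any environment's config, but nothing deeper.
path "secret/data/myapp/+/config" {
  capabilities = ["read"]
}

# 'deny' always wins over grants from other rules, carving admin keys out of the wildcard above.
path "secret/data/myapp/prod/admin-*" {
  capabilities = ["deny"]
}

# Enabling or disabling auth methods is a sudo-protected operation on sys/auth.
path "sys/auth/*" {
  capabilities = ["create", "update", "delete", "sudo"]
}

# Creating orphan tokens (not revoked with their parent) also requires sudo.
path "auth/token/create-orphan" {
  capabilities = ["create", "update", "sudo"]
}
```

Attach it with `vault policy write myapp-prod policy.hcl` and check what a token may do with `vault token capabilities <token> secret/data/myapp/prod/db`, which reports `deny` for the carved-out admin keys.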

New blog post: https://blog.mei-home.net/posts/k8s-migration-24-vault/

Migrating my baremetal Vault instance to k8s, including a general introduction to Vault itself and using Terraform to configure it.

Completely unrelated, is anyone interested in a couple of tons of Yak wool?

#HomeLab #Blog #HashiCorpVault

Nomad to k8s, Part 24: Migrating Vault to Kubernetes

Migrating my baremetal Vault to the Kubernetes cluster.

ln --help

Did I miss a trend in JSON log formatting? HashiCorp's Vault seems to be of the opinion that all keys in their JSON logs should be prefixed by an "@"? As in:

{"@timestamp": "foobar", "@message": "baz"}

Very weird.

#HomeLab #HashiCorpVault

Why You Need To Bake Security Into Your CI/CD Pipelines

Continuous Integration and Continuous Deployment (CI/CD) pipelines have become an indispensable part of the software delivery process. These pipelines enable rapid iteration, automated testing, and…

DevOps By Nature
OpenBao making good progress on replacing Vault, but has no UI. Check out how to use OpenTofu to create the most complicated OpenBao/Vault you’ve probably ever seen https://slush.ca/posts/buffet/ #openbao #opentofu #hashicorpvault
New all you can eat buffet in town, or how I learned to love Bao with Tofu

In the beginning, there was Hashicorp. In the early days of DevOps, Hashicorp wrote the tools everyone used to get work done. Vagrant let you have a local, tight loop of building local envs to run tests on. Packer let you build images as code to deploy to VMware, Docker, Hyper-V, and many more. Terraform was Infra-As-Code for all major cloud providers. Then along came services to deploy onto. Consul, Vault, Nomad.

hello friends electric

The killer with #Strapi is getting a clean state for testing rigs.

For example there's no native rebuild database command (published), rather Strapi will notice there's no tables/db file and create it.
This meant not using the "webServer" config in #Playwright so that I'm not removing the database *after* the server has started.

I'm using #Babashka to manage setup/teardown logic, and there is a #HashicorpVault client available so I can squirrel away JWT tokens and such.

Evaluated #HashiCorpVault quite a bit and documented my small setup. Vault is a secrets manager and pretty powerful. Added a #golang example: https://www.auxnet.de/en/blog/self-host-vault/ - hope people might find it interesting.
Self-Host Hashicorp Vault Secrets Server with Docker

Recently, I have been evaluating Hashicorp’s Vault Server and set it up on several machines in a simple setup. Since the instructions on the Internet are somewhat scattered, I document my approach in the hope that it may help others.

Environment

I will not be using Kubernetes or Docker Swarm (in both, you can solve it quite nicely with the appropriate placement of containers if you master the storage challenge). The reason we’re using separate Docker instances is historical to the project.

"It's hard to see a good way out right now for [#HashiCorp]." Users and analysts react to reports the #cloudnative vendor is seeking a sale #Terraform #HashiCorpVault #OpenTofu https://www.techtarget.com/searchitoperations/news/366574475/HashiCorp-stock-rises-users-hearts-fall-on-sale-report
HashiCorp stock rises, users' hearts fall on sale report

HashiCorp could be an enticing asset for a large IT vendor, but a sale wouldn't necessarily be great news for customers who value the neutrality of its cloud-native apps.

TechTarget

Despite everything I #selfhost, I thought it was still a good idea to use #keybase to encrypt the unseal key for my #homelab #hashicorpvault instance.

Turns out their baked-in TLS cert expired on the 31st and rendered all installs defunct. Now I'm dependent on them to update and distribute a new client so that I can unlock my homelab #automation.

Lesson learned, #selfhosteverything