Envmap - No more .env files lying around and ending up on GitHub
https://fed.brid.gy/r/https://korben.info/envmap-secrets-sans-fichier-env-disque-github-leaks.html
Static Kubernetes ServiceAccount tokens are a long-standing security risk.
This post walks through authenticating workloads to HashiCorp Vault using JWT/OIDC, exchanging pod identity for short-lived, least-privilege Vault tokens via a Kubernetes-aware STS—without relying on static credentials.
#Kubernetes #HashiCorpVault #OIDC #WorkloadIdentity #ZeroTrust
https://www.tremolo.io/post/short-lived-tokens-with-vault-without-the-static-serviceaccount

Learn how to securely authenticate Kubernetes workloads with HashiCorp Vault using short-lived tokens instead of static ServiceAccount credentials. This post explains why long-lived ServiceAccount tokens are a security risk and shows how to use JWT/OIDC-based authentication and a Kubernetes-aware STS to issue ephemeral Vault tokens, improving workload identity, least-privilege access, and secret security in Kubernetes.
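The role-binding step described above, as an added example: this is illustrative Python, not Vault's implementation and not the STS from the linked post. It models the checks a Vault JWT auth role (`bound_audiences`, `bound_claims`, `user_claim`, `token_policies`, `token_ttl`) applies to a Kubernetes projected ServiceAccount token before minting a short-lived Vault token. It assumes the JWT signature and issuer were already verified against the cluster's OIDC discovery/JWKS endpoint (which Vault does first), and the role and token payload below are constructed for illustration.

```python
"""Added example (not Vault's implementation and not the STS from the post): the
role-binding checks a Vault JWT auth role applies to a Kubernetes projected
ServiceAccount token before it mints a short-lived Vault token.

Assumes signature and issuer were already verified against the cluster's OIDC
discovery / JWKS endpoint; only claim bindings and token lifetime are modelled.
Role fields mirror `vault write auth/jwt/role/...` parameters; the role and the
token payload are constructed for illustration.
"""
from __future__ import annotations

import time
from typing import Any

ROLE: dict[str, Any] = {
    "role_type": "jwt",
    "bound_audiences": ["vault"],                      # the projected token's `aud`
    "bound_claims": {                                  # JSON-pointer keys reach nested claims
        "/kubernetes.io/namespace/name": ["payments"],
        "/kubernetes.io/serviceaccount/name": ["app-team"],
    },
    "user_claim": "sub",                               # becomes the entity alias name
    "token_policies": ["app-team"],                    # least privilege: one narrow policy
    "token_ttl": 600,                                  # seconds; short-lived by design
    "token_max_ttl": 3600,
}

# Constructed payload of a projected ServiceAccount token (projected volume with
# audience "vault"); the claim layout follows what the kube-apiserver issues.
SA_TOKEN_CLAIMS: dict[str, Any] = {
    "iss": "https://kubernetes.default.svc.cluster.local",
    "sub": "system:serviceaccount:payments:app-team",
    "aud": ["vault"],
    "iat": 1_700_000_000,
    "exp": 1_700_000_600,
    "kubernetes.io": {
        "namespace": {"name": "payments"},
        "pod": {"name": "app-team-7c9d5-x2k4z", "uid": "00000000-0000-0000-0000-000000000001"},
        "serviceaccount": {"name": "app-team", "uid": "00000000-0000-0000-0000-000000000002"},
    },
}


def resolve_claim(claims: dict[str, Any], name: str) -> Any:
    """Plain claim name, or a JSON pointer ('/a/b') into nested claims; None if absent."""
    if not name.startswith("/"):
        return claims.get(name)
    node: Any = claims
    for part in name[1:].split("/"):
        part = part.replace("~1", "/").replace("~0", "~")
        if not isinstance(node, dict) or part not in node:
            return None
        node = node[part]
    return node


def evaluate_login(role: dict[str, Any], claims: dict[str, Any], now: float | None = None) -> dict[str, Any]:
    """Return {'ok': True, ...token parameters...} or {'ok': False, 'reason': ...}."""
    now = time.time() if now is None else now
    exp = claims.get("exp")
    if not isinstance(exp, (int, float)) or exp <= now:
        return {"ok": False, "reason": "jwt expired or has no exp"}
    if claims.get("nbf", 0) > now:
        return {"ok": False, "reason": "jwt not yet valid"}

    aud = claims.get("aud", [])
    aud = [aud] if isinstance(aud, str) else list(aud)
    if not set(aud) & set(role["bound_audiences"]):
        return {"ok": False, "reason": "audience mismatch"}

    if "bound_subject" in role and claims.get("sub") != role["bound_subject"]:
        return {"ok": False, "reason": "subject mismatch"}

    for claim, expected in role.get("bound_claims", {}).items():
        allowed = expected if isinstance(expected, list) else [expected]
        if resolve_claim(claims, claim) not in allowed:
            return {"ok": False, "reason": f"bound claim {claim} mismatch"}

    alias = resolve_claim(claims, role["user_claim"])
    if alias is None:
        return {"ok": False, "reason": f"user claim {role['user_claim']} missing"}

    # The Vault token's lifetime comes from the role, not from the caller.
    ttl = min(role["token_ttl"], role["token_max_ttl"])
    return {
        "ok": True,
        "entity_alias": alias,
        "policies": list(role["token_policies"]),
        "ttl": ttl,
        "expires_at": now + ttl,
    }


if __name__ == "__main__":
    print(evaluate_login(ROLE, SA_TOKEN_CLAIMS, now=1_700_000_100))
```

The two bindings on namespace and ServiceAccount name are what keep a token stolen from one pod from logging in as another workload; the audience check is what stops the kube-apiserver's own default-audience tokens from being replayed against Vault.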
HashiCorp Vault uses policies for fine-grained access control. A policy defines actions (create, read, update, delete, sudo) for paths (which may contain wildcards). There are two built-in policies: root (full permissions) and default (attached automatically). Written in HCL, policies are applied to tokens to control permissions at mount paths. Examples: managing auth methods and secrets engines, creating orphan tokens.
#HashicorpVault #VaultPolicies #AccessControl #DevOps #SecretsManagement
#KiemSoatTruyCap #QuanLyBiMat #ChinhSachVa
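The policy semantics summarised above, as an added example that is not Vault's own code: a small Python evaluator for deny-by-default path capabilities, the trailing `*` glob and the `+` single-segment wildcard, most-specific-path-wins, `deny` overriding everything, and `sudo` being required on root-protected paths in addition to the operation's own capability. Policies are Python dicts that correspond one-to-one to HCL `path "..." { capabilities = [...] }` blocks; the `app-team` policy is constructed for illustration and `default` is only an illustrative subset of Vault's real built-in policy.

```python
"""Added example (not Vault's code): a small evaluator for Vault policy semantics.

A policy is a dict mapping an HCL `path` pattern to its capability list.  Both
policies below are constructed for illustration; 'default' is only a subset of
Vault's real built-in default policy.
"""
from __future__ import annotations

import re

# Equivalent HCL for 'app-team' (what `vault policy write app-team app-team.hcl` would load):
#   path "secret/data/app/*"        { capabilities = ["create", "read", "update", "delete", "list"] }
#   path "secret/data/app/prod/*"   { capabilities = ["read"] }
#   path "secret/data/app/prod/db"  { capabilities = ["deny"] }
#   path "sys/auth/+/tune"          { capabilities = ["update", "sudo"] }   # '+' = exactly one segment
#   path "auth/token/create-orphan" { capabilities = ["update", "sudo"] }
POLICIES: dict[str, dict[str, list[str]]] = {
    "default": {  # attached to every token automatically
        "auth/token/lookup-self": ["read"],
        "auth/token/renew-self": ["update"],
        "auth/token/revoke-self": ["update"],
        "sys/capabilities-self": ["update"],
    },
    "app-team": {
        "secret/data/app/*": ["create", "read", "update", "delete", "list"],
        "secret/data/app/prod/*": ["read"],
        "secret/data/app/prod/db": ["deny"],
        "sys/auth/+/tune": ["update", "sudo"],
        "auth/token/create-orphan": ["update", "sudo"],
    },
}


def _matches(pattern: str, path: str) -> bool:
    """Vault path matching: exact, '+' for exactly one segment, trailing '*' for any suffix."""
    glob = pattern.endswith("*")
    body = pattern[:-1] if glob else pattern
    regex = "/".join("[^/]+" if seg == "+" else re.escape(seg) for seg in body.split("/"))
    return re.fullmatch(regex + (".*" if glob else ""), path) is not None


def _priority(pattern: str) -> tuple:
    """Most specific pattern wins: later first wildcard, no trailing '*', fewer '+', longer, then lexical."""
    wild = [i for i, c in enumerate(pattern) if c in "+*"]
    first_wild = wild[0] if wild else len(pattern)
    return (first_wild, 0 if pattern.endswith("*") else 1, -pattern.count("+"), len(pattern), pattern)


def _merged_rules(attached: list[str], store: dict[str, dict[str, list[str]]]) -> dict[str, set[str]]:
    """Union the capabilities of all attached policies per path pattern."""
    rules: dict[str, set[str]] = {}
    for name in attached:
        for pattern, caps in store[name].items():
            rules.setdefault(pattern, set()).update(caps)
    return rules


def is_allowed(attached: list[str], path: str, capability: str, *,
               root_protected: bool = False, store: dict[str, dict[str, list[str]]] = POLICIES) -> bool:
    """Deny-by-default check of one capability on one path for a token's policy set.

    'deny' in the winning rule beats every other capability; a root-protected path
    additionally requires 'sudo' on top of the operation's own capability.
    """
    if "root" in attached:  # built-in root policy: everything is permitted
        return True
    rules = _merged_rules(attached, store)
    candidates = [p for p in rules if _matches(p, path)]
    if not candidates:
        return False
    caps = rules[max(candidates, key=_priority)]
    if "deny" in caps:
        return False
    if root_protected and "sudo" not in caps:
        return False
    return capability in caps


if __name__ == "__main__":
    token_policies = ["default", "app-team"]
    for path, cap in [("secret/data/app/dev/config", "update"),
                      ("secret/data/app/prod/api", "update"),
                      ("secret/data/app/prod/db", "read"),
                      ("sys/auth/kubernetes/tune", "update")]:
        print(f"{cap:6} {path:30} -> {is_allowed(token_policies, path, cap)}")
```

Two things the evaluator makes visible: a narrow `read`-only rule on `secret/data/app/prod/*` wins over the broad write rule on `secret/data/app/*` because it is more specific, not because it appears later, and `deny` on a single path cannot be overridden by attaching a second, more generous policy to the same token.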
New blog post: https://blog.mei-home.net/posts/k8s-migration-24-vault/
Migrating my baremetal Vault instance to k8s, including a general introduction to Vault itself and using Terraform to configure it.
Completely unrelated, is anyone interested in a couple of tons of Yak wool?
Did I miss a trend in JSON log formatting? HashiCorp's Vault seems to be of the opinion that all keys in their JSON logs should be prefixed by an "@"? As in:
{"@timestamp": "foobar", "@message": "baz"}
Very weird.
Here's my latest article on Medium titled "Why You Need To Bake Security Into Your CI/CD Pipelines".
I hope you find it interesting! :)
#blackduck
#cicd
#cyberark
#dast
#devops
#devsecops
#github
#hashicorp #hashicorpvault
#iac
#mendio
#sast
#sca
#terraform
#vault
#vcs
In the beginning, there was Hashicorp. In the early days of DevOps, Hashicorp wrote the tools everyone used to get work done. Vagrant let you have a local, tight loop of building local envs to run tests on. Packer let you build images as code to deploy to VMware, Docker, Hyper-V, and many more. Terraform was Infra-As-Code for all major cloud providers. Then along came services to deploy onto. Consul, Vault, Nomad.
The killer with #Strapi is getting a clean state for testing rigs.
For example there's no native rebuild database command (published), rather Strapi will notice there's no tables/db file and create it.
This meant not using the "webServer" config in #Playwright so that I'm not removing the database *after* the server has started.
I'm using #Babashka to manage setup/teardown logic, and there is a #HashicorpVault client available so I can squirrel away JWT tokens and such.
Recently, I have been evaluating HashiCorp's Vault server and set it up on several machines in a simple setup. Since the instructions on the Internet are somewhat scattered, I am documenting my approach in the hope that it may help others.
Environment
I will not be using Kubernetes or Docker Swarm (in both, you can solve it quite nicely with the appropriate placement of containers if you master the storage challenge). The reason we are using separate Docker instances is historical within the project.