Store tokens in MySQL or use Vault (HashiCorp)?

There are couple of ways to do this, depending on if the webserver really needs read/write access to the oauth tokens.

I've been using Vault for a while now, and I think this would be the way to go. You can use something like the approle auth backend (vault auth-enable approle) to let your servers write the tokens based on different policies (so they are limited to only writing those tokens).

Since the webserver can only write, you need something that can read the oauth data, and I suggest you have a some queue tool here, with workers that can read and processes whatever you need to do, and preferably not on the webserver (so that read/write access is split on different machines). The worker could use a read/write or read only app-role.

Which secret backend you use for your data storage (consul/file/DB) doesn't matter. Choose what you are comfortable with (I like consul since it's resilient and not depending on mysql or other DB replication), but whatever you choose, vault will ensure that the data is encrypted before it's written.

If the webserver is hacked, well, then it could cannot read the tokens, so the data should be pretty safe (as long as you protect machine/vault/worker communication).

Solved by user162809 (126 )
Nov 01, 2017 at 08:31