
Using VaultTemplate with username and password

I'm following a Spring Vault tutorial https://docs.spring.io/spring-vault/docs/current/reference/html/index.html and I have successfully connected the Java program with Vault through token access. In the picture below, tab number 1.

VaultTemplate vaultTemplate = new VaultTemplate(endpoint, new TokenAuthentication("MySecretToken"));

How do I instantiate the VaultTemplate using a user name and password, such as when we log in through the Vault WebUI with this option (tab number 2)?

I'm looking at this JavaDoc, but it's not obvious which one to pick: https://docs.spring.io/spring-vault/docs/current/api/index.html?overview-summary.html

So in other words: how do I connect to Vault, using spring-vault, with username+password instead of a token? Or at the very least, I need a pointer on how to generate a token with username+password.

As @h3rmanj indicated, Spring Vault does not support username/password authentication because this method is intended for human authentication, not machine-to-machine authentication.

Authentication depends on your threat model and how you can/want to address the exploitation of credentials in case of a breach. With username/password, you basically need to lock the user of a breached account. This is unfortunate as these accounts tend to be associated with people and you would lock out an operator.

If you use AppRole, you get two factors and you can segregate accounts by application type. Using tokens gives you the most flexibility if you do not reuse the token across multiple applications. Reuse is convenient, but if you encounter a breach, you have to take all applications offline that share the same token. So assigning individual tokens comes with the highest flexibility and the highest amount of operational overhead.

Anything in between is a compromise between a reaction to potential breaches and the amount of operational work.

HTH.
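The two routes the answer leaves open, as an added example that is not part of the original question or answer and not Spring Vault's own documentation code: authenticate the application with AppRole (the method the answer recommends), or, if a userpass account is all you have, obtain a client token from Vault's userpass login endpoint and hand it to TokenAuthentication. It assumes Spring Vault 2.x on the classpath, a Vault server reachable at the address in VAULT_ADDR, and the other environment variables named in the code; the secret path secret/myapp is a placeholder.

```java
// Added example, not from the original post and not Spring Vault's documentation code.
// Assumptions: Spring Vault 2.x, spring-web on the classpath, a reachable Vault server,
// and the environment variables VAULT_ADDR plus either VAULT_ROLE_ID/VAULT_SECRET_ID
// (AppRole) or VAULT_USERNAME/VAULT_PASSWORD (userpass bootstrap). "secret/myapp" is a
// hypothetical path; replace it with one your policy allows.
import java.net.URI;
import java.util.Collections;
import java.util.Map;

import org.springframework.http.client.SimpleClientHttpRequestFactory;
import org.springframework.vault.authentication.AppRoleAuthentication;
import org.springframework.vault.authentication.AppRoleAuthenticationOptions;
import org.springframework.vault.authentication.AppRoleAuthenticationOptions.RoleId;
import org.springframework.vault.authentication.AppRoleAuthenticationOptions.SecretId;
import org.springframework.vault.authentication.ClientAuthentication;
import org.springframework.vault.authentication.TokenAuthentication;
import org.springframework.vault.client.VaultClients;
import org.springframework.vault.client.VaultEndpoint;
import org.springframework.vault.core.VaultTemplate;
import org.springframework.vault.support.VaultResponse;
import org.springframework.web.client.RestTemplate;

public class VaultLoginExample {

    public static void main(String[] args) {
        VaultEndpoint endpoint = VaultEndpoint.from(URI.create(env("VAULT_ADDR")));
        // A RestTemplate pre-configured with Vault's base URL; it carries no session token,
        // so it is only suitable for the login calls themselves.
        RestTemplate rest = VaultClients.createRestTemplate(endpoint, new SimpleClientHttpRequestFactory());

        VaultTemplate template;
        if (System.getenv("VAULT_ROLE_ID") != null) {
            template = withAppRole(endpoint, rest, env("VAULT_ROLE_ID"), env("VAULT_SECRET_ID"));
        } else {
            template = withUserpassBootstrap(endpoint, rest, env("VAULT_USERNAME"), env("VAULT_PASSWORD"));
        }

        VaultResponse response = template.read("secret/myapp"); // hypothetical path
        System.out.println(response == null ? "no data at secret/myapp" : response.getData());
    }

    /**
     * AppRole: the machine-to-machine method the answer recommends. role_id and secret_id
     * are the two factors; Spring Vault performs the login and attaches the resulting token
     * to every request made through the template.
     */
    static VaultTemplate withAppRole(VaultEndpoint endpoint, RestTemplate rest, String roleId, String secretId) {
        AppRoleAuthenticationOptions options = AppRoleAuthenticationOptions.builder()
                .roleId(RoleId.provided(roleId))
                .secretId(SecretId.provided(secretId))
                .build();
        ClientAuthentication auth = new AppRoleAuthentication(options, rest);
        return new VaultTemplate(endpoint, auth);
    }

    /**
     * userpass: Spring Vault ships no ClientAuthentication for it, so call the HTTP login
     * endpoint directly (POST auth/userpass/login/{username} with {"password": ...}), read
     * auth.client_token from the response and pass it to TokenAuthentication. Note that the
     * password of a human account now lives in the application's configuration, which is
     * exactly the exposure the answer warns about.
     */
    static VaultTemplate withUserpassBootstrap(VaultEndpoint endpoint, RestTemplate rest,
                                               String username, String password) {
        Map<String, String> body = Collections.singletonMap("password", password);
        VaultResponse login = rest.postForObject("auth/userpass/login/{username}", body,
                VaultResponse.class, username);
        if (login == null || login.getAuth() == null || login.getAuth().get("client_token") == null) {
            throw new IllegalStateException("userpass login returned no client_token");
        }
        String token = (String) login.getAuth().get("client_token");
        return new VaultTemplate(endpoint, new TokenAuthentication(token));
    }

    private static String env(String name) {
        String value = System.getenv(name);
        if (value == null || value.isEmpty()) {
            throw new IllegalStateException("missing environment variable " + name);
        }
        return value;
    }
}
```

Two caveats for the userpass path. The token returned by the login endpoint has whatever TTL the userpass method was configured with, and TokenAuthentication simply presents a fixed string, so nothing in this code renews or re-obtains it; the AppRole path lets Spring Vault re-authenticate instead. And if you only need a token once, for example to seed a TokenAuthentication from an operator's session, the CLI does the same login step: vault login -method=userpass username=<user> prints the token, and vault token create with a restricted policy lets you hand the application a token of its own rather than the operator's.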
