From YouTube: Vault Review & Discussion with Brad Downey
Description
Quick Chat on https://gitlab.com/gitlab-org/gitlab/-/merge_requests/31831
B: We were saying the same before recording, so the biggest thing that I think Vault integration brings is that separation of duties, and so a lot of times this is the conversation. However, the customer, like today, we can do environment variables, and I don't love the fact that you can reveal them, but that's totally, like, that's a very minor thing we're looking at.
B: They get the latest secrets. It's just easy for them to consume, right, and then, ideally, they don't have any access. So in my video, the one I did, I spent more time on the Vault policy than probably anything else, trying to understand how do I get it where, when I log in as Brad, I can't see the secret, but maybe I can update it, or maybe I can create a new version of it or something like that, where I had some interaction. This is all Vault policy, by the way.
B: So my initial thoughts are: one, can we create a separation of duties, right? Like, that's business objective number one. How does a security team manage the secret and get just the amount of data that they need to the dev team, and the dev team consumes that in the least amount of configuration possible, right? And then they really shouldn't have access to those secrets if they're being consumed via pipeline. There's probably ways to work around it, but you're going to be hard-pressed to avoid that.
B: Now that I introduced Vault, I created, like, way more steps to get the secrets from Vault, load them into Runner, the authentication, and then push them into environment variables. And so I'd have to do this every step of the way, and with the way I've got my project set up, I need secrets pretty much at every job. So, like, I've got three or four jobs in a pipeline; I need to do this for every single job. It's not just the final, like, deploy to production.
B: One, like, I need the database secret for this final deploy, right. So every time I'm taking the hit of logging into Vault, getting the secret, loading it into environment variables. My tokens expire every 60 seconds, so I need something that'll auto-renew the token so I can continuously get that secret. Maybe I have secret A in the very beginning of the job and secret B.
B: So I found a couple of things to help me. So I was hesitant to use just random code off of GitHub, so I found envconsul, which is a small tool from HashiCorp, and they have it for, it supports both Vault and their Consul product. So Consul being their key-value thing, and then Vault just being the secure version of that, I think. And then they say in their documentation:
B: Hey, Vault's great for secrets, but if you need to get them into environment variables, use this tool. And so that's what I did. I used envconsul to say: okay, I'm going to feed you a config file that'll have all the information about how to authenticate to Vault. Then your job is to consume the secrets out of Vault, load them into environment variables, and I'll let you transform them, because they might be in a different format in Vault and you want them in your environment variable.
B: It might be lowercase db password when you really need uppercase DB_PASSWORD or something, right. So there was a translation mechanism, all these things, and then that loaded into my environment variables. It handled all of the reauthentication and the token expiration and all that, and then I was able to execute my job. But there was a lot of... there's a lot of... I don't see drawbacks to it, but it's kind of a manual hack. Great, yeah.
B: I've read until Camille's idea one; idea two I haven't read yet, but that's where I'm getting. Okay, and then my question would be, what would be best for feedback? I'd probably just post it in this MR; that's usually the most preferred. I'm just bad at that.
A: That's totally okay. I would say it would be helpful to get your perspective in this MR because, again, like, the more fine details, like, I can of course reiterate to Camille that, yeah, it'd be great if we can just get all of the Vault secrets as environment variables inside of GitLab. That doesn't really give us the, like, the tangible... Yeah, yeah.
A: I think what I hear from your narrative there is that, if we're able to abstract the manual lifting of entering in token reference variables into GitLab and remove that step completely and have that be automated, that would reduce a lot of this back and forth you were having to do between the Vault UI and the GitLab UI. Yeah.
B: Runner may not always be able to access Vault, which might be problematic, right, because we might have connectivity issues. Like, Runner is out in a cloud VPC somewhere and Vault exists centralized in maybe an on-prem data center. Okay, that might be problematic, but that could be a... we'll figure that out. Okay, let me finish reading and look through those elements of it, and I think so far I'm liking the variables syntax, because I think that's kind of straightforward and it creates an automatic mapping between them.
A: Appreciate it. I will, after you're done decomposing this, so I would love to have another coffee chat with you to attack your separation of duties issue a little bit more. Yeah, I have this other work stream that I'm partnering with. I'm sure you probably have to go, but the second issue I chatted out is adding a role to give a very distinct, like, deployer permission to GitLab that doesn't give people access to the source code, because...
B: Interesting. That's come up in customer conversations too, and I think, without reading your stuff there, Azure DevOps makes a big claim around that. They're like, oh, we have very tight controls of who's allowed to do deploys and things like that, and I've had a number of Microsoft customers who have come back to me. They're like, so, what's your story around this exactly?