Storing VAULT_TOKEN as environment variable - security concern?

[mtcolman]

I've been looking into use Cosign with Hashicorp Vault to avoid generating & storing keys locally or as Kubernetes secrets. Whilst digging into this, I've become aware that I would need to store the token for Vault as an environment variable "VAULT_TOKEN", as detailed here.

From previous research and conversation with colleagues, it is my understanding that storing secrets in environment variables is not considered to be a secure practice, given that there are situations whereby logs and traces could include them, or they could be exposed via container inspection commands etc.

Kubernetes offers the alternative to mount secrets as permissioned files, so I was wondering of Cosign would be able to handle this? I've seen the Vault CLI (and Terraform) can use a token from ~/.vault-token as documented here.

Or perhaps my security concerns aren't valid - happy to hear why not if that's the case.

Thanks!

Matt

[znewman01]

From previous research and conversation with colleagues, it is my understanding that storing secrets in environment variables is not considered to be a secure practice, given that there are situations whereby logs and traces could include them, or they could be exposed via container inspection commands etc.

It's situation-dependent, but this is definitely sound advice in general.

I've seen the Vault CLI (and Terraform) can use a token from ~/.vault-token as documented here.

That's actually what Cosign does if VAULT_TOKEN is unset:

https://github.com/sigstore/sigstore/blob/6c7cc8d4d77676cd9f207cb3cfcdc054732d0dcb/pkg/signature/kms/hashivault/client.go#L114-L119

It's not documented super well, so we can leave this open to track docs.

Normally I'd be willing to create a VAULT_TOKEN_FILE env var but we're looking for maximum compliance with Vault itself here.

[mtcolman]

Ah, that's useful to know, thank you @znewman01. The documentation would definitely benefit from stating this, cheers.

[pschulten]

@znewman01 a lot of people use a token helper (https://developer.hashicorp.com/vault/docs/commands/token-helper), which currently isn't supported

Could you change the newHashivaultClient function like this:

	// Env variable VAULT_TOKEN takes precedence, similar to Vault CLI
	// if unset, fallback to ~/.vault-token or external token helper
	token := os.Getenv("VAULT_TOKEN")
	if token == "" {
		tokenHelper, err := config.DefaultTokenHelper()
		if err != nil {
			return nil, fmt.Errorf("error getting token helper: %s", err)
		}
		token, err = tokenHelper.Get()
		if err != nil {
			return nil, fmt.Errorf("error getting token: %s", err)
		}
	}

the sequence would be:
VAULT_TOKEN or vault token helper or $HOME/.vault_token

[znewman01]

That's a good idea! I didn't know about the helpers.