secrets | Openstorage support for Key Management Systems | Key Value Database library

You have a typo (fix "n" to "nn"): ConectionStrings should be ConnectionStrings.

You can remove the old one and create a new one with these commands:

Ok, this should work. Remove the last line - run: git push from your action. Then add the following.

Posting this community wiki answer to give more visibility on the comment that was made at a github issue that addressed this question:

Lens will create nsenter pod to the selected node

This question asked the same thing.

What you want to use here are not env variables but outputs.

You can specify a set of outputs that you want to pass to subsequent jobs and then access those values from your needs context.

See documentation:

If you want to inject the vault secret into the deployment pod what you can do

There is one great project on Github Vault-CRD in java: https://github.com/DaspawnW/vault-crd

Vault CRD for sharing Vault Secrets with Kubernetes. It injects & sync values from Vault to Kubernetes secret. You can use these secrets as environment variables inside pod.

the flow goes something like : vault to Kubernetes secret > and that secrets get injected into deployment using YAML same as configmap

apart from this there is also another nice method of sidecar pattern.

for that, there is a very nice tutorial: https://github.com/hashicorp/hands-on-with-vault-on-kubernetes

another one : https://www.hashicorp.com/blog/injecting-vault-secrets-into-kubernetes-pods-via-a-sidecar

Assuming you have put the country codes into the custom fields exactly as they would display in the settings, the following should do the trick:

Is it the local path to the certificate that is downloaded as CER/PEM format from Azure Key Vault ?

"clientCertificatePath is the path to a file which contains both the client certificate and private key." It always is the local path, but if you store it to OneDrive the path will format like "C:\Users\myuser\OneDrive - Microsoft\Documents\Certs".

if I am operating in private cloud, does it really matter (client secret / client certificate)?

In short, certificate is more secure than secret but it's complex to use. Which one you choose depends on your requirement. In my opinion, client secret can protect the Azure Key Vault when updating secret every few months.

There are the pros and cons of client secret and client certificate:

Client secret:

Pro: Easy to deploy - just takes some code and a secure data store. Depending on the security policy, can autogenerate passwords or force new users to create them.

Pro: Easy to administrate - password resets can (for some security policies) be done with automated tools

Con: For good security, passwords should be reset early and often. User's forgetting or failing to change passwords is either a security risk or a usability hassle.

Con: Good passwords can be hard to remember, which leads to the issues of users reusing passwords or writing them down.

Con: Password data stores are a weak point - if an intruder gets the password store, he gets the motherload.

Con: All parts of password transmission can lead to exposure - websites that store passwords locally for ease of use, internal server components that transmit in the clear, log files in COTS products that store passwords in the clear. With the secret being part of the transmission, you're only as strong as your weakest link - it takes serious effort to prevent exposure and the requirement is on both the user and the system developer.

Certificates:

Pro: Doesn't require the transmission of the secret. Proof of private key contains no secret information - mitigates all sorts of storage/transmission weak points.

Pro: Issued by a trusted party (the CA) which allows for a centralized management system for status across multiple applications. If a cert goes bad, it can get revoked. Fixing a password breakin must be done separately for each system unless a shared ID is used.

Pro: Non-repudiation case is stronger - in most password systems, the way the user is initially authenticated prior to account creation is pretty weak and the password reset mechanisms can offer another factor of plausible deniability. With many forms of certificate issuance, it's far harder for a user to say it wasn't them. Caveat - you're still only as good as your CA's issuance policies.

Pro: Serves more purposes than just authentication - can provide integrity and confidentiality as well.

Con: Still requires a password/pin - almost any private key pair storage mechanism is then unlocked with a PIN. SmartCards can have tamper protection and lockout capabilities to prevent brute force, but that doesn't fix the fact the user wrote his PIN on a sticky note next to the computer where the card is docked. Sometimes password issues reappear on a smaller scale with PKI.

Con: Complexity of infrastructure - setting up a PKI is no easy task and generally so expensive in both deployment and maintenance that it can only be used for large/expensive systems.

Con: Certificate Status reporting and updates are not easy - revoking a user credential that has become corrupted is onerous due to the size and complexity of the infrastructure. Usually, a CA generates a CRL that may or may not be provisioned within an OCSP server. Then every application should check every login for the CRL or OCSP status. This introduces a variety of time delays into the system between the time a PKI credential is reported as compromised and the time when the systems that rely on that credential actually start denying access. The speed of status update can be accelerated - but at a greater system complexity cost.

Your code on your EB instance uses instance role to provide it with AWS credentials. When you do this, x-amz-security-token is used which is a regular part of AWS credentails when you use IAM roles.

In contrast, when you run it locally, you use IAM user for AWS credentials. In that case, token is not used.