vault | Roles & Permissions for the Laravel 5 Framework | Authorization library

Plese add id to you first action:

Although Vault offers convenient signature with Transit, the C# wrapper you are using does not support it.

Google KMS does offer signature, but its interface is more complex: you have to do the hash yourself and keep track of the key versions.

What I suggest is that you play a trick on your API wrapper:

• Leave your encryption and decryption code as-is
• Write to the the Transit backend as if it was a KV store version 1
• Get your signature by sending your payload as the input parameter

You still have to base64 your data before sending it to Vault, to avoid binary encoding issues.

So assuming that:

• You want to sign the text StackOverflow
• The transit back-end is mounted under transit
• Your signature key is named my-key

This should get you started:

The ECS integration with Secrets Manager happens at the time ECS is deploying your container. ECS will lookup those secrets, and inject them into the container as environment variables. ECS doesn't have any third-party secrets lookup support, it only supports AWS Secrets Manager and AWS Parameter Store.

Baking secrets into the images at build time seems very wrong. It would lock your images to a specific environment, and force you to create new images each time a secret changes. It also means your docker image now needs to be stored somewhere that is just as secure as your HashiCorp Vault server.

The recommended method for integrating HashiCorp Vault with AWS ECS is to add a sidecar container to your ECS task definition, that looks up the secrets in the Vault at task startup, and makes those secrets available to your other containers in the task. This is documented here.

However, in that official solution, they are using a shared EFS volume for some reason. That seems extremely wrong to me, as it means multiple instances of your ECS task would be stepping on each other writing to the same EFS volume, and there's no need for those secrets to be written to a persistent volume outside of the containers anyway. I would modify that solution to simply write the Vault secrets to a ephemeral volume shared between the containers in the ECS task.

Alternatively, just modify the startup script in your docker image, to first connect to your Vault to download the secrets and make them available in the container, before starting your application.

Well i dont know what the issue was but changing :

how do i access my connected services, without actually storing the credentials of accessing the azure key vault?

• Use Azure AD Managed Service Identity to access Key Vault from all environments without storing any credentials in the app.
• Managed Identity provides Azure services with an automatically managed identity in Azure Active Directory .
• It helps to authenticate to any service that supports AAD authentication without maintaining credentials in your code.
• It is a great feature from a security perspective because credentials are not accessible to you.
• Managed identities can be used without any additional cost.

Refer steps to read a secret stored in an Azure Key Vault instance and Use a managed identity to connect Key Vault to an Azure web app in .NET

how do i manage two key vaults within one solution (one for dev env and one for prod env)?

Refer managing key vaults in Development environment , Production environment and Production and Development environments

Please refer this for more information

The best solution would be to directly transfer the lamports inside of your program using a cross-program invocation, like this program: Cross-program invocation with unauthorized signer or writable account

Otherwise, from within your program, you can check the lamports on the AccountInfo passed, and make sure it's the proper number, similar to this example: https://solanacookbook.com/references/programs.html#transferring-lamports

The difference there is that you don't need to move the lamports.

This is currently not possible with the way the code is written unfortunately, according to https://github.com/dotnet/aspnetcore/issues/37680.

From security perspective you are violating principle of least privilege, giving read access to public that they don't need.

This could raise several risks:

• You or someone else maintaining the App Configuration might "forget" about public read access and put vulnerable data there
• An attacker might exploit a security bug in App Configuration itself and escalate read-only permission to read-write, which would not happen if they didn't have read-only access in the first place

You might think that probability of that happening is marginal (which is probably the case), but it is there and in security we always stay on the safe side - that's why we have the principle mentioned and it is indeed generally considered bad practice to violate it.

Finally, we always need to choose between usability and security, so in the end you might willfully agree to slightly less security if this makes your life easier and potential trouble from the risks does not scare you.

In case you would like not to expose the connection string you can think about:

• abstracting configuration fetching in a similar way you did for secrets, so that production app would use App Configuration while for local development you can use InMemory database
• replacing connection string with Terraform script so that you or any other developer can spin up and populate a dedicated App Configuration instance for local development purposes

Not sure how you have deployed the vault but if your injector is true