
Implement unixSocket as an option for communicating with Vault #972

Open
gg718 opened this issue Feb 19, 2024 · 0 comments


gg718 commented Feb 19, 2024

I'm currently running a Vault Proxy sidecar alongside Web3Signer to handle auth and forward requests to Vault.

Each key file looks something like this:

```yaml
keyName: key
keyPath: /v1/secret/data/holesky/12345
keyType: BLS
serverHost: localhost
serverPort: 8200
timeout: 30000
tlsEnabled: false
token: unused_handled_by_vault_proxy
type: hashicorp
```

In order to improve security (and, to a minimal extent, performance), it would be great to be able to configure Vault Proxy to use unix sockets:

```hcl
listener "unix" {
  address = "/var/run/vault.sock"
}
```

and then specify:

```yaml
unixSocket: /var/run/vault.sock
```

Rather than:

```yaml
serverHost: localhost
serverPort: 8200
```

As it stands, any user able to access that port (e.g. via kubectl port-forward) can easily make authenticated requests to Vault via port 8200. Being able to send requests via a unix socket would improve the situation.
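What the requested `unixSocket` option would need on the client side, as an added example that is not Web3Signer's or Vault's own code: an HTTP client that dials the proxy's AF_UNIX path instead of `serverHost:serverPort`, refuses a socket file that other local users could open (the property the TCP port lacks), and reads the key from the KV v2 response. The fake Vault Proxy, its `0xc0ffee` key value and the temp socket path are constructed for the demo; the `/v1/secret/data/holesky/12345` path and `key` field come from the key file above.

```python
import http.client, json, os, socket, stat, tempfile, threading
from http.server import BaseHTTPRequestHandler, HTTPServer

class UnixHTTPConnection(http.client.HTTPConnection):
    # Dial an AF_UNIX path instead of serverHost:serverPort ("localhost" only fills Host:).
    def __init__(self, socket_path, timeout=30):
        super().__init__("localhost", timeout=timeout)
        self.socket_path = socket_path
    def connect(self):
        self.sock = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
        self.sock.settimeout(self.timeout)
        self.sock.connect(self.socket_path)

def read_kv_secret(socket_path, key_path, key_name):
    # Reach is gated by file permissions, so refuse a socket other local users can open.
    mode = os.stat(socket_path).st_mode
    if not stat.S_ISSOCK(mode) or mode & (stat.S_IRWXG | stat.S_IRWXO):
        raise PermissionError(f"{socket_path} is not a private unix socket")
    conn = UnixHTTPConnection(socket_path)
    conn.request("GET", key_path)  # Vault Proxy adds the real token upstream
    resp = conn.getresponse()
    body = json.loads(resp.read())
    if resp.status != 200:
        raise RuntimeError(f"Vault returned HTTP {resp.status}: {body}")
    return body["data"]["data"][key_name]

class FakeVaultHandler(BaseHTTPRequestHandler):
    # Constructed stand-in for Vault Proxy: answers with a KV v2 read response.
    def do_GET(self):
        body = json.dumps({"data": {"data": {"key": "0xc0ffee"}}}).encode()
        self.send_response(200)
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)
    def log_message(self, *args):  # client_address is '' over AF_UNIX
        pass

class UnixHTTPServer(HTTPServer):
    address_family = socket.AF_UNIX
    def server_bind(self):  # skip the TCP hostname lookup; lock down the socket file
        self.socket.bind(self.server_address)
        os.chmod(self.server_address, 0o600)

def demo():
    path = os.path.join(tempfile.mkdtemp(), "vault.sock")  # constructed temp path
    server = UnixHTTPServer(path, FakeVaultHandler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    secret = read_kv_secret(path, "/v1/secret/data/holesky/12345", "key")
    server.shutdown()
    return secret
```

With a real deployment the same client would point at `/var/run/vault.sock` from the listener block above, and the permission check is what turns "anyone who can reach the port" into "only the socket file's owner".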
