Hello. I am currently dabbling in nornir more with netbox. In previous times I have hard-coded a file and read passwords from it.
You read that this is bad practice, and I do agree. "Use a vault," I hear, so I do. But what I'm doing now, I must be doing wrong, or not understanding the benefits or workflow to make this any more secure. (The script isn't complete transform-set-wise yet, but it doesn't look too difficult.)
I'm hard-coding a script with a separate set of credentials that gets a token from hashivault that is renewed in a cron task now and again, and tied to access from my device's IP. This is stored and will be used in a transform set with netbox inventory to get the login details for devices from my vault.
For most devices we have ISE doing AAA.
I feel like I haven't solved any problems. I've just added more complexity. I already have a service account in ISE that we use. I'm obviously not understanding the workflow here that would be advised to make this actually more secure, or not have our infosec team say "OI that's a password in plain text". I can move to certs for auth to get rid of the passwords, but it still doesn't feel right in my mind.
How are people using a vault in a simple workflow for networking? I don't need the scripts etc, I think I just need to understand the right way to do this.
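As an added illustration of the workflow described in the post (not the poster's code, and not nornir's or netbox's own API), here is the shape of a nornir-style transform function that resolves device credentials from Vault at run time, plus a token freshness check for the cron-renewed token. The Vault client is injected as a callable so the logic runs offline; the KV path layout and the `host.data` keys are assumptions.

```python
# Added example. With hvac, the reader would be:
#   lambda p: client.secrets.kv.v2.read_secret_version(path=p)["data"]["data"]
# and the token lookup: client.auth.token.lookup_self()
from dataclasses import dataclass, field
from typing import Callable, Dict, Optional

SecretReader = Callable[[str], Dict[str, str]]


@dataclass
class Host:
    """Minimal stand-in for nornir's Host: only the fields the transform touches."""
    name: str
    data: Dict[str, str] = field(default_factory=dict)
    username: Optional[str] = None
    password: Optional[str] = None


def secret_path(host: Host) -> str:
    """Map netbox attributes to a KV path (assumed layout: one secret per site/role)."""
    site = host.data.get("site", "default")
    role = host.data.get("device_role", "default")
    return f"network/{site}/{role}"


def make_transform(read_secret: SecretReader) -> Callable[[Host], None]:
    """Build a transform_function bound to a secret reader; nothing is written to disk."""
    def transform(host: Host) -> None:
        secret = read_secret(secret_path(host))
        # Fail closed: a missing key is a config error, never a fallback to a default password.
        host.username = secret["username"]
        host.password = secret["password"]
    return transform


def token_is_fresh(lookup_self: Dict, min_ttl_seconds: int = 300) -> bool:
    """Refuse to run if the cron-renewed token is about to expire mid-run."""
    return int(lookup_self["data"]["ttl"]) >= min_ttl_seconds


# Constructed in-memory "vault" standing in for KV v2 responses (test data only).
FAKE_KV = {"network/lon1/core": {"username": "svc-nornir", "password": "constructed-secret"}}


def fake_reader(path: str) -> Dict[str, str]:
    return FAKE_KV[path]


if __name__ == "__main__":
    h = Host("sw1", {"site": "lon1", "device_role": "core"})
    if token_is_fresh({"data": {"ttl": 3600}}):
        make_transform(fake_reader)(h)
        print(h.username)
```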