Why You Should Be Using Ephemeral Credentials

In this post, we explore ephemeral credentials in Hashicorp Vault. And, we run through what implementation looks like.

Keeping critical information protected should be at the heart of everything you do as a developer (beyond making sure the thing you’re developing actually works, of course).

For many businesses, this means ensuring that your application or product is secure on all fronts. Secure connections. Secure platforms. And, perhaps most importantly, secure secrets.

When we talk about secrets, we’re not talking about the time you stole a piece of gum from the corner store when you were four or that time your brother snuck out of the house.

We’re talking about bigger things than that. Important things.

So… what do you mean by secrets?

Secrets are sensitive data that live within your system that require credentials to access. They can be anything from usernames and passwords to SSH keys and just about everything in between. It’s all the critical information that you don’t just want to keep safe, you need to keep it safe in order to keep your business safe.

The standard approach for accessing secrets is providing credentials through persistent authorization. This works by first verifying your identity (we’ll get into identities in more detail below), usually through some kind of single sign-on.

Issuing credentials this way has been a “good enough” solution over the years, but it has its downsides.

The biggest downside is a problem that plagues a lot of legacy setups like this — as soon as the person who designed it leaves the company; it can be nearly impossible to figure out how everything was set up. Everyone has their own preferred method of issuing credentials, and everyone has their own take on how they set things up. Beyond that, if you have to comply with regulations like PCI DSS, you have to work credential cleanup and rotation into your process, and it adds a lot of time (even if you’re using a credential management system).

As frustrating as all of that can be, there’s a way to manage credentials that isn’t time-consuming and doesn’t create a nigh-impossible challenge for anyone taking over your job: ephemeral credentials.

I think, therefore, I am — let’s talk identity.

It’s worth bringing up identities here, as they are a crucial part of the credential issuing process. In this instance, as we’re talking about identity, we mean who you are from a user perspective. And, from a user perspective, you could be one of two things: A human, or a machine, service, application, or service account (which are all essentially the same thing).

What this means is that you could either be a person trying to access something, or you could be another service accessing it on behalf of a person (think APIs linking services together).

Once your identity has been verified, the question becomes: is this person authorized to access this credential? The token you are issued at this stage determines the level of access you have. This is important because it helps you limit what any individual user has access to. You’re not going to give someone the key to the safety deposit box just because you asked them to water your plants. You should be taking the same precautions with secrets.

Sometimes identity information can be derived from the environment an application is running in. For example, applications running in AWS can use the built-in metadata server. Similarly, applications running in Kubernetes can use built-in service accounts.

What are ephemeral credentials?

Ephemeral credentials are dynamically generated credentials that are created at the moment they’re needed, then discarded afterward. Like persistent credentials, ephemeral credentials provide you with the token you need to gain access. The difference is, with ephemeral credentials, the token eventually expires, and you need to go through the authentication process again. Ephemeral credentials are typically gone once they expire; there is no way to refresh the credential like you can with short-lived or long-lived credentials.

The difference here between ephemeral and both short-and-long-lived credentials is worth mentioning.

  • Short-lived credentials, like ephemeral credentials, are temporary. But, the big difference here is that they can be refreshed. An example of this would be a cookie (which isn’t a short-lived credential, per se. It’s more of a storage mechanism for the credential). After you log in to a website (or an app), the cookie holds the token that grants you access. After a while, the cookie expires, and you have to log in again.
  • Long-lived credentials aren’t temporary. They are things like usernames, passwords, or API keys that don’t typically expire.

Ephemeral credentials eliminate a lot of the headaches that come with persistent access by making you think about all the complicated stuff upfront.

You’re no longer forced to deal with issues around transfer of ownership, teams changing or moving off a project entirely, or even worrying about employee turnover because their credentials don’t linger in the system. They hang around for a few hours, and then they’re gone.

More than that, though, ephemeral credentials move you away from bad habits around access and security. Whether or not we admit it, everyone has a few bad habits or even workarounds that they use that can compromise the integrity of a system.

By bad habits and workarounds, we’re talking about things like:

  • Hardcoded credentials where credentials are embedded as plain text into the source code. These create a huge security risk, as anyone with access to the code would essentially have access to the production environment it's running in. The implication, when you store credentials this way, is that they’re long-lived. Bad actors know that if they find them, there’s a very good chance they’re still valid.
  • Bypassing persistent access solutions completely and creating your own untracked and unmanaged SSH keys.
  • Sharing credentials, which can lead to anybody gaining legitimate access to your system without your knowledge.

These things aren’t necessarily bad on their own, but every bad habit or workaround leaves your secrets at risk, which opens up your entire system to attacks.

One of the ways that ephemeral credentials help is by making good practices easy. Using credentials that expire quickly means you don’t have to struggle to remember passwords, and no one is going to try and bypass anything because they don’t have to. Not only that, but ephemeral credentials can potentially limit what a bad actor can do if they get into your system because the credentials expire after a set period of time.

Why do we love Hashicorp Vault for ephemeral credentials?

At Liatrio, we’re huge fans of using Hashicorp Vault for creating ephemeral credentials.

Not only does Vault provide a secure, encrypted area to store secrets, but its secrets engine can generate dynamic database credentials based on configured roles. Vault makes it easy to create ephemeral credentials for many types of systems, such as SQL.

What makes Vault so ideal for ephemeral credentials is that it’s both adaptable and has existing integrations with many other tools that you’re probably already using. And, beyond that, it does everything. There are other vendors out there that offer similar features, but none of them offer all within the same suite. To get the protection that Vault brings to the table, you’d have to work with multiple services, which adds an unnecessary complexity layer.

How to get started with ephemeral credentials?

In order to kick-start your journey, we’ve put together a small lab using some of our favorite tools to deploy and manage Hashicorp Vault on Kubernetes.

https://github.com/liatrio/blog-vault-mongodb-dynamic-credentials

Once the infrastructure and application are running locally, you can use some of the helpful commands described in the README to begin experimenting using the provided example application. Give it a try and let us know what you think!

Want to know more?

This covers just one way you can incorporate Hashicorp Vault in your systems. Keeping your secrets secure through ephemeral credentials can greatly reduce the likelihood of not only bad actors getting into your system, but of the amount of work you need to do when managing credentials.

At Liatrio we’re all about helping people create better systems and transform their organizations. If you want to know about providing better protection for your secrets reach out and ask how we can help.

Have a question or comment?

Contact uS
The Liatrio logo mark.
The Liatrio logo mark.

About Liatrio

Liatrio is a collaborative, end-to-end Enterprise Delivery Acceleration consulting firm that helps enterprises transform the way they work. We work as boots-on-the-ground change agents, helping our clients improve their development practices, react more quickly to market shifts, and get better at delivering value from conception to deployment.