Re: Vault or AWS/IAM

[Toomas Kristin <toomas.kristin@xxxxxxxxx>]

Hi,

Yes, at case of IAM there is vendor lock and IAM won’t work for multi-cloud infra and those are very strong arguments for Vault. However thing that makes me concern about Vault is that the application is going to behave as DBA - it has root access for database that creates and drops users, grants and revokes accesses. Due to root credentials are stored inside of Vault than those can be easily compromised because of a mistake in configuration or a bug in application. And process list doesn’t provide any understanding who is the person/application who executed the query. Or am I over-concerning here?

BR,

Toomas

On 8. Apr 2020, at 00:33, Prince Pathria <prince.pathria@xxxxxxxxxxx> wrote:

I would suggest going for Vault/Secrets manager.
Using IAM can lock you to use only RDS. 
For a case where you're using hybrid/multi-cloud infrastructure, IAM won't fit in.
Or if you're completely on AWS, there have been cases where organisations jump back to Postgres on EC2 from RDS for costs and performance reason. At least no change of code is required in case of Vault/Secrets manager. 

Using secrets manager over vault also has some advantages, like managing 1 or maybe 2(in case you're using some unmanaged service as vault backend) less components in your infrastructure. But again secrets manager isn't a good option if you're using multi-cloud/hybrid infrastructure.

Happy to help :)

Prince Pathria Systems Engineer Evive +91 9478670472 goevive.com

On Tue, Apr 7, 2020 at 12:13 PM Toomas Kristin <toomas.kristin@xxxxxxxxx> wrote:

Hi,

I hope you all are well. Basically I am considering to implement a centralised authentication solution for AWS/RDS/PostgreSQL. Last two options on table are Vault and IAM. Have you made any similar decision and can you share your experience?

BR,
Toomas