This article demonstrates how the Vault LDAP secrets engine's service account check-in/check-out feature works under the hood.
Introduction:
Service account check-out provides a library of service accounts that can be checked out by a person or by machines. Vault will automatically rotate the password once a service account is checked in. Service accounts can be voluntarily checked in, or Vault will check them in when their lending period (or, "ttl", in Vault's language) ends.
The service account check-out functionality works with various schemas, including OpenLDAP, Active Directory, and RACF.
What happens underneath:
- When an object is created in LDAP, it must be created with a password (a mandatory field). Hence, when the very first check-out is issued from Vault, that same existing password is presented to the person or machine issuing it.
- Vault copies the password from the LDAP database and stores that same password in its own database up front, at the time the "ldap/library" is configured.
- When a person or machine issues the very first check-out, the password is presented from Vault's database; it is not fetched from the LDAP database at that moment.
- When the person or machine executes the check-in, Vault rotates the password on the LDAP side and then copies the new password string into its own database, where it will be presented when the next check-out is issued.
- Please note that the lease created when the very first check-out was issued remains in the system even though you have already issued the check-in.
- That lease also governs rotation of the service account's password: when it expires, Vault treats the lending period as having ended and rotates again.
- Hence, under the hood, the password rotates twice: once when the check-in was issued and once when the lease expired.
- Where the mapping is one service account per person or machine, the best practice is to set the TTL to match your work need (the probable length of time you need the service account for) and let Vault rotate the password automatically when the lending period (or "ttl", in Vault's language) ends; there is no need to check in.
- You can still check in; nothing stops that, but make sure the next check-out is issued only after the lease from the previous check-out has expired. Otherwise, the lease generated during the previous check-out will cause a password rotation, and you may end up either losing access to the system you reach via that service account or seeing "password incorrect" errors.
- You can also add multiple service accounts to a single library created on Vault's end and distribute them to distinct people or machines to consume.
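As an added illustration (not Vault's own code), here is a small Python model of the lifecycle described in these bullets: Vault serves its own copy of the password, the check-out lease outlives a voluntary check-in, and lease expiry rotates a second time. The `LdapDirectory`, `Library` and `scenario` names, the `svc-app` account and its constructed initial password are assumptions of the model, as is the simplification that lease expiry only rotates and does not touch the available pool.

```python
import secrets
from dataclasses import dataclass

@dataclass
class Lease:
    account: str
    expires_at: int
    active: bool = True

class LdapDirectory:
    """Stand-in for the directory: the password LDAP currently holds per account."""
    def __init__(self, accounts):
        self.passwords = {a: f"initial-{a}" for a in accounts}  # constructed initial passwords
    def rotate(self, account):
        self.passwords[account] = secrets.token_urlsafe(12)
        return self.passwords[account]
    def bind(self, account, password):
        return self.passwords.get(account) == password

class Library:
    """Vault-side model: its own password copy, the available pool, and leases."""
    def __init__(self, ldap, accounts, ttl):
        self.ldap, self.ttl, self.rotations = ldap, ttl, 0
        self.passwords = dict(ldap.passwords)   # copied at ldap/library configuration time
        self.available, self.leases = list(accounts), []
    def check_out(self, now):
        account = self.available.pop(0)
        lease = Lease(account, now + self.ttl)  # the lease outlives a voluntary check-in
        self.leases.append(lease)
        return account, self.passwords[account], lease  # served from Vault's copy, not LDAP
    def _rotate(self, account):
        self.passwords[account] = self.ldap.rotate(account)
        self.rotations += 1
    def check_in(self, account):
        self._rotate(account)                   # first rotation: on check-in
        self.available.append(account)
    def expire_leases(self, now):
        for lease in self.leases:
            if lease.active and now >= lease.expires_at:
                lease.active = False
                self._rotate(lease.account)     # second rotation: when the old lease expires

def scenario(second_checkout_at, ttl=60):
    # Check out, check in, then check out again at the given time; report the outcome.
    ldap = LdapDirectory(["svc-app"])
    lib = Library(ldap, ["svc-app"], ttl)
    acct, first_pw, _ = lib.check_out(now=0)
    lib.check_in(acct)
    lib.expire_leases(second_checkout_at)
    acct, pw, _ = lib.check_out(now=second_checkout_at)
    lib.expire_leases(second_checkout_at + ttl - 1)  # a moment before the new lease ends
    return first_pw, lib.rotations, ldap.bind(acct, pw)
```

Running `scenario(10)` (second check-out before the first lease expires) leaves the second consumer holding a password LDAP no longer accepts, while `scenario(60)` (second check-out after expiry) keeps it valid, with two rotations in both cases.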