27 May 2022 |
@grahamc:nixos.org | what's it for? | 13:42:06 |
Mic92 (Old) | For a customer | 13:42:31 |
@grahamc:nixos.org | unless you're running your own Vault plugins, I would recommend using HCP Vault | 13:42:50 |
Mic92 (Old) | I might actually want this in future :) | 13:43:33 |
@grahamc:nixos.org | (I'd never run a vault instance for a customer) | 13:43:39 |
@grahamc:nixos.org | re cfssl for TLS: trust in public TLS infrastructure is well established as a thing I do in other areas of my threat model, so I didn't feel the need to do so for this one | 13:53:27 |
@grahamc:nixos.org | * re cfssl for TLS: trust in public TLS infrastructure is well established as a thing I do in other areas of my threat model, so I didn't feel the need to run my own TLS CA for vault | 13:53:40 |
Mic92 (Old) | My initial motivation was that I could then limit egress to only specific targets if I don't have to rely on letsencrypt | 14:14:14 |
Mic92 (Old) | In reply to @grahamc:nixos.org: "the vault agent caches some stuff but not everything". Ok. What information does vault not cache? | 14:45:34 |
@grahamc:nixos.org | I think some secrets are not cachable | 14:45:45 |
@grahamc:nixos.org | but not sure | 14:45:47 |
28 May 2022 |
| Mic92 (Old) changed their display name from Mic92 to Mic92 (Old). | 10:26:54 |
| Mic92 joined the room. | 11:33:20 |
| Mic92 (Old) left the room. | 11:33:26 |
31 May 2022 |
Mic92 | Wow, reading this I get gnupg vibes: https://support.hashicorp.com/hc/en-us/articles/4407386653843-Vault-KV-V2-Secrets-Engine-Permission-Denied- | 16:35:35 |
Mic92 | This is not well-designed. | 16:35:41 |
Mic92 | I guess I should have read this here: https://www.vaultproject.io/docs/secrets/kv/kv-v2#acl-rules | 16:38:26 |
1 Jun 2022 |
Mic92 | grahamc (he/him): are ec2 role tags (i.e. created with vault_aws_auth_backend_role_tag) supported by nixos-vault-service | 13:38:44 |
Mic92 | ? | 13:38:45 |
@grahamc:nixos.org | should be, any auth method that vault agent supports | 13:39:06 |
Mic92 | what do you usually use? | 13:39:53 |
Mic92 | I have multi-region deployment so those normal iam methods wouldn't work | 13:40:25 |
Mic92 | Turns out I was also using vault_aws_auth_backend_role_tag wrong in terraform but it is also impossible to use because it creates dependency cycles between the ec2 instances I am trying to create. | 14:04:43 |
Mic92 | It also seems that nixos-vault-service cannot be used with aws ec2 auth. Once there are two services that require a secret, the second instance cannot authenticate because of nonce mismatches | 15:07:52 |
@grahamc:nixos.org | that is surprising, we use it for aws ec2 auth | 16:59:24 |
Mic92 | Check out this: https://github.com/DeterminateSystems/nixos-vault-service/issues/58 | 17:19:40 |