Securely using secrets in a pipeline — HashiCorp Vault + JWT Auth

Amir So
5 min read · May 10, 2021

The typical way of communicating with the Vault service is to add the VAULT_TOKEN value as a constant in the environment. But is it a safe solution? Of course not! There is another way that is more reliable and secure. In this article, I’m only trying to explain the main concept, not dive into the details of each step, because once you get the concept, it’s up to you how to configure the auth method, put these pieces together, and set up your environment to use it.

But before getting into all the aspects, let’s see the high-level design of the flow:

Prerequisites:

  • HashiCorp Vault (if you want to try it and are looking for a way other than installing it on a local machine, I recommend registering in the HashiCorp cloud to receive $50 in free credits and, after that, creating your own Vault cluster. EASY PEASY! 😋)
  • 🤔 Hmm… That’s that! xD

Let’s do this!

First of all, we need to set the root (!) token to the VAULT_TOKEN env value because we will use some root-level commands. As a best practice, use tokens with…
