SE Hangout

Delivering Secret Zero: Vault AppRole with Terraform and Chef

When thinking about how to securely deliver secrets to our applications, we often run into chicken-and-egg scenarios where, in order to encrypt secrets, we create an unencrypted key to open up that encryption for regular use. Learn how Vault AppRole can help with this secure introduction problem.


There's now a HashiCorp Learn tutorial adapted from this webinar: AppRole With Terraform & Chef

Whenever a security group chooses to opt for the auto-unseal functionality of Vault instead of the default Shamir's secret sharing approach, you'll encounter the "secret-zero" problem. In order to authenticate safely, you'll need to use an HSM or cloud KMS for auto-unseal, but this means there's now a shared key to those systems stored outside the HSM or the Cloud KMS in a script that starts the auto-unseal process.

In this webinar, Teddy Sacilowski introduces how authentication in Vault works, gives an overview of the AppRole Auth Method, and explains how it integrates with Terraform and Chef. Finally, Teddy gives a demo of how this can be used to mitigate the secret-zero problem and wraps up by answering questions from the audience about Vault.

Watch to learn:

  • How authentication in Vault works
  • How Terraform can interact with Vault via its Vault Provider
  • How to interact with Vault in Chef recipes


  • 0:00 - 0:20 - Vault AppRole
  • 0:20 - 0:45 - Demo
  • 0:45 - 1:00 - Live Q&A

Additional resource:

GitHub repository

More resources like this one

  • 4/11/2024
  • FAQ

Introduction to HashiCorp Vault

Vault identity diagram
  • 12/28/2023
  • FAQ

Why should we use identity-based or "identity-first" security as we adopt cloud infrastructure?

  • 3/15/2023
  • Presentation

Advanced Terraform techniques

  • 3/14/2023
  • Article

5 best practices for secrets management