A DevOps team wants to authenticate to Vault using short-lived tokens without storing a secret in their CI/CD pipeline. Which authentication method best meets this requirement?
Trap 1: AWS IAM
AWS IAM is tied to AWS and is not suitable for a generic CI/CD pipeline.
Trap 2: AppRole
AppRole requires storing a RoleID and SecretID, which are static secrets.
Trap 3: Username & Password
Username & Password requires storing credentials.
- A. JWT/OIDC
  Correct: JWT/OIDC allows token exchange without storing static secrets.
- B. AWS IAM
  Why wrong: AWS IAM is tied to AWS and is not suitable for a generic CI/CD pipeline.
- C. AppRole
  Why wrong: AppRole requires storing a RoleID and SecretID, which are static secrets.
- D. Username & Password
  Why wrong: Username & Password requires storing credentials.