open-vault/website/source/guides/identity/secure-intro.html.md

---
layout: "guides"
page_title: "Secure Introduction of Vault Clients - Guides"
sidebar_current: "guides-identity-secure-intro"
description: |-
  This introductory guide walk through the mechanism of Vault clients to
  authenticate with Vault. There are two approaches at a high-level: platform
  integration, and trusted orchestrator.
---

# Secure Introduction of Vault Clients

A _secret_ is something that will elevate the risk if exposed to unauthorized
entities and results in undesired consequences (e.g. unauthorized data access);
therefore, only the ***trusted entities*** should have an access to your
secrets.

If you can securely get the first secret from an originator to a consumer,
all subsequent secrets transmitted between this originator and consumer can be
authenticated with the trust established by the successful distribution and user
of that first secret.  

![Secure Introduction](/assets/images/vault-secure-intro-1.png)

The Vault authentication process verifies the secret consumer's identity and
then generate a **token** to associate with that identity.
[Tokens](/docs/concepts/tokens.html) are the core method for authentication
within Vault which means that the secret consumer must first acquire a valid
token.


## Challenge

How does a secret consumer (an application or machine) prove that it is the
legitimate recipient for a secret so that it can acquire a token?

How can you avoid persisting raw token values during our secure
introduction?  

## Secure Introduction Approach

Vault's auth methods perform authentication of its client and assigning a set of
policies which defines the permitted operations for the client.

![Auth Method](/assets/images/vault-auth-method.png)

There are two basic patterns to securely authenticate a secret consumer:
[platform integration](#platform-integration) and [trusted
orchestrator](#trusted-orchestrator).  


### Platform Integration

In the **Platform Integration** model, Vault trusts the underlying platform
(e.g. AWS, Azure, GCP) which assigns an identifier to its cloud resources (e.g.
an IAM token, instance ID, JWT). The Vault client (secret consumer)
authenticates with Vault using its platform provided identifier. Once its
identity was successfully validated against the platform, Vault returns an
initial token to the client with a set of configured policies attached.

![Platform Integration](/assets/images/vault-secure-intro-2.png)

**Use Case**

When the client app is running on a VM hosted on a supported cloud platform, you
can leverage the corresponding auth method to authenticate with Vault.

**Reference Materials:**

- [AWS Auth Method](/docs/auth/aws.html)
- [Azure Auth Method](/docs/auth/azure.html)
- [GCP Auth Method](/docs/auth/azure.html)

### Trusted Orchestrator

In the **Trusted Orchestrator** model, you have an _orchestrator_ which is
already authenticated against Vault with privileged permissions. The
orchestrator launches new applications and inject a mechanism they can use to
authenticate (e.g. AppRole, PKI cert, token, etc) with Vault.

![Trusted Orchestrator](/assets/images/vault-secure-intro-3.png)

**Use Case**

When you are using an orchestrator tool such as Chef to launch applications,
this model can be applied regardless of where the applications are running.

**Reference Materials:**

- [AppRole Auth Method](/docs/auth/approle.html)
  - [AppRole Pull Authentication](/guides/identity/authentication.html)
  - [AppRole with Terraform and Chef Demo](/guides/identity/approle-trusted-entities.html)
- [TLS Certificates Auth Method](/docs/auth/cert.html)
- [Token Auth Method](/docs/auth/token.html)
  - [Cubbyhole Response Wrapping](/guides/secret-mgmt/cubbyhole.html)



## Next steps

Read the reference materials listed for secure introduction model best suited
for your use case.