Fetch OpenID client_secret from Vault Service

Hi, we are in the process of integrating OpenID to connect our OpenSearch cluster with an identity provider. To facilitate this integration within the security dashboard, it is necessary to configure the client_secret in the opensearch_dashboard.yaml file. However, as this secret pertains to the client’s application, we are concerned about storing it in plain text within the YAML file.

To enhance security, we are considering retrieving the client_secret from a vault service instead of storing it directly in the configuration file. Could you please advise if integrating with the vault service is the recommended approach, or if there are alternative solutions that would better suit our requirements?

Hi @Kanika,

Have you considered using env variables?

Something like per:


Hi @Mantas, thanks for the quick reply. Yes we considered using env variables but it again has security concerns because we will have to set client_secret has an env variable in the plain text.
Additionally, since this secret belongs to the customer, we wouldn’t be aware of when they rotate it.

@Kanika, I am not aware of any solution that would meet your requirements, you might want to look into some “Vautl services” that can update Env variables, but keep in mind any OpenId credential update will require a reboot.