Recorded Webinar

Vault 1.1: Secret Caching with Vault Agent and Other New Features

Watch HashiCorp demo the three major new features of Vault 1.1: Secret caching with Vault Agent, an OIDC authentication workflow, and transit auto-unseal.

Speakers

  • Nick Cabatoff, Software Developer, Vault Core, HashiCorp

In Vault 1.0, users saw the open source launch of auto-unseal and the introduction of batch tokens, along with improved performance. Being a landmark "1.0" release also meant feature completeness, ecosystem integration, security hardening, and enterprise-readiness.

Vault 1.1 begins a new core mission to build a foundation of new infrastructure for delivering various advanced platform features. In 1.1, advanced features for improved workflows and scaling were introduced. Three of the primary features include:

  • Secret Caching with Vault Agent: Securely cache secrets for easy access to applications and edge services.
  • OIDC Auth Flow: Enable new authentication methods such as authenticating to Vault via OpenID Connect.
  • Transit Auto-Unseal: Auto-Unseal a Vault cluster from a separate Vault cluster via transit encryption.

In this webinar, Vault Core Developer Nick Cabatoff provides introductions to all of these features along with three demos to showcase each one.

Outline

0:00 — Overview of Vault 1.1 New Features

3:13 — OIDC-based Authentication

6:08 — Demo: Auth0 OIDC

See additional tutorial on HashiCorp Learn: OIDC with Auth0

15:29 — Vault Agent Caching

21:23 — Demo: Agent Cache

See additional tutorial on HashiCorp Learn: Vault agent caching

26:34 — Transit Auto-Unseal Provider

29:47 — Demo: Transit Auto-Unseal

See additional tutorial on HashiCorp Learn: Transit Auto-unseal

32:56 — Q&A

All of the demos for this webinar can be found in this GitHub repo.

Q&A

  • Will the OIDC feature support conditional access, e.g. different rights based on how someone or something authenticated?
  • Is the ID token signed?
  • Why do we need the sink file when we enable Vault Agent cache? Can vault_token be handled in memory by the Agent instead of the sink file?
  • Are there any plans to bring caching to the K/V store?
  • Can we enable transit auto-unseal without having to re-issue the current shards?
