As organizations adopt one or more public clouds, they are faced with the challenge of securely providing access to secret material, such as usernames and passwords, API tokens, encryption keys, and TLS certificates. This problem is known as secrets management, and there are several primary challenges:
Vault was created to solve the secrets management challenge while brokering access across a diverse and growing set of environments, clients, and systems.
Vault provides a consistent API, user and group management, authorization policies, and plugin architecture. The plugin architecture allows Vault to be easily extended to solve the brokering challenge across a few different categories:
Many cloud providers expose API tokens to running instances, usually via a metadata API. This allows applications to easily make requests to cloud services, such as blob storage, without needing to explicitly manage tokens. This is very convenient for single-tenant VMs running in a single cloud, but falls short for multi-tenant or multi-cloud architectures.
Imagine an application running in both AWS and GCP which needs access to both AWS S3 and GCP Cloud Storage. Each application instance can only run in one place, meaning it only has tokens for one cloud. Vault solves this problem by allowing each cloud to act as both an authentication plugin and a secrets plugin.
Suppose an application is running in AWS and needs GCP API tokens. Here is how it would work:
Here we can see how Vault brokers access not only within a cloud but also across clouds. This can simplify building multi-cloud applications. Chandler Allphin of Adobe gave a talk at HashiConf 2017 about their usage of Vault to solve just this problem.
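The AWS-to-GCP brokering described above, written as an added example against Vault's HTTP API (this is not code from the original post or from HashiCorp). It assumes an AWS auth role named `aws-to-gcp-app`, a GCP secrets engine mounted at `gcp/` with a roleset named `my-token-roleset`, and a SigV4-signed `sts:GetCallerIdentity` request produced elsewhere with the instance's own credentials; the sample request below is constructed and carries a placeholder signature.

```python
import base64
import json
import urllib.request

_b64 = lambda s: base64.b64encode(s.encode()).decode()

def build_aws_iam_login_payload(role, signed_sts_request):
    """Body for POST auth/aws/login (IAM method). signed_sts_request is a SigV4-signed
    sts:GetCallerIdentity request (method, url, body, headers); Vault replays it against
    STS to learn the caller's IAM principal, so no long-lived AWS secret is sent to Vault."""
    headers = {k: [v] for k, v in signed_sts_request["headers"].items()}  # Vault expects lists
    return {
        "role": role,
        "iam_http_request_method": signed_sts_request["method"],
        "iam_request_url": _b64(signed_sts_request["url"]),
        "iam_request_body": _b64(signed_sts_request["body"]),
        "iam_request_headers": _b64(json.dumps(headers)),
    }

class VaultBroker:
    def __init__(self, addr, http=None):
        self.addr, self.token = addr.rstrip("/"), None
        self.http = http or self._urllib_request  # injectable so the flow can run offline in tests

    def _urllib_request(self, method, path, payload, token):
        data = json.dumps(payload).encode() if payload is not None else None
        req = urllib.request.Request(f"{self.addr}/v1/{path}", data=data, method=method,
                                     headers={"Content-Type": "application/json"})
        if token:
            req.add_header("X-Vault-Token", token)
        with urllib.request.urlopen(req) as resp:
            return json.load(resp)

    def login_aws_iam(self, role, signed_sts_request):
        """Exchange proof of AWS identity for a Vault token limited to the role's policies."""
        resp = self.http("POST", "auth/aws/login",
                         build_aws_iam_login_payload(role, signed_sts_request), None)
        self.token = resp["auth"]["client_token"]
        return self.token

    def gcp_access_token(self, roleset):
        """Vault mints a short-lived OAuth2 token from the roleset's service account;
        it expires after token_ttl seconds and the app never handles a GCP key file."""
        resp = self.http("GET", f"gcp/roleset/{roleset}/token", None, self.token)
        return resp["data"]["token"], resp["data"]["token_ttl"]

SAMPLE_SIGNED_STS_REQUEST = {  # constructed; a real request carries a valid SigV4 signature
    "method": "POST", "url": "https://sts.amazonaws.com/",
    "body": "Action=GetCallerIdentity&Version=2011-06-15",
    "headers": {"Authorization": "AWS4-HMAC-SHA256 Credential=PLACEHOLDER",
                "X-Vault-AWS-IAM-Server-ID": "vault.example.com"},
}
```

The `X-Vault-AWS-IAM-Server-ID` header binds the signed request to one Vault cluster, so a captured login request cannot be replayed against another Vault.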
With each new public security breach, organizations are increasingly interested in improving their security posture. Assuming your network has been or will be compromised forces a new approach to secrets management, where access is carefully gated and audited. Vault provides a solution that is highly flexible, and can support the wide range of environments, clients, and systems that exist.
Learn more about Vault: https://www.vaultproject.io