Nicolas Corrarello is a Regional Director for Solutions Engineering at HashiCorp based out of London.
Whenever adopting a new software product, there are operational considerations to take into account. This is particularly true of HashiCorp Vault, HashiCorp's centralized secrets management solution: it is a double-edged sword, where the security it provides is only as good as the governance around it.
Maintaining a complex set of policies in Vault generally requires collaboration among a number of personas:
A developer, or application architect, who requires access to a set of secrets.
A security officer, who reviews the policy and ultimately approves access.
An operator, who generally implements the policy.
A compliance officer, or auditor, who needs full traceability of what was changed, how, and when.
Above all, policy changes need to be enforced, auditable, and easily tested. Policy needs to be versioned and stored in a way that allows easy scrutiny, because in this case the more exposure a policy gets, the easier it is to find problems with it. There is a need for a tool that is declarative when it comes to policy: one that can take any version of the policy and quickly evaluate the differences between the actual state and the desired state.
Finally, in an agile world, we need a way to ensure that policy can be evaluated quickly and integrated into Vault, reducing the time between the requirement and the implementation. Ideally, we would implement a workflow in software that allows us to quickly request, validate, integrate, and push policy changes, reducing the chance of introducing failures while keeping a closed loop.
Luckily, we have all the tools we need for that: the vault_policy resource in HashiCorp Terraform makes it an ideal candidate to carry out the deployment for a number of reasons.
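As an added example (not code from the original post or its linked repository), here is what the Terraform side of that workflow looks like: a policy rendered from the Vault provider's vault_policy_document data source and managed by a vault_policy resource. The policy name, the secret paths and the mount names are assumptions chosen for illustration.

```hcl
# Added example, not from the original post: a Vault policy declared with the
# Terraform Vault provider. Policy name, paths and mounts are assumptions.

terraform {
  required_providers {
    vault = {
      source = "hashicorp/vault"
    }
  }
}

# The provider reads VAULT_ADDR and VAULT_TOKEN from the environment, so no
# Vault credentials are committed to the repository next to the policy.
provider "vault" {}

# Render the policy from structured rules instead of a hand-written HCL string.
# The rendered document is what terraform plan diffs against the live policy.
data "vault_policy_document" "payments_app" {
  rule {
    path         = "secret/data/payments/*"
    capabilities = ["read"]
    description  = "application reads its own runtime secrets"
  }

  rule {
    path         = "secret/metadata/payments/*"
    capabilities = ["list"]
    description  = "listing only, so the app can discover secret names"
  }

  rule {
    path         = "database/creds/payments-readonly"
    capabilities = ["read"]
    description  = "lease short-lived read-only database credentials"
  }

  # An explicit deny wins over any allow, so a broader rule added later
  # cannot accidentally expose the signing keys to the application.
  rule {
    path         = "secret/data/payments/signing-keys/*"
    capabilities = ["deny"]
    description  = "signing keys are never readable by the application"
  }
}

# The managed policy object in Vault; its name is what roles and tokens
# reference, and the policy body is the rendered document above.
resource "vault_policy" "payments_app" {
  name   = "payments-app"
  policy = data.vault_policy_document.payments_app.hcl
}
```

With the policy expressed this way, each persona gets a concrete artifact to work with: the developer opens a pull request that adds or changes a rule, terraform fmt -check and terraform validate catch syntax problems before anyone reads the change, the plan output shows the security officer exactly which rules would be added, removed or widened in the running Vault, terraform apply on the approved branch pushes the change, and the version control history gives the auditor the what, who and when for every policy revision.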
An example of this implementation can be found in this version control repository, which contains this Jenkinsfile. In this case, the end-to-end workflow is described in a Jenkins Pipeline with the following steps: