Two AWS quick start guides for HashiCorp Vault on EKS and EC2 are now updated for compatibility with Vault 1.6.
We are pleased to announce an update to the HashiCorp Vault on Amazon EC2 and HashiCorp Vault on Amazon EKS quick start guides.
AWS quick start guides are built by AWS solutions architects and partners to help users deploy technologies on AWS, based on AWS best practices for security and high availability. The Vault guide helps users learn and implement an open-source HashiCorp Vault cluster in an AWS environment. This guide has been updated to include the latest version of Vault and incorporates important features that have been added since the previous version of this guide was published.
In this blog, we’ll explain which features have been added to the guide and the benefits they provide.
Integrated Storage is a storage backend built into Vault itself, removing the need to configure and manage an additional storage backend or external service and significantly simplifying the deployment and operation of production Vault clusters. The Integrated Storage deployed by this guide gives users strong data consistency across the cluster. Unlike other storage backends, Integrated Storage does not operate from a single source of data. Instead, every node in a Vault cluster holds a replicated copy of Vault's data, and that data is replicated across all nodes using the Raft consensus algorithm.
Vault’s auto-unseal capabilities were introduced in the 1.0 release. When a Vault server starts, it starts in a sealed state in which it cannot decrypt its own data; before any operation can be performed on Vault, it must be unsealed. Vault’s auto-unseal feature delegates the unsealing process to AWS KMS, and this guide deploys a Vault cluster with auto-unseal via AWS KMS turned on. Delegating unsealing to AWS KMS eases operations in the event of a partial failure and aids in the creation of new or ephemeral clusters, since no operator needs to be present to enter unseal key shares. For more information about Vault’s auto-unseal with AWS KMS, follow the Learn guide.
Vault’s 1.6 release included support for the AWS Certificate Manager (ACM) Private Certificate Authority. Vault users can now use ACM Private CA as their Certificate Authority provider for issuing and managing root and intermediate certificates and for performing certificate signing operations. In this guide, users secure incoming traffic to the VPC through an application load balancer, deployed with the guide, using a certificate from ACM Private CA. Users who already rely on another trusted Certificate Authority also have the option to provide a different Secure Sockets Layer (SSL) certificate instead. Implementing this trusted connection point is a critical component of enabling AWS’s autoscaling capabilities.
The HashiCorp Vault on Amazon EKS quick start guide is designed to deploy a Vault cluster via the Vault Helm chart. The deployment wizard supports a number of advanced options to customize the installation, such as the number of server pods and clients. This guide deploys Amazon EKS as a base layer, then deploys Vault via the Helm chart following industry best practices for running Vault on Amazon EKS. For more information, visit the Vault on Kubernetes Deployment Guide and the Vault on Kubernetes Reference Architecture.
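To make the Integrated Storage, auto-unseal and Helm chart features described above concrete, here is an added example of a values file for the hashicorp/vault Helm chart. This is not the quick start guide's own template or any file from the guide; it is written for this post as an illustration. The embedded server configuration is the same HCL one would place in a vault.hcl on EC2: a three-node Raft cluster with TLS, a seal "awskms" stanza so the cluster unseals itself through AWS KMS, and Kubernetes service registration. The KMS key ID, the IAM role ARN, the Kubernetes TLS secret name and the region are placeholders you would replace with your own values.

```yaml
# Added example values.yaml for the hashicorp/vault Helm chart (not from the guide).
# All IDs, ARNs and secret names below are placeholders.
global:
  enabled: true
  tlsDisable: false            # keep TLS on between clients, pods and Raft peers

injector:
  enabled: true                # Vault Agent injector for workloads on the same EKS cluster

server:
  image:
    repository: "hashicorp/vault"
    tag: "1.6.0"               # the release the updated guides target

  # Assumed Kubernetes TLS secret holding tls.crt, tls.key and ca.crt for the server.
  volumes:
    - name: userconfig-vault-server-tls
      secret:
        defaultMode: 420
        secretName: vault-server-tls
  volumeMounts:
    - mountPath: /vault/userconfig/vault-server-tls
      name: userconfig-vault-server-tls
      readOnly: true
  extraEnvironmentVars:
    VAULT_CACERT: /vault/userconfig/vault-server-tls/ca.crt

  # The pods reach KMS through IAM Roles for Service Accounts (IRSA); the role
  # needs only kms:Encrypt, kms:Decrypt and kms:DescribeKey on the unseal key.
  serviceAccount:
    annotations:
      eks.amazonaws.com/role-arn: "arn:aws:iam::123456789012:role/vault-auto-unseal"  # placeholder

  ha:
    enabled: true
    replicas: 3                # Raft needs an odd number of voters; 3 tolerates one failure
    raft:
      enabled: true
      setNodeId: true          # node_id = pod name, so peers are stable across restarts
      config: |
        ui = true

        listener "tcp" {
          address            = "[::]:8200"
          cluster_address    = "[::]:8201"
          tls_cert_file      = "/vault/userconfig/vault-server-tls/tls.crt"
          tls_key_file       = "/vault/userconfig/vault-server-tls/tls.key"
          tls_client_ca_file = "/vault/userconfig/vault-server-tls/ca.crt"
        }

        # Integrated Storage: every node keeps a full replica, consensus via Raft.
        # retry_join lets a fresh pod find the leader through the headless service.
        storage "raft" {
          path = "/vault/data"
          retry_join {
            leader_api_addr     = "https://vault-0.vault-internal:8200"
            leader_ca_cert_file = "/vault/userconfig/vault-server-tls/ca.crt"
          }
          retry_join {
            leader_api_addr     = "https://vault-1.vault-internal:8200"
            leader_ca_cert_file = "/vault/userconfig/vault-server-tls/ca.crt"
          }
          retry_join {
            leader_api_addr     = "https://vault-2.vault-internal:8200"
            leader_ca_cert_file = "/vault/userconfig/vault-server-tls/ca.crt"
          }
        }

        # Auto-unseal: the root key is wrapped by this KMS key, so no operator
        # has to enter unseal key shares when a pod restarts or a node is replaced.
        seal "awskms" {
          region     = "us-east-1"                              # placeholder
          kms_key_id = "00000000-0000-0000-0000-000000000000"   # placeholder key ID
        }

        service_registration "kubernetes" {}
```

With the file saved as values.yaml, `helm install vault hashicorp/vault -f values.yaml` brings up the three pods; only the first node needs `vault operator init`, after which the others join through retry_join and unseal themselves via KMS. Note that auto-unseal moves the trust boundary to the KMS key's IAM policy: whoever can call kms:Decrypt on that key can unseal the cluster, so scope that permission to the Vault service account's role alone and audit its use.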
These guides were updated in collaboration with the quick start team at AWS. They make it simple for users to get started using Vault for the first time or for deploying it into their existing environment. The goal for updating these guides is to ensure that users are aware of the latest features that Vault is offering. To get started using this guide, visit the Quick Start pages: HashiCorp Vault on Amazon EC2 and HashiCorp Vault on Amazon EKS.
For more information about Vault, please visit our product page.