HashiCorp Vault 1.15 adopts Microsoft Workload Identity Federation
HashiCorp Vault 1.15 improves security by adopting Microsoft Workload Identity Federation for applications and services in Azure, Google Cloud, and GitHub.
Microsoft’s primary method for managing identities by workload has been Pod identity. However, the company’s Pod identity technology and workflows are being deprecated and will not be supported after December 2023. Microsoft will continue to support identity workflows with its Workload Identity Federation (WIF) product, which was released as part of Vault 1.15 to deepen Vault’s integration with MS Azure.
In this post, we’ll take a deeper look at the advantages and caveats of WIF.
» What is Workload Identity Federation (WIF)
In Azure, workload identities are assigned to software workloads such as an application, service, script, or container, to authenticate and access other services and resources. WIF makes it easier for developers to access Azure resources from applications and services operating in Kubernetes or other cloud providers by removing the need for secrets in some scenarios. Developers can configure Azure AD applications and services to trust tokens issued by other identity providers, such as HashiCorp Vault. The tokens can then be leveraged to access resources in those applications.
» Identity federation versus secrets
Developers creating applications that require secrets face several questions:
Where to store secrets?
- Many secrets continue to be stored in an insecure manner, checked into repos or shared within collaboration tools. To securely manage secrets, developers need to leverage a vault.
How to mitigate password leakage?
- It’s not enough to store your secrets securely. Secrets should be set to expire so they get rotated regularly.
How to reduce or eliminate service downtime associated with secrets rotation?
- Developers need to leverage a management tool that facilitates secrets rotation while reducing the risk of downtime.
WIF resolves these concerns and removes the need for developers to deal with the burden of secrets management; storing secrets securely and rotating them regularly. The secrets are managed by the Azure platform, simplifying the developer experience. However, workload identities have a few limitations:
- Only 20 federated credentials can be added to an identity. If more than 20 are required, you must use more identities.
- Federated tokens must be signed with RS256.
- Managed workload identities in certain regions will not support federated credentials, see the Microsoft documents page for the updated list.
» Learn more about WIF
Microsoft’s Workload Identity Federation will continue to provide developers with a powerful tool to secure their applications and services. To learn more about workload identities, please visit our developer documentation.
Sign up for the latest HashiCorp news
More blog posts like this one
Vault 1.18 introduces support for IPv6 and CMPv2 while improving security team user experience
HashiCorp Vault 1.18 brings UI support for AWS Workload Identity Federation (WIF), PKI CMPv2 for 5G, and more.
False positives: A big problem for secret scanners
False positives can distract security teams, exhaust resources, and increase the potential for actual threats to go unnoticed, but HCP Vault Radar can help minimize them.
Integrating Azure DevOps Pipelines with HashiCorp Vault
Use Microsoft Azure DevOps’ workload identity federation (WIF) feature to seamlessly integrate Azure DevOps pipelines with HashiCorp Vault