HashiCorp Vault 1.15 improves security by adopting Microsoft Workload Identity Federation for applications and services in Azure, Google Cloud, and GitHub.
Microsoft’s primary method for assigning identities to workloads has been Pod Identity. However, Pod Identity and its workflows are being deprecated and will not be supported after December 2023. Microsoft will continue to support workload identity workflows with its Workload Identity Federation (WIF) product, support for which was added in Vault 1.15 to deepen Vault’s integration with Microsoft Azure.
In this post, we’ll take a deeper look at the advantages and caveats of WIF.
In Azure, workload identities are assigned to software workloads such as an application, service, script, or container so they can authenticate to and access other services and resources. WIF makes it easier for developers to access Azure resources from applications and services running in Kubernetes or on other cloud providers by removing the need for secrets in some scenarios. Developers configure Azure AD applications and services to trust tokens issued by an external identity provider, such as HashiCorp Vault. Those tokens can then be used by the application to access its Azure resources.
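The trust relationship described above comes down to a federated credential on the Azure AD application that pins an issuer, a subject and an audience, and a token exchange in which the workload presents the externally issued JWT as a client assertion instead of a stored secret. The example below is added here and is not HashiCorp or Microsoft code; the credential values are constructed placeholders, and the issuer URL is an assumption of how a Vault OIDC provider issuer looks.

```python
"""Illustration of the WIF trust check and the token-exchange request shape.

Added example, not code from HashiCorp or Microsoft. Values are constructed.
"""

# Constructed federated credential as it would be configured on the Azure AD app.
# The issuer URL is an assumed Vault OIDC provider address, not a real endpoint.
FEDERATED_CREDENTIAL = {
    "issuer": "https://vault.example.com/v1/identity/oidc",
    "subject": "payments-api",                 # the workload identity Vault puts in 'sub'
    "audiences": ["api://AzureADTokenExchange"],  # Azure's default exchange audience
}


def evaluate_trust(claims: dict, cred: dict, now: float) -> tuple:
    """Decide whether a presented token's claims satisfy the federated credential.

    Issuer and subject must match exactly; this is what scopes trust to one
    workload rather than to every token the issuer can mint. The audience must
    be one the credential lists, and the token must be inside its validity window.
    Returns (accepted, reason) so a caller can log why a token was rejected.
    """
    if claims.get("iss") != cred["issuer"]:
        return False, "issuer mismatch"
    if claims.get("sub") != cred["subject"]:
        return False, "subject mismatch"
    aud = claims.get("aud")
    audiences = aud if isinstance(aud, list) else [aud]  # JWT 'aud' may be a list
    if not any(a in cred["audiences"] for a in audiences):
        return False, "audience mismatch"
    if claims.get("nbf", 0) > now:
        return False, "token not yet valid"
    if claims.get("exp", 0) <= now:
        return False, "token expired"
    return True, "accepted"


def client_assertion_request(client_id: str, assertion_jwt: str, scope: str) -> dict:
    """Form body a workload posts to the Azure AD token endpoint.

    This is the OAuth 2.0 client_credentials grant with a JWT bearer client
    assertion: the issuer's token stands in for a client secret, so nothing
    long-lived has to be stored or rotated by the application.
    """
    return {
        "grant_type": "client_credentials",
        "client_id": client_id,
        "scope": scope,
        "client_assertion_type": "urn:ietf:params:oauth:client-assertion-type:jwt-bearer",
        "client_assertion": assertion_jwt,
    }
```

A rejected subject or audience is the signal to look for when an exchange fails: it usually means the Vault role's subject or audience does not match the federated credential rather than a problem with the token itself.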
Developers creating applications that require secrets face several questions:
Where to store secrets?
How to mitigate password leakage?
How to reduce or eliminate service downtime associated with secrets rotation?
WIF resolves these concerns and removes the burden of secrets management from developers: storing secrets securely and rotating them regularly. The secrets are managed by the Azure platform, simplifying the developer experience. However, workload identities have a few limitations:
Microsoft’s Workload Identity Federation will continue to provide developers with a powerful tool to secure their applications and services. To learn more about workload identities, please visit our developer documentation.