The Vault team is quickly closing on the next major release of Vault: Vault 0.11. As we approach the release we will preview some of the new functionality coming soon to Vault Open Source and Vault Enterprise.
This post will focus on Vault Agent: a new feature in all versions of Vault that manages the process of secure introduction and the management of tokens for accessing dynamic secrets.
One common challenge we've heard throughout Vault's life is something we call within HashiCorp the "Secret Zero Problem". Securely introducing a secret into an application or local environment can be challenging for users uncomfortable with significantly altering application logic.
If that secret is a dynamic secret, and the token granting access for that secret must be refreshed on a given interval, then implementing logic to properly maintain access tokens for that secret's availability can become complicated.
Vault Agent is a solution to the Secret Zero problem of secure introduction. Agent allows you to configure a Vault binary to automatically authenticate to Vault and manage the token renewal process for locally-retrieved dynamic secrets.
Agent permits this by allowing users to configure Auto-Auth for a configured Auth Method with a local Vault Binary. Auto-Auth will allow Vault Agent to handle token renewal for them and Agent will also intelligently deal with connectivity issues and other edge cases around token renewal that could lead to performance or accessibility issues for Vault users or applications.
Once authenticated, Vault Agent interacts with a sink: a designated local repository for access tokens. Vault Agent will ensure that the tokens deposited into the sink are always fresh and available for local applications and users to use in accessing secrets or workflows within a Vault server. This obviates the need for users or applications to write logic managing token renewal, allowing them to simply point to tokens within a sink when making requests via the Vault API or another framework communicating with a Vault server.
With the launch of Vault 0.11, Vault Agent will primarily focus on file paths as a sink. However we will likely expand options in future versions of Vault.
Vault 0.11 contains Vault Agent and a host of other features, such as Namespaces. For more on Vault, see the Vault changelog and stay tuned on the HashiCorp Vault Blog.
New Sentinel HTTP import capabilities in Vault Enterprise 1.5 enable new sophisticated governance policies. See it in action.
Try HashiCorp Vault as a managed cloud service by signing up for the HCP Vault private beta.
Developers no longer have to make their Lambda functions Vault-aware.