SE Hangout

Solutions Engineering Hangout: A Frictionless Path to Dynamic Secrets for Cloud or Legacy Apps with Vault

Nov 12, 2018

There are several methods for replacing your applications' secrets with Vault dynamic secrets. HashiCorp solutions engineer Kawsar Kamal will cover several in this demo.


  • Kawsar Kamal

    Kawsar Kamal

    Senior Solutions Engineer, HashiCorp

You've installed Vault, but how do you find and integrate secrets into it once it's set up? HashiCorp senior solutions engineer Kawsar Kamal has a few answers.

This demo will introduce you to APIs and tools such as Envconsul and Consul Template, which enable frictionless integration with applications. What they can do is inject secrets into the environment that your applications are already looking at. If they have a configuration file that's sitting on disk, what you can do is set up these tools to automatically fetch the credentials that they need. You create a template, it throws them on the file system that the app is already looking at, and then you can run an orchestration command thereafter.

This demo will also show you an application deployed on AWS with access to a database service and Kawsar will discuss alternative methods for secrets management integration, such as the Vault Agent and CI tool.

» Outline

00:00 — Introduction

23:25 — Q&A

» Additional resources

Vault docs:

» Questions answered

  • Using Envconsul / Consul Template, how do you inject the new secrets into a legacy app dynamically as the lease expires?

  • What is the difference between Envconsul & Consul Template?

  • Under what circumstances does Envconsul restart the application? If restarting my service is prohibitive, it seems I should use the API directly instead of Envconsul.

  • How many secret calls can a Vault node handle per second? Or per min?

  • Which data sources does Vault support in addition to MongoDB?

  • Could you describe how you configure Vault to manage MongoDB credentials?

  • How does it work with apps that use data connection pooling?

  • How do you manage automatically regenerating and rolling out TLS certificates for legacy apps (Apache, NGINX, Java, etc.) using Vault PKI?

  • Can it be done 100% through Vault or is something like Consul Template necessary?

  • How does the service/app authenticate to Vault to obtain the dynamic credentials?

  • Dynamic secrets require Vault support for a particular service (e.g. MongoDB). What do I need to create to handle my own dynamic secrets integration with an internal, proprietary service?

  • Do Consul Template and Envconsul support .NET web applications and/or Java web apps? (Windows environment)?

  • What (Linux) capabilities does Envconsul need to work?

Stay Informed

Subscribe to our monthly newsletter to get the latest news and product updates.

Your browser is out-of-date!

Update your browser to view this website correctly. Update my browser now