How Does Vault Help You Secure a Microservices Architecture?
Dec 16, 2019
If you have microservices springing up in a variety of environments, you need something agile enough to supply your secrets across those environments. That's Vault.
Senior Solutions Engineer, HashiCorp
How does Vault help you secure a microservices architecture? This is a great topic for anybody who's migrating their infrastructure or their applications into microservice frameworks, or who has mixed environments. The beauty of Vault is that it's both cloud-agnostic and application-framework-agnostic, so you're not relying on a particular runtime framework in order to store your secrets. You have something that can span any type of application you have.
If you have things that are running on bare metal, that's great. But as you start migrating them into containerized microservices, you have a set of challenges that are a little bit different than what you had previously.
» Microservices demand better secrets management
One of the major issues that you're going to have is scalability. The traditional way of delivering secrets to machines was through something like a configuration management system, like Puppet or Ansible. But as we start moving into microservices, it's very possible that those microservices are going to come alive in a variety of different environments and very quickly be able to migrate from machine to machine.
What you need is something that's agile enough to supply your secrets in that kind of an environment, and Vault has a very rich API to be able to access things within those environments. But not only that; it has very flexible authentication methods, so if you're running in Nomad, or inside of Kubernetes, there are direct plugins to allow you to authenticate systems with Vault to be able to retrieve secrets.
» Automatic authentication with Vault
If you're running inside clouds, which are very popular these days, then Azure, AWS, or GCP for that matter, even Alibaba and Weiwei clouds, also have plugins to allow you to do automatic authentication into Vault.
What you have is this rich framework in which to both retrieve and store secrets in a very easy manner. As you get to thousands and thousands of microservices, it's very difficult to manage those things by hand, so having some way of automatically retrieving something through a very high-throughput-capable, API-driven system is very favorable. And Vault is able to answer all of those types of requests.
» Better security with dynamic secrets
One of the other really cool concepts behind Vault is dynamic secrets. When we talk about secret sprawl, having the same username and password distributed out across your fleet allows an attacker to compromise one insecure area and then use that secret across your entire environment.
Dynamic secrets change this paradigm a little bit by having each of your endpoints get its own username and password for the entity that you're trying to get access to. So if somebody were to pivot off from another system and gain access to a less-secured microservice, they couldn't get access to the rest of them.
Most of these dynamic secrets are time-bound and easily revocable, so if you notice that there's an issue or a breach inside your environment, you can revoke one secret while all the rest of your applications keep their own usernames and passwords. You don't have to worry about restarting your whole fleet or taking your whole fleet of environments down.
It can help mitigate a little bit of risk by spreading out the surface area in which your secrets are installed.
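To make the two ideas above concrete, the automatic authentication from the earlier section and the dynamic, leased credentials from this one, here is an added example that is not HashiCorp's code or part of the original talk. It is a minimal standard-library client for the Vault HTTP API that follows the flow a microservice would run: log in with its Kubernetes service-account JWT, read a database credential that is unique to this instance and carries a lease, and renew or revoke that lease. The Vault address, the Kubernetes auth role name (`payments`), the database role name (`payments-ro`), and the sample response values are all assumptions constructed for the example; the API paths and the `X-Vault-Token` header are Vault's real ones.

```python
"""Added example (not HashiCorp's code): a minimal Vault HTTP API client for
the microservice flow described in the talk, standard library only.

Assumptions (not from the page): Vault reachable at VAULT_ADDR, a Kubernetes
auth role named "payments", a database secrets engine role named "payments-ro".
"""
import json
import os
import urllib.request
from typing import Any, Dict, Optional, Tuple

Request = Tuple[str, str, Optional[Dict[str, Any]]]  # (method, path, json body)


# --- request builders: they return (method, path, body) so the calls can be
# inspected and tested without a running Vault server -----------------------

def kubernetes_login_request(role: str, jwt: str) -> Request:
    """POST /v1/auth/kubernetes/login trades a service-account JWT for a Vault token."""
    return ("POST", "/v1/auth/kubernetes/login", {"role": role, "jwt": jwt})


def read_dynamic_creds_request(db_role: str) -> Request:
    """GET /v1/database/creds/<role> makes Vault create a fresh DB user for this caller.
    Every instance that calls this gets its own username/password and lease."""
    return ("GET", f"/v1/database/creds/{db_role}", None)


def renew_lease_request(lease_id: str, increment: int) -> Request:
    """PUT /v1/sys/leases/renew extends one lease; other instances are untouched."""
    return ("PUT", "/v1/sys/leases/renew", {"lease_id": lease_id, "increment": increment})


def revoke_lease_request(lease_id: str) -> Request:
    """PUT /v1/sys/leases/revoke drops one credential, e.g. after a suspected breach."""
    return ("PUT", "/v1/sys/leases/revoke", {"lease_id": lease_id})


def send(vault_addr: str, token: Optional[str], request: Request) -> Dict[str, Any]:
    """Send a built request to Vault and return the decoded JSON body."""
    method, path, body = request
    data = json.dumps(body).encode() if body is not None else None
    req = urllib.request.Request(vault_addr + path, data=data, method=method)
    req.add_header("Content-Type", "application/json")
    if token:
        req.add_header("X-Vault-Token", token)
    with urllib.request.urlopen(req, timeout=5) as resp:
        return json.load(resp)


# --- response handling ------------------------------------------------------

def parse_login(resp: Dict[str, Any]) -> Tuple[str, int]:
    """Pull the client token and its TTL out of a login response."""
    auth = resp["auth"]
    return auth["client_token"], int(auth["lease_duration"])


def parse_creds(resp: Dict[str, Any]) -> Dict[str, Any]:
    """Pull the per-instance username/password and the lease that bounds them."""
    return {
        "username": resp["data"]["username"],
        "password": resp["data"]["password"],
        "lease_id": resp["lease_id"],
        "lease_duration": int(resp["lease_duration"]),
        "renewable": bool(resp["renewable"]),
    }


def renew_after(lease_duration: int, fraction: float = 2 / 3) -> int:
    """Seconds to wait before renewing. Renewing well before expiry means a short
    Vault outage does not leave the service holding a dead credential."""
    return int(lease_duration * fraction)


# Constructed sample response shaped like Vault's database/creds output.
SAMPLE_CREDS_RESPONSE: Dict[str, Any] = {
    "request_id": "EXAMPLE-REQUEST-ID",
    "lease_id": "database/creds/payments-ro/EXAMPLE-LEASE-ID",
    "renewable": True,
    "lease_duration": 3600,
    "data": {"username": "v-kubernet-payments-ro-EXAMPLE",
             "password": "EXAMPLE-GENERATED-PASSWORD"},
}


def demo_offline() -> Dict[str, Any]:
    """Walk the flow against the constructed sample, no server needed."""
    creds = parse_creds(SAMPLE_CREDS_RESPONSE)
    creds["renew_in"] = renew_after(creds["lease_duration"])
    creds["revoke_request"] = revoke_lease_request(creds["lease_id"])
    return creds


if __name__ == "__main__":
    print(json.dumps(demo_offline(), indent=2))
    # Live run only if the operator points us at a Vault and provides a JWT.
    addr, jwt = os.environ.get("VAULT_ADDR"), os.environ.get("K8S_JWT")
    if addr and jwt:
        token, _ = parse_login(send(addr, None, kubernetes_login_request("payments", jwt)))
        print(parse_creds(send(addr, token, read_dynamic_creds_request("payments-ro"))))
```

The point of the separation is that each instance calls `database/creds/payments-ro` itself, so Vault mints a different username and lease for every caller; revoking the lease held by a suspect instance with `sys/leases/revoke` invalidates only that one credential, which is the blast-radius reduction the talk describes.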