Streamline Secrets Management with Vault Agent and Vault 0.11
Sep 12, 2018
The newly released HashiCorp Vault 0.11 includes ACL templates and Vault Agent—which give you secure, automatic introduction and management of the tokens used to access dynamic secrets.
- Jeff Mitchell, Engineering Manager, HashiCorp
The shift from static, on-premises infrastructure to dynamic, multi-provider infrastructure changes the way organizations need to approach security.
- Security in static infrastructure relies on dedicated servers, static IP addresses, and a clear network perimeter.
- Security in dynamic infrastructure is defined by ephemeral applications and servers, trusted sources of user and application identity, and software-based encryption.
This is the arena where HashiCorp Vault excels.
Vault 0.11 is the latest release of HashiCorp's open-source secrets management software. The new version streamlines secrets management by introducing Vault Agent, a client-side daemon that authenticates to Vault on an application's behalf using a trusted platform identity (such as a cloud IAM role or a Kubernetes service account), writes the resulting token to a sink, and keeps it renewed. This addresses the "secret zero" problem: the application no longer needs a pre-provisioned credential just to obtain its first Vault token.
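The following Vault Agent configuration, added here as an illustration and not taken from the webinar or from HashiCorp's own examples, shows the secure-introduction flow described above. It assumes an AWS IAM auth method mounted at `auth/aws` with a role named `web-app` (both hypothetical names), and that the agent runs on an EC2 instance whose instance profile is bound to that role. The Vault address is supplied through the `VAULT_ADDR` environment variable rather than in the file.

```hcl
# Example Vault Agent configuration (added illustration; names are assumptions).
# Run with: VAULT_ADDR=https://vault.example.com:8200 vault agent -config=agent.hcl
pid_file = "/run/vault/agent.pid"

auto_auth {
  # The agent authenticates with the instance's IAM identity (signed STS
  # GetCallerIdentity request). No long-lived credential is stored on disk,
  # which is what removes the "secret zero" from the application.
  method "aws" {
    mount_path = "auth/aws"
    config = {
      type = "iam"
      role = "web-app"   # hypothetical Vault role bound to the instance profile
    }
  }

  # The token is delivered to a file sink. wrap_ttl makes the agent write a
  # response-wrapping token instead of the real token, so the file contents
  # are single-use and short-lived; the application unwraps it once.
  sink "file" {
    wrap_ttl = "5m"
    config = {
      path = "/run/vault/token"
    }
  }
}
```

The application reads `/run/vault/token`, calls `vault unwrap` (or the `sys/wrapping/unwrap` API) to obtain its real token, and discards the wrapping token. Restrict the sink path with file-system permissions so only the application's user can read it; the agent renews the underlying token for as long as it runs, so the application never has to handle renewal itself.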
Additionally, as teams and organizations grow, Vault needs to scale with them. Vault 0.11 also includes Vault Enterprise features such as Namespaces, which address the growing complexity of managing secrets at scale across an organization.
In this video, HashiCorp's principal Vault engineer, Jeff Mitchell, introduces and demos Vault Agent, Namespaces, and ACL templating, concluding with plenty of Q&A.
What you'll learn:
- What is Vault Agent?
- How does Vault Agent work with secure introduction?
- What are Vault Enterprise Namespaces and how do they work?
- What are Vault ACL templates and how do they work?
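As an added example of ACL templating (not the policy shown in the webinar demo), the following policy grants each authenticated entity its own KV v2 path and a team-shared path, with the paths resolved from the entity's identity at evaluation time. It assumes a KV v2 secrets engine mounted at `secret/` and an entity metadata key named `team` (both assumptions).

```hcl
# Example templated ACL policy (added illustration; mount and metadata key are assumed).
# {{identity.entity.id}} is substituted with the calling token's entity ID when
# the policy is evaluated, so one policy serves every entity without per-user paths.
path "secret/data/users/{{identity.entity.id}}/*" {
  capabilities = ["create", "read", "update", "delete", "list"]
}

path "secret/metadata/users/{{identity.entity.id}}/*" {
  capabilities = ["list", "read", "delete"]
}

# Team-shared secrets, keyed by the entity's "team" metadata. Only Vault
# operators should be able to set this metadata, otherwise a user could
# re-assign themselves to another team's path.
path "secret/data/teams/{{identity.entity.metadata.team}}/*" {
  capabilities = ["read", "list"]
}
```

Because the entity ID is opaque and assigned by Vault, a user cannot craft a path that matches another entity's prefix. The metadata-based rule is only as trustworthy as the process that sets the metadata, so confirm who holds `update` on `identity/entity/*` before relying on it, and verify the rendered result for a given token with `vault token capabilities <token> secret/data/users/<entity-id>/foo`.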
0:00 — Intro to Vault Agent
7:51 — Demo: Vault Agent
13:00 — Intro to Namespaces
18:00 — Demo: Namespaces
24:35 — Demo: ACL templates
32:10 — Q&A
Questions asked during this webinar
- Could you elaborate on what cubbyholes are, how they work, and some common use cases?
- Does Vault Agent become aware of the TTL (Time-to-live) configured on a Vault role as well?
- You mentioned that credentials aren't really necessary because auth agent "just uses the environment." Could you expand on that?
- Would the agent be able to see if a Vault password was rotated?
- Could you describe an example use case for Vault Agent where it reduces the complexity of using Vault?
- Will there be a way to do authentication against a custom auth plugin using the Vault Agent?
- Is the new Vault Agent using wrapped responses?
- Can the Vault Agent cache secrets from Vault in a secure manner? Is it on the roadmap?
- Is work ongoing to make Vault policy definitions and configuration fully manageable by Terraform? And reducing the security risks by writing sensitive data to
- You mentioned there being a theme of reducing operational burden for Vault 0.11. Do you see any features on the roadmap that will help automate configuration (i.e., creating and configuring secret engines, policies, etc.)?
- Any news on integrations between Vault Agent and Consul Template?
- Since both Vault and Consul can act as a CA (certificate authority) for SSH, would Vault be overkill for this if you are already running Consul?
- How does the Vault Agent token renewal work in tandem with Consul Template, which can also renew the token?
- Does the Vault Agent expose any metrics so it can be monitored for health?