HashiCorp Vault — An Overview of Day to Day Use Cases

Chaminda Mendis
4 min readOct 24, 2020


Image source: https://www.eweek.com/imagesvr_ez/b2bezp/2017/08/Hashicorp-Vault-1088x725.png

HashiCorp Vault is the secrets management piece of the HashiCorp stack. Its core function is to act as a central secrets manager, but many more features have been added and more are in the pipeline. Credit to HashiCorp for believing in open source and making Vault one of its open source projects.

Why Vault? What makes Vault special?

The first answer is that it is an open source project: almost everything is in the open source version, and it is backed by a well-established organization for enterprise support if you need it. Another reason is the API-driven architecture, which lets Vault fit into any environment that can talk HTTPS. It supports a wide range of operating systems, and its plugin-based secrets engines and auth methods make it easy to integrate with many other tools. Finally, Vault is a single binary executable. Yes, you heard that right: many competing products come with a complex installation process. A Vault deployment is simple to stand up, yet strong in terms of data security: everything it writes to its storage backend is encrypted, and the key is only available while Vault is unsealed.

Image source: https://images3.memedroid.com/images/UPLOADED147/5e154154b2605.jpeg

What problems does Vault solve?

As we all know, service account secrets, access tokens, DB connection strings and so on tend to lie around for a long time without rotation; sometimes they are static forever. One of Vault's main principles is to issue secrets with a short TTL. The other main pillar is to rotate secrets frequently. The exposure is therefore minimal: a credential that leaks into, say, a log file is only useful until its lease expires or is revoked once the job is done (it is still a leak, so short TTLs shrink the window rather than remove the risk). The other big issue is machine credentials. Humans have many ways to authenticate, but machines have few, and most machine-to-machine (M2M) traffic authenticates with a static token or credential. Vault provides a clean way to do M2M authentication that inherits the same short-TTL, rotatable and least-privilege properties.

A few day-to-day use cases

Here I discuss a few real-world Vault scenarios that are interesting and useful in many ways. Below is the list of topics; a how-to for each will follow as part of this series.

  1. Vault as a central secret store:
    Many organizations do not take this seriously and never implement a proper tool for storing confidential information about their IT assets and infrastructure. Typically hostnames, IPs, non-dictionary credentials and the like end up in Excel or similar files. It is difficult to apply any level of security, encryption or central management to such a legacy approach. This is where Vault comes into the picture. Given a redundant, highly available deployment, the Vault KV secrets engine serves as a central secret store with encryption at rest and policy-controlled access, without much complexity. The good thing is that it needs no software budget, only infrastructure sized to your organization's requirements.
  2. Vault as a dynamic password proxy for AD:
    Microsoft AD is one of the most widely adopted directory services in the world, and there is no doubt it has many great security features. But when it comes to service accounts and credentials used by automation workflows, AD cannot help much: it can rotate a password, but it has no way to tell the consuming party about the change. This is a big security and operational problem for any organization. Vault can act as a kind of proxy between machine users or workflows and AD, handing out credentials on AD's behalf. Vault then applies its own strengths to the AD credentials: short-TTL leases, rotation as needed, and passwords generated according to the organization's password policy. The consumer no longer stores the password; it asks Vault for the current one.
  3. Vault as a dynamic AWS access token issuer:
    AWS IAM access keys have the same problem as AD credentials. Apart from what the STS service offers, access keys are not rotated by automation workflows without manual intervention, and the problem gets worse the more AWS accounts you have, unless AWS Organizations is in place. Vault can build on STS AssumeRole and session tokens to become the central token issuer for all your AWS accounts. Vault issues least-privilege, short-lived credentials and tracks their lease. One caveat: STS session credentials cannot be revoked early by Vault; they simply expire at the end of their TTL, so choose a TTL that matches the job. In the end your automation workflows hold no long-lived access keys. Vault keeps one root credential per account, which it can rotate as well, and authentication keeps going smoothly.
  4. Vault as a machine-to-machine (M2M) authenticator:
    This is the most interesting part of Vault's authentication features. When machines need to talk to each other, there must be a way to authenticate. In most cloud environments this is possible through the platform's own identity system (an instance or workload identity). But on premises, or on a virtualization platform, we end up hard-coding credentials. Imagine scenarios like a web server needing access to a DB, a CI server talking to hypervisors to deploy, or a script needing secrets from Vault. Even with Vault issuing dynamic secrets, there has to be a starting point: the machine must authenticate to Vault before it can get anything (the secure introduction problem). Vault has features to solve this: it supports many DB engines for dynamic secrets, and it supports the AppRole, OIDC and JWT auth methods for M2M authentication.

Above are a few examples of how HashiCorp Vault solves day-to-day secret management problems. I hope this article added value to your knowledge; I would like to discuss these features in more depth in future.

Happy Vaulting ! 🗄🔐😃


Chaminda Mendis

Eagerness to learn, curious to go in to deep and happy to share what I know :)