HashiCorp’s Vault is a secrets management tool that tightly controls access to secrets. Its high-availability architecture, its security model and its simple GUI make it worth a look, just like Consul (check out my previous article).
Let’s take a peek on how this works –
When we talk about secrets, most of the time we are referring to passwords. How we manage passwords in code is really critical. Vault literally makes it easy for a developer: there is nothing for them to do except call an API to retrieve the password. Sounds simple, doesn’t it?!
So, what does Vault do to store and secure them?
Vault stores values in key-value format, our favourite. Once you store a secret in Vault it is encrypted before it ever reaches the storage backend. To read the value back you need a token, and every token carries one or more policies. Policies are nothing but the permissions you grant to the token; they are written in HCL (JSON is also accepted). So we create a simple read policy, generate a token bound to that policy, and use the token with the appropriate Vault API to read the secret. Things to remember here –
a. Tokens in Vault expire when their TTL runs out, unless they are renewed before that.
b. Only the root token has no TTL by default, so it never expires. Use it for initial setup only and revoke it afterwards.
Vault servers work in Active and Standby mode –
Since we run multiple Vault servers, one is active and the others are standby. If the active node goes down, a standby takes over. All traffic is served by the active node (standbys forward requests to it). To check whether a node is active or standby, run vault status and look at the HA Mode line.
The above explanation was based on token authentication. Vault has many auth methods apart from this. Let’s take a look at the AppRole auth method of Vault.
Accessing secrets using app role –
AppRole needs the following two values to authenticate to Vault
– a role ID (static; it identifies the application and does not change)
– a secret ID (dynamic; a fresh one is generated for each login and it can be made single-use with a short TTL)
Here’s how it is done –
– Create a policy.
– Create a role and attach the policy to it.
– Fetch the role ID. This does not change, as it is static.
– Using the role, generate a secret ID every time the application needs to log in.
– Log in with the secret ID and role ID; Vault returns a token.
– This token is now used to access the secret.
Refer to HashiCorp’s Vault documentation for the other auth methods and use the one that best suits your scenario.
As you can see, Vault does most of the work for us. So, is there anything we should be doing? Yes! One thing. As I mentioned above, tokens expire, so we should plan how long tokens should live and how the application renews or re-authenticates before they lapse, so that it never holds an expired token or an unnecessarily long-lived one.
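The whole flow described above, from the read policy and token through the AppRole steps to a TTL-based renewal check, as an added example that is not part of the original article or of HashiCorp’s own code. It talks to Vault’s HTTP API with the standard library only. The role name payments-api, the policy name db-read, the KV v2 mount secret with a secret at app/db, and the TTL values are assumptions chosen for the example; the fake_vault function is a constructed stand-in that answers with sample values so the flow runs offline, and a live run needs a dev server with the approle method enabled and that secret written.

```python
"""Vault policy, AppRole login and KV v2 read over the HTTP API (stdlib only)."""
import json
import os
import urllib.request

# Policies are HCL (JSON also accepted). KV v2 serves data under <mount>/data/<path>.
READ_POLICY = '''
path "secret/data/app/db" {
  capabilities = ["read"]
}
'''

def build_request(addr, method, path, token=None, body=None):
    """Describe one Vault API call as a dict; the token travels in X-Vault-Token."""
    headers = {"Content-Type": "application/json"}
    if token:
        headers["X-Vault-Token"] = token
    return {"method": method, "url": f"{addr.rstrip('/')}/v1/{path.lstrip('/')}",
            "headers": headers, "body": body}

def send(req):
    """Deliver a built request to a live Vault; 204 replies come back as {}."""
    data = json.dumps(req["body"]).encode() if req["body"] is not None else None
    r = urllib.request.Request(req["url"], data=data, headers=req["headers"], method=req["method"])
    with urllib.request.urlopen(r) as resp:
        raw = resp.read()
    return json.loads(raw) if raw else {}

# 1. Policy: the permissions a token will carry.
def policy_request(addr, root_token, name, hcl):
    return build_request(addr, "PUT", f"sys/policies/acl/{name}", root_token, {"policy": hcl})

# 2. AppRole role bound to that policy. Short TTLs and single-use secret IDs
#    limit what a leaked credential is worth (assumed values for the example).
def create_role_request(addr, root_token, role, policy_name):
    return build_request(addr, "POST", f"auth/approle/role/{role}", root_token, {
        "token_policies": [policy_name], "token_ttl": "20m", "token_max_ttl": "1h",
        "secret_id_ttl": "10m", "secret_id_num_uses": 1})

def role_id_request(addr, root_token, role):  # static: same value every time
    return build_request(addr, "GET", f"auth/approle/role/{role}/role-id", root_token)

def secret_id_request(addr, root_token, role):  # dynamic: a fresh one per call
    return build_request(addr, "POST", f"auth/approle/role/{role}/secret-id", root_token, {})

# 3. Log in with both IDs, then read the secret with the returned token.
def login_request(addr, role_id, secret_id):
    return build_request(addr, "POST", "auth/approle/login", None,
                         {"role_id": role_id, "secret_id": secret_id})

def parse_login(resp):
    auth = resp["auth"]
    return auth["client_token"], int(auth["lease_duration"]), bool(auth.get("renewable"))

def read_secret_request(addr, token, mount, path):
    return build_request(addr, "GET", f"{mount}/data/{path}", token)

def needs_renewal(lease_seconds, elapsed_seconds, fraction=2 / 3):
    """Renew (or log in again) once two thirds of the lease is used, never after expiry."""
    return elapsed_seconds >= lease_seconds * fraction

def run_flow(addr, root_token, sender=send, role="payments-api", policy="db-read"):
    """Steps 1-3 end to end; `sender` lets the same flow run against a stand-in."""
    sender(policy_request(addr, root_token, policy, READ_POLICY))
    sender(create_role_request(addr, root_token, role, policy))
    role_id = sender(role_id_request(addr, root_token, role))["data"]["role_id"]
    secret_id = sender(secret_id_request(addr, root_token, role))["data"]["secret_id"]
    token, ttl, renewable = parse_login(sender(login_request(addr, role_id, secret_id)))
    secret = sender(read_secret_request(addr, token, "secret", "app/db"))["data"]["data"]
    return {"token": token, "ttl": ttl, "renewable": renewable, "secret": secret}

def fake_vault(req):
    """Constructed stand-in for a Vault server; all values are samples, not real IDs."""
    path = req["url"].split("/v1/", 1)[1]
    if path.endswith("/role-id"):
        return {"data": {"role_id": "sample-role-id"}}
    if path.endswith("/secret-id"):
        return {"data": {"secret_id": "sample-secret-id"}}
    if path == "auth/approle/login":
        if req["body"] != {"role_id": "sample-role-id", "secret_id": "sample-secret-id"}:
            raise PermissionError("bad role_id/secret_id")
        return {"auth": {"client_token": "hvs.sample-token", "lease_duration": 1200, "renewable": True}}
    if path == "secret/data/app/db":
        if req["headers"].get("X-Vault-Token") != "hvs.sample-token":
            raise PermissionError("missing or wrong token")
        return {"data": {"data": {"username": "app", "password": "sample-password"}}}
    return {}

if __name__ == "__main__":
    addr, root = os.environ.get("VAULT_ADDR"), os.environ.get("VAULT_TOKEN")
    if addr and root:  # live run: dev server with `vault auth enable approle` and secret/app/db written
        print(run_flow(addr, root))
    else:
        print(run_flow("http://127.0.0.1:8200", "sample-root-token", sender=fake_vault))
```

Two design points worth noting: the root token is only used for the setup calls (policy, role, role ID, secret ID); the application itself only ever sees the role ID, one secret ID and the short-lived token that the login returns. And needs_renewal is the piece the last paragraph asks you to plan for: check it against lease_duration on a timer and renew or log in again before the TTL lapses, rather than discovering an expired token on the next secret read.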
Finally, WHY VAULT?
- Vault’s architecture is highly available.
- Fault tolerant.
- Tightly manages secrets with multiple security layers.
- Data is encrypted at rest, before it is written to the storage backend.
- Simple open source product with an open source UI.
- HashiCorp provides support for enterprise versions.
- Easy to use.