HashiCorp’s Vault

HashiCorp’s Vault is a secret management tool which tightly controls and secures secrets. Its high availability architecture, its security and its simple GUI make this a product worth looking at, just like Consul (check out my previous article).

Let’s take a peek at how this works –
When we talk about secrets, most of the time we are referring to passwords. How we manage passwords in code is really critical. Vault literally makes it easy for a developer: there is nothing for them to do except call an API to retrieve the password. Sounds simple, doesn’t it?!
So, again, what does Vault do to store and secure them?
Vault stores values in key-value format, our favourite. Once you store a secret in Vault, it is encrypted. To read the value back you need a token, and to generate a token you first need to create a policy. Policies are nothing but the permissions you grant to the token, and they are written in JSON format. We would then create a simple read policy and generate a token for it. Using this token and the appropriate Vault API, we are able to read the secret. Things to remember here –
a. All the tokens in vault will expire based on their TTL.
b. Only the root token in vault will not expire.

[Figure: architecture of Vault with Consul, image from HashiCorp’s website]

Vault servers work in active and standby mode –
When we have multiple Vault servers, one will be active and the others will be standby. If the active one goes down, a standby becomes active. All traffic is directed to the active Vault. To check whether a Vault server is active or standby, use this command – vault status

The above explanation was based on token authentication. Vault has many auth methods apart from this. Let’s take a look at the AppRole auth method of Vault.

Accessing secrets using AppRole –
AppRole needs the following to authenticate to Vault:
– a static role id
– a dynamic secret id
Here’s how it is done –
– Create a policy.
– Create a role and attach the policy to it.
– Now create a role id; this will not change, as it is static.
– Using the role id, you generate a new secret id every time.
– Using the secret id and role id together, we then create a token.
– This token is now used to access the secret.
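To make the two walk-throughs above concrete (the policy → token → read flow from the token section, and the role id → secret id → token steps of AppRole), here is an added example that is not part of the original post and not HashiCorp’s code. It talks to Vault’s HTTP API with only the Python standard library. It assumes a Vault server at VAULT_ADDR, an administrative token in VAULT_TOKEN for the setup steps, and a KV version 2 secrets engine mounted at the default path secret/. The policy name app-read, the role name myapp, the secret path app/db and the stored password are made up for the example.

```python
"""Added example (not from the original post): Vault token and AppRole flows
over the HTTP API, standard library only.

Assumptions (not stated in the post): Vault reachable at VAULT_ADDR, an admin
token in VAULT_TOKEN for setup, KV v2 mounted at "secret/". The names
"app-read", "myapp" and "app/db" are invented for this example.
"""
import json
import os
import urllib.request
from urllib.error import HTTPError

VAULT_ADDR = os.environ.get("VAULT_ADDR", "http://127.0.0.1:8200")

# Read-only policy. KV v2 exposes stored data under <mount>/data/<path>,
# so "read" on secret/data/app/db is all the application token gets.
READ_POLICY_HCL = 'path "secret/data/app/db" { capabilities = ["read"] }'


def vault_request(method, path, token=None, body=None):
    """Send one request to the Vault API; return decoded JSON ({} for an empty reply)."""
    data = json.dumps(body).encode() if body is not None else None
    req = urllib.request.Request(f"{VAULT_ADDR}/v1/{path}", data=data, method=method)
    req.add_header("Content-Type", "application/json")
    if token:
        req.add_header("X-Vault-Token", token)  # every authorised call carries a token
    with urllib.request.urlopen(req) as resp:
        raw = resp.read()
    return json.loads(raw) if raw else {}


def token_from_auth_response(resp):
    """Pull out what a client needs from a token-create or login reply: token, TTL, policies."""
    auth = resp["auth"]
    return {
        "token": auth["client_token"],
        "ttl_seconds": auth["lease_duration"],
        "renewable": auth.get("renewable", False),
        "policies": sorted(auth.get("token_policies", auth.get("policies", []))),
    }


def secret_from_kv_response(resp):
    """KV v2 wraps the stored pairs in data.data; return only those pairs."""
    return resp["data"]["data"]


def login_payload(role_id, secret_id):
    """Body for POST auth/approle/login: the static role id plus the fresh secret id."""
    return {"role_id": role_id, "secret_id": secret_id}


def needs_renewal(lookup_self_resp, min_remaining_seconds):
    """Decide from a token lookup-self reply whether to call auth/token/renew-self now."""
    d = lookup_self_resp["data"]
    return bool(d.get("renewable")) and d["ttl"] <= min_remaining_seconds


def token_flow(admin_token):
    """Policy -> short-lived token -> read secret (the token-based walk-through)."""
    vault_request("PUT", "sys/policies/acl/app-read", admin_token, {"policy": READ_POLICY_HCL})
    vault_request("POST", "secret/data/app/db", admin_token,
                  {"data": {"password": "example-only"}})  # constructed sample secret
    created = vault_request("POST", "auth/token/create", admin_token,
                            {"policies": ["app-read"], "ttl": "1h"})  # expires per its TTL
    tok = token_from_auth_response(created)
    secret = secret_from_kv_response(vault_request("GET", "secret/data/app/db", tok["token"]))
    return tok, secret


def approle_flow(admin_token):
    """Role -> static role id -> fresh secret id -> login -> token (the AppRole steps)."""
    try:
        vault_request("POST", "sys/auth/approle", admin_token, {"type": "approle"})
    except HTTPError as e:
        if e.code != 400:  # 400: the auth method is already enabled at that path
            raise
    vault_request("POST", "auth/approle/role/myapp", admin_token,
                  {"token_policies": ["app-read"], "token_ttl": "1h",
                   "secret_id_ttl": "10m", "secret_id_num_uses": 1})
    role_id = vault_request("GET", "auth/approle/role/myapp/role-id", admin_token)["data"]["role_id"]
    secret_id = vault_request("POST", "auth/approle/role/myapp/secret-id", admin_token, {})["data"]["secret_id"]
    # Login itself needs no prior token: the role id + secret id pair is the credential.
    login = vault_request("POST", "auth/approle/login", None, login_payload(role_id, secret_id))
    tok = token_from_auth_response(login)
    secret = secret_from_kv_response(vault_request("GET", "secret/data/app/db", tok["token"]))
    return tok, secret


if __name__ == "__main__":
    admin = os.environ["VAULT_TOKEN"]
    for name, flow in (("token", token_flow), ("approle", approle_flow)):
        tok, secret = flow(admin)
        print(f"{name}: policies={tok['policies']} ttl={tok['ttl_seconds']}s keys={list(secret)}")
```

Run it with VAULT_ADDR and VAULT_TOKEN exported; each flow ends by reading the secret with the token it obtained, so the application never sees the admin token. The secret id is configured single-use with a ten-minute lifetime, which is what makes it the dynamic half of the pair, while the role id stays the same across runs.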

Refer to HashiCorp’s Vault documentation for the other types of auth methods and use the one that best suits your scenario.

As you see, Vault does everything for us. So, is there anything we should be doing? Yes! One thing. As I mentioned above, tokens expire, so we should plan a strategy for how often tokens should expire and get rotated, for an efficient workflow.

Finally, WHY VAULT?

  • Vault’s architecture is highly available.
  • Fault tolerant.
  • Tightly manages secrets with multiple security layers.
  • Data is encrypted.
  • Simple open source product with an open source UI.
  • HashiCorp provides support for enterprise versions.
  • Easy to use.


Published by Ritesh Kumar Reddy

I (Ritesh) work as a Sr. Cloud Engineer for a living. Learning new technologies has always been my hobby. Why not share it? Here is the brainchild – blogging to share the knowledge. This blog is for those who wish to start in, or are already in, the Cloud field. Each article briefly talks about a tool/technology that is used in the Cloud model. Once you read the article, I hope you get a kick start regarding the specific tool/technology.
