Hashicorp vault — Secrets Management

Venkateswarlu Vajrala
4 min read, Nov 14, 2022


Before diving into secrets management, let us first understand what we mean by secrets.

A secret is any piece of sensitive information used for authentication or authorisation purposes: auth tokens, usernames, DB passwords, TLS certificates, API tokens, and so on.

Now, let us look at some common problems with traditional secrets management and why it is important to understand them.

Secrets Sprawl:

Secrets tend to end up in plain text everywhere: in our source code, hardcoded in properties files, in password managers, and all over our infrastructure. This state of having secrets scattered across many different places is called secrets sprawl. Whether they are plain text or encrypted files, in the end all of them tend to reside in an SCM (source code management) system like git.

Here the question comes to mind: what is the problem with storing secrets in an SCM and having them in multiple places?

  • Audit: We do not know who has access to our secrets. Even if we restrict the repository to a certain team, that does not tell us which team members have actually read the secrets, nor when they accessed which secret.
  • Access control: We have no control over individual secrets: who can access each one, or for how long.
  • Flexibility: If we wish to introduce a new tool to our application, we have to design a new strategy for exporting secrets to it.
  • Complexity: As we scale the application and introduce more services, maintaining secrets becomes increasingly complex. We have to manually maintain a document recording which credentials are used by which services and in which places. Keeping it up to date, and making any change to a secret, becomes slow and error-prone.

Now that we understand the issues with the traditional approach, let us see how HashiCorp Vault provides a solution for them.

Centralised System:

The core issue with the traditional approach is secrets sprawl. HashiCorp Vault resolves it by providing a centralised system for all types of secrets: every kind of secret lives in one place, and you can integrate your monitoring tools, configuration tools and applications with Vault rather than distributing copies of the secrets to each of them.

Below are a few integration examples:

  • Ansible-HashiCorp Vault integration
  • New Relic — Vault integration
  • Spring Boot-Vault integration

The next question follows naturally: what about access control? Can we strictly control who can access which secrets?

The answer is yes.

Strict Access Control:

HashiCorp Vault provides strict access control over your secrets: you decide who can access which secret. Vault achieves this through the concept of policies, for example:

# Policy rule: full control over the Redis DB credential path
path "secret/db/redis" {
  capabilities = ["create", "read", "update", "delete", "list"]
}

As shown above, a policy is simply a list of secret paths, each with the capabilities granted on it. Now, let us assume this policy is named “redis_db_admin”.

We can then attach this policy to whichever user or application needs these credentials.

Follow this link for more documentation: HashiCorp Vault Policies.
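To make the least-privilege point concrete, here is an added example (not from the original post) that puts the admin policy above beside a separate read-only policy for the application that only consumes the credential. The policy name redis_app_reader, the secret/db/root path and the user name alice are hypothetical; the capabilities, the deny rule and the trailing-slash list path follow Vault's documented policy syntax.

```hcl
# --- file: redis_db_admin.hcl (hypothetical file name) ---
# Operators who rotate the Redis credential get full control over that one path.
path "secret/db/redis" {
  capabilities = ["create", "read", "update", "delete", "list"]
}

# Listing the folder lets tooling discover key names without reading any values.
path "secret/db/" {
  capabilities = ["list"]
}

# An explicit deny always wins over any allow, even one granted by another
# attached policy. secret/db/root is a hypothetical path used only to show this.
path "secret/db/root" {
  capabilities = ["deny"]
}

# --- file: redis_app_reader.hcl (hypothetical file name) ---
# The application only needs to read the credential, so it gets nothing else.
path "secret/db/redis" {
  capabilities = ["read"]
}
```

Each file is loaded with `vault policy write <name> <file>` (for example `vault policy write redis_app_reader redis_app_reader.hcl`), and the policy is attached when the identity is created, for example `vault write auth/userpass/users/alice policies=redis_db_admin` assuming the userpass auth method is enabled. Keeping the admin and reader policies separate means a compromised application token can read the Redis password but cannot rewrite or delete it.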

Now, let us see how we can keep an audit log of every interaction with Vault.

Audit:

HashiCorp Vault makes it easy to enable or disable audit logging of your interactions with Vault, for example to a file:

vault audit enable file file_path=/path/to/file.txt

You can also forward the audit log to a socket, or use a log forwarder such as Splunk to track it.

You can follow the documentation for more details here.
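The file audit device writes one JSON object per line, with a request entry and a matching response entry for every call. The following added Python example (mine, not from the post) shows how that log answers the audit question raised earlier: who read or changed which secret, when, and whether Vault allowed it. The field names (type, time, auth.display_name, auth.policies, request.operation, request.path, error) follow Vault's audit log format; the six log lines, identities and addresses are constructed sample data.

```python
import json
from collections import defaultdict

# Constructed sample of Vault file-audit-device output (one JSON object per line).
# Field names follow Vault's audit format; identities, times and addresses are made up.
SAMPLE_AUDIT_LOG = """\
{"time":"2022-11-14T10:02:11Z","type":"request","auth":{"display_name":"userpass-alice","policies":["default","redis_db_admin"]},"request":{"operation":"read","path":"secret/db/redis","remote_address":"10.0.0.5"}}
{"time":"2022-11-14T10:02:11Z","type":"response","auth":{"display_name":"userpass-alice","policies":["default","redis_db_admin"]},"request":{"operation":"read","path":"secret/db/redis","remote_address":"10.0.0.5"},"response":{}}
{"time":"2022-11-14T10:05:40Z","type":"request","auth":{"display_name":"approle-payments","policies":["default","payments-ro"]},"request":{"operation":"read","path":"secret/db/redis","remote_address":"10.0.1.9"}}
{"time":"2022-11-14T10:05:40Z","type":"response","auth":{"display_name":"approle-payments","policies":["default","payments-ro"]},"request":{"operation":"read","path":"secret/db/redis","remote_address":"10.0.1.9"},"error":"1 error occurred:\\n\\t* permission denied\\n\\n"}
{"time":"2022-11-14T10:07:03Z","type":"request","auth":{"display_name":"userpass-alice","policies":["default","redis_db_admin"]},"request":{"operation":"update","path":"secret/db/redis","remote_address":"10.0.0.5"}}
{"time":"2022-11-14T10:07:03Z","type":"response","auth":{"display_name":"userpass-alice","policies":["default","redis_db_admin"]},"request":{"operation":"update","path":"secret/db/redis","remote_address":"10.0.0.5"},"response":{}}
"""


def response_entries(text):
    """Yield only the 'response' entries: they carry the outcome (success or error)."""
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        entry = json.loads(line)
        if entry.get("type") == "response":
            yield entry


def summarize_access(text):
    """Return {secret path: {identity: [(time, operation, outcome), ...]}}.

    This is the view the traditional SCM approach cannot give: for each secret,
    which identity touched it, when, with which operation, and whether it succeeded.
    """
    summary = defaultdict(lambda: defaultdict(list))
    for entry in response_entries(text):
        who = entry.get("auth", {}).get("display_name", "<unknown>")
        req = entry.get("request", {})
        outcome = "denied" if entry.get("error") else "ok"
        summary[req.get("path")][who].append((entry["time"], req.get("operation"), outcome))
    return summary


def denied_attempts(text):
    """Requests Vault refused: a client asking for a secret its policies do not grant
    is worth alerting on, because it is either a misconfiguration or probing."""
    return [
        (entry["time"], entry["auth"]["display_name"], entry["request"]["path"])
        for entry in response_entries(text)
        if entry.get("error")
    ]


if __name__ == "__main__":
    for path, by_identity in summarize_access(SAMPLE_AUDIT_LOG).items():
        for identity, events in by_identity.items():
            print(path, identity, events)
    print("denied:", denied_attempts(SAMPLE_AUDIT_LOG))
```

Note that by default Vault HMACs request and response data (such as the secret values themselves) before writing the audit log, so the log tells you that alice read secret/db/redis at 10:02 without ever containing the Redis password; that is exactly the property the audit trail should have.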

Dynamic secrets:

HashiCorp Vault gives us the flexibility of using dynamic, short-lived secrets (30 days by default). These dynamic secrets do not exist until they are requested: they are created at the time they are read. So there is no risk of them being stolen beforehand, or of another client using the same secret.

Conclusion:

  • It supports dynamic secrets
  • It has audit logging
  • It has strict access control
  • Multi-platform integration support
  • Secure secret storage
  • Revocation mechanism

Would you like to try all these features yourself? Here is the link to the installation steps: Vault installation guide.
