AVIO Insights

Secrets Management with HashiCorp Vault

HashiCorp Vault is an excellent tool for secrets management. It’s ideal for storing sensitive configuration properties like API keys, encryption keys, and passwords. It offers automated yet secure access to data, making it the perfect place to store all your sensitive data.

In addition to the HashiCorp Vault Connector, AVIO offers the HashiCorp Vault Properties Provider, an easy and fast way to integrate HashiCorp Vault and the first step in your enterprise’s digital evolution.

This open-source tool achieves its high level of security by combining authentication methods like tokens to secret engines like simple keys/value pairs. It uses policies to control access and encrypts data by using key sources like libraries and cryptography modules.

To configure your vault, you can use any of a number of ways, including:

  • Spring Cloud Vault

  • Spring Boot

HashiCorp Vault Storage Backends

You can dynamically generate database credentials using HashiCorp Vault database secret backends. As a result, it would no longer be necessary for services that need database access to configure credentials. They would simply send a request for them from Vault.

HashiCorp Vault supports more than 15 storage backends. You choose the storage backend to use based on the type of vault deployment you are undertaking. If you want to quickly get started with HashiCorp Vault, In-memory and filesystem storage backends are excellent options. Other storage backend options would require an external service or server to start using them.

Management of Vault Secrets

You can use Vault to manage both static and dynamic secrets like usernames for remote resources/applications and provide access credentials for MongoDB, AWS, Apache Cassandra, MySQL, PostgreSQL, and other external services. Vault also offers users the option to use Vault secrets instead of password and username properties or similar properties like an AWS access key ID and secret access key.

It is a good idea to limit the extent to which your developers have access to secrets. This is because they could be tempted to find a decryption key. That said, every integration developer will have to work with secrets at some point.

From API keys to sensitive environment variables and database credentials. Some companies store secrets as encrypted values in a single private repository on Git. In such cases, one developer could be managing hundreds of secrets.

Most companies store their secrets in certain files with a particular project, but other times they’re stored separately in a repository. For business organizations that use private code repositories, it is not uncommon to find that they store their secrets unencrypted. In addition, the secrets will often be duplicated, making managing them a time-consuming undertaking.

For the most part, the properties files will contain sensitive data or information that is directly related to sensitive information. In most cases, they will have the necessary information to indirectly help someone with bad intentions find their way to the sensitive data that they need to wreak havoc.

New call-to-action

Authenticating with Vault

HashiCorp Vault adoption is often incremental. The first step involves moving your secrets into the vault so that can be securely stored and encrypted. The next step involves updating your applications’ behavior to make it possible for the secrets to be read from Vault.

Clients seeking to create a connection with Vault must complete the authentication process with vault and acquire a token. You can reduce the burden of managing Vault client tokens from distributed applications by using the Vault agent.

After completing the authentication process successfully, Vault clients can go ahead and interact with the vault. A good number of Vault users use the Consul Template to reduce the number of changes that would need to be introduced to their applications.

The authentication mechanisms available to users include AppRole, which requires all applications to provide a dynamically generated secret ID as well as a static role ID before being granted access to secrets. The authenticating service or machine is then given a set of policies that allow access and retrieval of the necessary secrets.

Secret IDs TTL

The secret IDs generated do not last forever. Instead, they have a certain time to live (TTL) before expiration. To read again from the vault once the TTL expires, services have to renew their secrets.

This need to renew secret IDs now and then grants Vault insights into how secrets are being used. In addition, the use of dynamic secrets gives access to particular systems that have a built-in lease without disclosing those systems’ credentials to the client.

On top of that, it is possible to revoke both the dynamic and authentication secrets at any time. This combination of features offers users unparalleled access control and gives them in-depth insights into secrets’ usage.

To integrate with Vault, you will need the following:

  • Vault CLI

  • Docker

  • Vault properties provider

Users can retrieve values from the vault using the Vault properties provider. First, you have to use this format to reference values from Vault:

${vault::<secret_engine_path>/<secret_path>.<field_name>}

 

When the application starts, properties will be loaded from the vault. Therefore, the application has to be started to retrieve the new values that the Vault will have generated.

Policies in Vault

In Vault, policies are what governs the behavior of instrument and clients RBAC (Role-Based Access Control), It does this by specifying the level of authorization (access privileges). Policies’ creation in Vault follows this basic workflow:

  • Gathering policy requirements

  • Writing policies

  • Testing the policies

To do this, you must ensure your Vault server is initialized and unsealed.

If you’re creating an admin policy, you will need to log in with root token. If not, you will need an array of permissions, including:

{  capabilities = ["create", "read", "update", "delete", "list", "sudo"] } to manage auth backends.

{ capabilities = ["create", "read", "update", "delete", "sudo"] } to create, list, update, and delete auth backends.

 {  capabilities = ["read"] } to list your policies.

AVIO has the expertise necessary to design for your business the perfect path to making the most of HashiCorp Vault for business acceleration. 

AVIO Consulting provides the formula to accelerate digital evolution and innovation. We offer thought leadership and proven practices for modern software development as well as a highly productive delivery team focused on enterprise integration with the MuleSoft platform.

New call-to-action

3 minute read