
Announcing Google Cloud Spanner as a Vault Storage Back End - petercooper
https://cloudplatform.googleblog.com/2018/02/announcing-Google-Cloud-Spanner-as-a-Vault-storage-backend.html
======
jlgaddis
Isn't Spanner outrageously expensive?

ISTR reading to basically avoid touching Spanner if you're just experimenting
or playing around, unless you are prepared to receive a very large bill
(something like ~$700/mo. just for the lowest-end setup).

~~~
puzzle
It's not outrageously expensive if you have hit the limits of Postgres or
MySQL or need multi-region replication, but yes, for small amounts of data
there's too much overhead from all the redundancy.

Using it for Vault makes more sense if you are already storing other, larger
amounts of data. Then the incremental cost is much smaller and more than worth
it.

~~~
qaq
A Spanner setup that will outperform PostgreSQL on a hefty x86 box will run
you close to 150-200K a month.

~~~
puzzle
A hefty box is a SPOF, so that's an apples to oranges comparison. How do you
upgrade that machine to a newer Postgres version?

~~~
qaq
You generally run at least 2 instances.

~~~
ec109685
No longer consistent.

~~~
qaq
?

~~~
ec109685
No longer consistent if you run two instances since a write may fail to
replicate after returning a success to the user.

~~~
qaq
PG has had synchronous replication since like 9.2.

~~~
ec109685
Then it isn't HA.
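The trade-off argued over in the last few replies (asynchronous replication can lose a write the client was already told succeeded; synchronous replication keeps the replica consistent but cannot commit while the replica is unreachable) is easy to see in a toy model. This is an added example written for this thread, not code from any commenter and not real PostgreSQL behaviour; the `Primary`/`Replica` classes and the key names are constructed.

```python
"""Toy model of a primary with one replica under asynchronous versus
synchronous replication. Constructed example; not PostgreSQL code."""


class Replica:
    """A standby that simply stores what the primary ships to it."""

    def __init__(self):
        self.data = {}
        self.up = True

    def apply(self, key, value):
        # Model a network partition or crashed standby.
        if not self.up:
            raise ConnectionError("replica unreachable")
        self.data[key] = value


class Primary:
    """A primary that acknowledges writes either after the replica has them
    (synchronous) or immediately, shipping them later (asynchronous)."""

    def __init__(self, replica, synchronous):
        self.data = {}
        self.replica = replica
        self.synchronous = synchronous
        self.pending = []  # acknowledged but not yet shipped (async only)

    def write(self, key, value):
        """Returns True once the client has been told 'committed'."""
        self.data[key] = value
        if self.synchronous:
            # Do not acknowledge until the replica confirms the write.
            # If the replica is down this raises: consistency kept, but the
            # primary alone cannot commit, which is the availability loss
            # raised above.
            self.replica.apply(key, value)
            return True
        # Asynchronous: acknowledge first, ship later.
        self.pending.append((key, value))
        return True

    def ship_pending(self):
        """Background shipping of acknowledged writes to the replica."""
        while self.pending:
            key, value = self.pending[0]
            self.replica.apply(key, value)
            self.pending.pop(0)


def async_write_survives_failover():
    """Async: client sees success, primary dies before shipping, replica is
    promoted. Returns whether the acknowledged write is still present."""
    replica = Replica()
    primary = Primary(replica, synchronous=False)
    primary.write("secret/db", "hunter2")  # acknowledged to the client
    # Primary crashes here; ship_pending() never runs; replica is promoted.
    promoted_data = replica.data
    return "secret/db" in promoted_data  # False: the write is gone


def sync_write_survives_failover():
    """Sync: the same scenario, but the replica holds the write by the time
    the client is acknowledged."""
    replica = Replica()
    primary = Primary(replica, synchronous=True)
    primary.write("secret/db", "hunter2")
    return replica.data.get("secret/db")  # "hunter2"


def sync_write_with_replica_down():
    """Sync: replica unreachable, so the primary cannot acknowledge at all."""
    replica = Replica()
    primary = Primary(replica, synchronous=True)
    replica.up = False
    try:
        primary.write("secret/db", "hunter2")
    except ConnectionError:
        return "refused"  # consistent, but the service is unavailable
    return "committed"


if __name__ == "__main__":
    print("async, acknowledged write survives failover:",
          async_write_survives_failover())
    print("sync, acknowledged write survives failover:",
          sync_write_survives_failover() == "hunter2")
    print("sync, replica down:", sync_write_with_replica_down())
```

The third function is the point of "Then it isn't HA": with a single synchronous standby, losing that standby stops commits on the primary, which is why tooling such as a failover manager is needed to turn the pair into something highly available.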

~~~
qaq
Patroni

------
seanieb
Some stellar marketing. GC should be offering Vault as a service. No one
should be running a critical service like this unless you have a team large
enough to support it. Frustratingly, AWS KMS + Credstash is as close to a
managed vault as is available right now.

~~~
krallja
Have you tried [https://azure.microsoft.com/en-us/services/key-vault/](https://azure.microsoft.com/en-us/services/key-vault/)?
I haven’t played with it much yet, but it seems to tick the boxes.

~~~
seanieb
Thanks! I'll check it out.

------
manojlds
Seth joining Google seems to be beneficial for both companies!

~~~
casey_lang
I had to do a double take on the author name. I didn't realize Seth had moved
but it certainly seems like a great fit.

------
paulfurtado
Does this remove the limitation that vault reads may only go through the
master on the non-enterprise vault version? The global replication is much
less useful if reads must go through a single server in a single region.

~~~
sethvargo
As of Vault 0.9.4, this is still the case. The leader services all read and
write responses. The Spanner backend does enable Vault to run in HA mode, but
only a single server will respond to requests.

If, in the future, Vault allows for multi-leader or at least read-only
followers to respond, the Spanner backend would support that. Unfortunately
this is a limitation in Vault's current architecture, and not something a new
storage backend can fix.
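For readers who want to see what the HA mode described in this reply looks like in a server configuration, here is an added example, not taken from the linked post or from the Vault project. The parameter names (`storage "spanner"`, `database`, `ha_enabled`) are the ones I recall from the Vault documentation for this backend; the project, instance, database and host names are placeholders, and `api_addr` is assumed to be the setting that standby nodes use to send clients to the active node. Verify both against the current Vault docs before use.

```hcl
# Added example: Vault server config using the Spanner storage backend with
# the HA lock enabled. All identifiers below are placeholders.
storage "spanner" {
  database   = "projects/PLACEHOLDER_PROJECT/instances/PLACEHOLDER_INSTANCE/databases/PLACEHOLDER_DB"
  ha_enabled = "true"
}

listener "tcp" {
  address       = "0.0.0.0:8200"
  tls_cert_file = "/etc/vault/PLACEHOLDER_cert.pem"
  tls_key_file  = "/etc/vault/PLACEHOLDER_key.pem"
}

# Assumed: address standby nodes hand to clients so they reach the active node.
api_addr = "https://vault-1.PLACEHOLDER.internal:8200"
```

Even with `ha_enabled` set, this only lets several Vault servers share the lock so one can take over if the active node dies; every read and write is still answered by the single active node, and standbys send clients there rather than serving from the Spanner replica nearest to them, which is the limitation the reply describes.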

