The project is nice, but I'm gonna have to stick with Vault as I like the flexibility of storage backends and not locked into AWS for enterprise-y apps that can't go to AWS.
How does Vault verify the identity of the host requesting access to the credentials? I didn't find anything in the documentation that would give me information pertaining to that.
It doesn't, at least not by itself. There are ways to make it work, though, if you're clever. We've got an internal daemon that watches for instance launches via SNS notifications (published to an SQS queue); the daemon then requests a bootstrap token from Vault on behalf of the new instance and passes it to the instance via another SQS queue.
The new instance then consumes the bootstrap token from the queue and exchanges it for whatever other tokens it has permission to obtain.
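The launch-notification handoff described in the comment above, as an added example that is not the commenter's code: an in-memory model in which `deque` stands in for the two SQS queues and a hypothetical `MiniVault` class stands in for Vault's token endpoint, cutting each bootstrap token bound to one instance id with a short TTL and a single use (modeled on Vault's `ttl` and `num_uses` token options). Because the instance id is self-asserted in this model, the single-use limit is the control that actually defeats a replay of the queue message.

```python
import secrets
import time
from collections import deque


class MiniVault:
    """Stand-in for Vault's token endpoint (hypothetical): each bootstrap token is
    bound to one instance id, expires after ttl seconds and allows num_uses exchanges."""

    def __init__(self):
        self._tokens = {}

    def create_bootstrap_token(self, instance_id, ttl=60, num_uses=1):
        token = "s." + secrets.token_hex(12)
        self._tokens[token] = {"instance": instance_id,
                               "expires": time.time() + ttl, "uses": num_uses}
        return token

    def exchange(self, token, instance_id):
        """Return an application token, or None if the bootstrap token is unknown,
        expired, already used up, or presented for a different instance id."""
        meta = self._tokens.get(token)
        if meta is None or time.time() > meta["expires"] or meta["instance"] != instance_id:
            return None
        meta["uses"] -= 1
        if meta["uses"] == 0:
            del self._tokens[token]  # single use: a replayed queue message is refused
        return f"app-token:{instance_id}:{secrets.token_hex(4)}"


def daemon_handle_launch(vault, launch_queue, bootstrap_queue):
    """Daemon side: consume one launch notification (SNS -> SQS in the real setup),
    request a bootstrap token for that instance and publish it on the bootstrap queue."""
    instance_id = launch_queue.popleft()["instance_id"]
    bootstrap_queue.append({"instance_id": instance_id,
                            "token": vault.create_bootstrap_token(instance_id)})


def instance_bootstrap(vault, bootstrap_queue, my_instance_id):
    """Instance side: consume the bootstrap message and exchange it for an app token."""
    msg = bootstrap_queue.popleft()
    return vault.exchange(msg["token"], my_instance_id)


def demo():
    vault, launch_q, boot_q = MiniVault(), deque(), deque()
    launch_q.append({"instance_id": "i-0123abcd"})          # constructed launch event
    daemon_handle_launch(vault, launch_q, boot_q)
    copied = dict(boot_q[0])        # a copy of the queue message seen by another reader
    other = vault.exchange(copied["token"], "i-other")        # wrong instance: refused
    mine = instance_bootstrap(vault, boot_q, "i-0123abcd")    # legitimate exchange
    replay = vault.exchange(copied["token"], "i-0123abcd")    # second use: refused
    return other, mine, replay
```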
This is also similar to Sneaker (https://github.com/codahale/sneaker), which is written in Go. It doesn't copy to other regions by default, but it's not hard to handle that on your own. This also uses KMS, but stores encrypted secrets in S3.
I prefer credstash (https://github.com/fugue/credstash), which uses KMS and stores encrypted values in DynamoDB. It has built-in Ansible support via lookups too!
Somewhat off-topic, but I read dcoker's username as docker at first and was fairly confused as to why docker was producing something like this just for AWS.