I'm using a fairly niche/small product to manage secrets at the moment but we're hitting scaling and response time problems for a globally distributed team.
We're already using AWS so we're tossing up using Secrets Manager instead and changing our tooling accordingly, but after starting down the path of using some of HashiCorp's other products I'm wondering how Vault will go too.
If your challenge is just storing static secrets (think key/value), Vault is probably overkill for you today. Secrets Manager will work fine, or even a smaller KMS-based solution or something. We're working on making Vault a LOT easier to get started with so this probably won't be true for long, but it's probably true today. But it is important to understand the tradeoffs of making these decisions.
The value of Vault is in the fact that it does so much more: dynamic secrets, automatic rotation, certificate management, encryption-as-a-service, etc. And that it integrates with so many systems: log in with AWS IAM, or K8S service principals, or OIDC (Google, GitHub, etc.). And it has a single policy and auditing system to back all this.
Usually Vault becomes VERY beneficial when you're juggling multiple "secret-like" solutions: diff password solution from key management from PKI etc etc OR you want to adopt more modern practices like dynamic credentials OR you want a way to centrally govern secret-like things.
Vault literally scales from solving the needs of a small team (static KV) to being used by some of the Fortune 10 to back their entire corporate secret, PKI, encryption, signing requirements in a centralized way. I think that's kind of neat.
Other than that, I have my GCP account credentials (in 1Password) and my terraform state in... terraform.
Is this a use case for Vault to consolidate? I guess I can't see how I would "outgrow" the above setup.
Thanks for all the great Hashicorp products! Terraform is incredible.
i.e. I would like to use the PKI from vault but the key of the CA has to live in an HSM.
https://learn.hashicorp.com/vault/operations/ops-seal-wrap is a guide linked at the bottom
And even though the rest is then in software (Vault) I still have the same FIPS level as the HSM?
Vault shines when you want more dynamic secrets - issuing IAM creds from other forms of auth, issuing dynamic SQL db users, even issuing TLS certificates.
Edit: damn, ninja'd
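As an added illustration of the "single policy system" point above (and of the dynamic DB users and TLS certificates the reply just before this one mentions), here is a Vault policy written for this thread, not taken from HashiCorp's docs or from any poster. It assumes a KV v2 engine mounted at `secret/`, a database engine at `database/` with a role `payments-ro`, and a PKI engine at `pki/` with a role `payments-svc`; the `payments` naming is invented for the example.

```hcl
# Added example policy (not from the thread): one Vault policy that covers
# the three "secret-like" uses discussed above: static KV, dynamic database
# credentials, and short-lived TLS certificates from the PKI engine.
# Mount names (secret/, database/, pki/) and role names (payments-ro,
# payments-svc) are assumptions for this example.

# Static key/value secrets (KV v2): read-only, and only under this app's prefix.
path "secret/data/payments/*" {
  capabilities = ["read"]
}
path "secret/metadata/payments/*" {
  capabilities = ["list"]
}

# Dynamic database credentials: each read issues a fresh, short-lived DB user
# that Vault revokes when the lease expires, so nothing long-lived is shared.
path "database/creds/payments-ro" {
  capabilities = ["read"]
}

# Short-lived TLS certificates from the PKI secrets engine (issue is a write).
path "pki/issue/payments-svc" {
  capabilities = ["update"]
}

# Let the workload renew its own token and leases, but nothing else.
path "auth/token/renew-self" {
  capabilities = ["update"]
}
path "sys/leases/renew" {
  capabilities = ["update"]
}

# Vault is default-deny, and an explicit deny beats any other grant, so this
# keeps the app out of another team's prefix even if a broader policy is
# attached to the same token later.
path "secret/data/admin/*" {
  capabilities = ["deny"]
}
```

The same policy is attached whichever auth method the workload logs in with (for instance an AWS IAM auth role, `vault write auth/aws/role/payments auth_type=iam bound_iam_principal_arn=<role ARN> policies=payments`, where `payments` is the example's policy name), and every request against these paths lands in the audit device log, which is the consolidation the reply above is describing.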
Even if you don’t require any of the more complex features (auto-rotation, transit encryption/signing etc) it gives you the option to build a roadmap towards getting there.
For anyone heavily using long-lived ACL tokens you will absolutely want to upgrade; there's a really, really nasty bug that was fixed in this release.
No judgement on its technical merits (frankly I don't know it that well), but there doesn't seem to be anyone incentivised to develop it any more.
(Here’s El Reg’s take: https://www.theregister.co.uk/2019/11/13/docker_enterprise_m...)