#vault (2021-06)

Discussions related to HashiCorp Vault


contact871

Hi, is there a way to validate key/values on the KV Secrets Engine? Via Vault itself or some plugin mechanism? Since I’m populating secrets to environment variables, I would like to disallow multi-line values and also have keys in specific format.


sandermol95

Greetings :wave:

I am hoping someone can help me pinpoint the exact use case for HashiCorp Vault. Some time ago I did some investigation on password managers, as we were sharing website (service) logins with each other, for example admin accounts. This might not be ideal, but I thought a shared vault would already be better than sharing it through something like Slack. It also would be less repetitive, as anyone (with the right privileges) could look at what is available in their shared vault…

On I went and found HashiCorp Vault. After some investigation I found out that Vault is not for company password management, but more for fetching credentials/secrets from service to service.

I was wondering why this was the case. I understand there are no toolsets like a browser extension that work with Vault, or that it is a little bit more cumbersome for non-techs to interact with it. But is the main principle still not the same as a K/V store? It would be convenient to use Vault both for service-to-service use and for any human interaction to share passwords/secrets.

Yonatan Koren (Codefresh)

Basically, the big difference between password managers + K/V stores and HashiCorp Vault is dynamic secrets. Imagine you have a database and you populate a K/V store with a username and password delegated to the backend services connecting to the database. Now, when it’s time to rotate the secret, you’re going to have to coordinate both revoking the old password and ensuring that the backend services use the said password and not the old ones.

Some services may be instrumented in a smart enough way that, if their ongoing session fails, they’ll try retrieving the password from the KV store again and creating a new session. Vault actually removes the need for instrumentation by abstracting the fetching part via intermediary layers such as Vault Agent or the Vault Agent Secrets Injector for Kubernetes.

You could also do something similar with AWS Parameter Store and leverage an underlying bridge between your orchestration platform and the secret store, namely the AWS Secrets Store CSI Driver.

Vault caters to huge enterprises in that it is cloud agnostic. So if you’re on both AWS and GCP, maybe it makes sense to invest in Vault rather than in both AWS Parameter Store and GCP Secret Manager.

This is a good blog post by one of the authors of Vault (and co-founders/co-CTOs of HashiCorp) detailing dynamic secrets: https://www.hashicorp.com/blog/why-we-need-dynamic-secrets

sandermol95

Thank you very much for this information.

sandermol95

One additional late question: do you think then that Vault could also cater to the use case of non-service-related shared credentials? Think about a login to a website. Or would something like this be better served with something like shared Bitwarden groups, as the UI can also be used by non-tech-savvy users?