Teams adopting dynamic, cloud-based infrastructure often run into security challenges: applying a zero trust model that prevents secrets sprawl, defending against data breaches, meeting compliance requirements, and doing all of that at scale across ephemeral, distributed, multi-cloud environments.
HashiCorp Vault addresses these needs by providing a central, secure place to store and manage the secrets (API keys, passwords, certificates, and so on) that applications need in order to talk to other applications and services. Its API-first design authenticates every request and grants access only to the resources the caller is authorized for.
To get secrets out of Vault, an application has to integrate with Vault's API. With a manual approach to that integration, your application developers must write, and keep maintaining, application code to:
- Authenticate to Vault
- Fetch and manage secrets from Vault (including renewing or re-acquiring tokens and leases before they expire)
For some Vault deployments this is not a problem and may even be preferred. If you have only a handful of applications, or you want strict, customized control over how each application interacts with Vault, the overhead of maintaining that code, and of keeping someone on each application team trained on Vault and on that code, may be acceptable.
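To make "that code" concrete, here is an added example of what a hand-rolled integration has to carry: an AppRole login, a KV v2 read, token renewal before the TTL runs out, and a fresh login when renewal is refused or the token is revoked. This is illustrative code written for this page, not code from the original post or from HashiCorp. The HTTP paths (`auth/approle/login`, `auth/token/renew-self`, `<mount>/data/<path>`) are Vault's real API endpoints; the address, the role and secret IDs, the `secret/app/db` secret and the in-memory `FakeVault` stand-in are constructed so the demo runs offline.

```python
import json
import time
import urllib.error
import urllib.request


def urllib_transport(method, url, headers, body):
    """Real HTTP transport: returns (status, parsed JSON). Not used by the offline demo."""
    data = json.dumps(body).encode() if body is not None else None
    req = urllib.request.Request(url, data=data, method=method,
                                 headers={**headers, "Content-Type": "application/json"})
    try:
        with urllib.request.urlopen(req, timeout=5) as resp:
            return resp.status, json.loads(resp.read() or b"{}")
    except urllib.error.HTTPError as err:
        return err.code, json.loads(err.read() or b"{}")


class VaultClient:
    """Hand-rolled Vault integration: AppRole login, token lifecycle, KV v2 reads."""

    def __init__(self, addr, role_id, secret_id, transport=urllib_transport, clock=time.monotonic):
        self.addr, self.role_id, self.secret_id = addr.rstrip("/"), role_id, secret_id
        self.transport, self.clock = transport, clock
        self.token, self.ttl, self.expires_at, self.renewable = None, 0, 0.0, False

    def _call(self, method, path, body=None, auth=True):
        headers = {"X-Vault-Token": self.token} if auth and self.token else {}
        return self.transport(method, f"{self.addr}/v1/{path}", headers, body)

    def _adopt(self, auth):  # record a token plus its TTL from a login/renew response
        self.token, self.ttl = auth["client_token"], auth["lease_duration"]
        self.renewable, self.expires_at = auth.get("renewable", False), self.clock() + self.ttl

    def login(self):
        status, resp = self._call("POST", "auth/approle/login",
                                  {"role_id": self.role_id, "secret_id": self.secret_id}, auth=False)
        if status != 200:
            raise RuntimeError(f"AppRole login failed: {status} {resp.get('errors')}")
        self._adopt(resp["auth"])
        return self.token

    def ensure_token(self, margin=0.25):
        """Renew once less than `margin` of the TTL is left; fall back to a fresh login."""
        if self.token is None:
            return self.login()
        if self.expires_at - self.clock() > self.ttl * margin:
            return self.token
        if self.renewable:
            status, resp = self._call("POST", "auth/token/renew-self")
            if status == 200:
                self._adopt(resp["auth"])
                return self.token
        return self.login()  # expired, revoked or max TTL reached: start over

    def read_kv2(self, mount, path):
        """Read the current version of a KV v2 secret, re-authenticating once on 403."""
        self.ensure_token()
        status, resp = self._call("GET", f"{mount}/data/{path}")
        if status == 403:  # token revoked out from under us (or a real policy denial)
            self.login()
            status, resp = self._call("GET", f"{mount}/data/{path}")
        if status != 200:
            raise RuntimeError(f"read {mount}/{path} failed: {status} {resp.get('errors')}")
        return resp["data"]["data"]


class FakeVault:
    """Constructed in-memory stand-in for a Vault server (not real Vault) so the demo runs offline."""
    TTL = 60  # seconds; constructed

    def __init__(self, clock):
        self.clock = clock
        self.role_id, self.secret_id = "demo-role-id", "demo-secret-id"  # constructed credentials
        self.secrets = {"secret/data/app/db": {"username": "app", "password": "s3cr3t"}}  # constructed
        self.tokens, self.logins, self.renewals = {}, 0, 0

    def _issue(self, token):
        self.tokens[token] = self.clock() + self.TTL
        return {"auth": {"client_token": token, "lease_duration": self.TTL, "renewable": True}}

    def __call__(self, method, url, headers, body):
        path = url.split("/v1/", 1)[1]
        if method == "POST" and path == "auth/approle/login":
            if body != {"role_id": self.role_id, "secret_id": self.secret_id}:
                return 400, {"errors": ["invalid role or secret ID"]}
            self.logins += 1
            return 200, self._issue(f"hvs.fake{self.logins}")
        token = headers.get("X-Vault-Token")
        if self.tokens.get(token, 0) <= self.clock():  # unknown or expired token
            return 403, {"errors": ["permission denied"]}
        if method == "POST" and path == "auth/token/renew-self":
            self.renewals += 1
            return 200, self._issue(token)
        if method == "GET" and path in self.secrets:
            return 200, {"data": {"data": self.secrets[path], "metadata": {"version": 1}}}
        return 404, {"errors": []}


def demo():
    """Drive the client with a manual clock: login, renew near expiry, re-login after expiry."""
    now = [0.0]

    def clock():
        return now[0]
    vault = FakeVault(clock)
    client = VaultClient("http://127.0.0.1:8200", vault.role_id, vault.secret_id, transport=vault, clock=clock)
    first = client.read_kv2("secret", "app/db")  # fresh login, then read
    now[0] += 50                                 # 10 s of a 60 s TTL left (< 25 %): renew before reading
    client.read_kv2("secret", "app/db")
    now[0] += 100                                # token expired: renew-self is refused, so a new login happens
    third = client.read_kv2("secret", "app/db")
    assert first == third
    return {"secret": first, "logins": vault.logins, "renewals": vault.renewals}
```

Even this minimal version has to track TTLs, decide when to renew, recover from a refused renewal and from a revoked token, and handle credential delivery (the role and secret IDs still have to reach the process somehow). Every application that integrates by hand repeats that logic, and every bug in it is a potential outage or a leaked credential.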
In other situations, typically in large enterprises, updating every application's code base can be a monumental task or simply a non-starter, for several reasons:
- If your organization has hundreds or thousands of applications, you may not have the time, resources, or expertise to add and maintain Vault integration code in every one of them.
- Your organization may not allow the teams deploying some applications to add Vault integration code, or to change the application at all; some legacy applications are too brittle to risk modifying.
- The applications (the secrets consumers) and the systems that produce secrets (the secrets originators) are often owned by different teams, which makes coordinating the maintenance of Vault integration code into a clean workflow difficult.
- Some teams deploy third-party applications that the organization does not own, so adding Vault integration code is not possible.
For those situations, we recommend a simpler and far more scalable approach: Vault Agent, a client-side daemon that authenticates to Vault and retrieves secrets on the application's behalf, so the application itself carries no Vault integration code.