Is it worth it?
Every web application has some secrets. By secrets, I mean sensitive values the application requires to work correctly, such as API keys, security credentials, encryption keys, certificates, or any other sensitive data.
Secrets need to be stored securely – putting them directly into the code is just wrong! There’s also a set of standard features around secrets management: rotation, permissions, and access logs. That’s why a new software product category emerged during the last few years. The secrets management space includes tools like Hashicorp Vault, AWS Secrets Manager, Azure Key Vault, and SaaS solutions like CyberArk.
Hashicorp Vault seems to present itself as an industry leader. Let’s check if it’s the right choice for you.
I will compare Hashicorp Vault & AWS Secrets Manager to serve as an example of how such solutions may differ.
The good parts
Hashicorp Vault is offered in 3 pricing models:
- OpenSource – a self-managed, always free version;
- Cloud – managed version, hosted on AWS, although support for Azure is already in beta;
- Enterprise – offers additional features and advanced deployment options.
Many of the points below follow from the fact that Vault is, first of all, a product you run yourself.
Vault gives you more flexibility in terms of deployment than cloud providers’ solutions. It’s a cloud-agnostic solution that can be used in multi-cloud/hybrid-cloud configurations. It can also be deployed on-premises.
Vault ships with a large catalogue of secrets engines and auth methods covering most common technologies, and both are plugin interfaces, so a custom engine or auth method can be written (in Go) when the built-in ones don’t fit. Generally, if something is missing in the Vault ecosystem, you should be able to deliver it on your own.
Feature richness is where Vault really stands out. If you need a given feature in the secrets management space, Vault probably has it. Let’s look at the most important ones:
- All major authentication methods and optional MFA;
- Granular, path-based policies – that’s what I was missing a lot in AWS Secrets Manager;
- Dynamic secrets (e.g., database or cloud credentials generated on demand) with configurable TTL;
- Secrets rotation;
- Response wrapping for one-time, single-use handover of a secret (e.g., to a contractor);
- Audit devices – for logging every request and response, including who accessed which secret;
- Tokenization for sensitive data like credit card numbers (Enterprise feature);
- Encryption as a Service (the Transit secrets engine);
- Highly configurable access rules based on request metadata (e.g., only allow access to a set of secrets from 9 AM – 5 PM if requests come from 192.168.1.0/24);
- Control Group authorization – only allows access to secrets after N approvals (Enterprise feature);
- Managed via the API, CLI, or web UI.
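The granular, path-based policies mentioned above are easiest to understand from a concrete policy. The following is an added example written for this article, not code from the original post or from HashiCorp; the mount names (`secret/`, `database/`, `transit/`), the team name `payments`, and the role and key names are assumptions chosen for illustration.

```hcl
# Added example (not from the original post): a Vault ACL policy in HCL.
# Mount names, the "payments" team and the role/key names are assumptions.

# KV v2 secrets engine mounted at "secret/": secret data lives under data/,
# metadata under metadata/. Read-only access to everything below
# secret/data/payments/, plus "list" on metadata so the CLI and UI can browse.
path "secret/data/payments/*" {
  capabilities = ["read"]
}
path "secret/metadata/payments/*" {
  capabilities = ["list"]
}

# An explicit deny wins over any other policy attached to the same token,
# so a second policy granting "read" on secret/data/payments/prod/* cannot
# re-open this path.
path "secret/data/payments/prod/*" {
  capabilities = ["deny"]
}

# Templated path: every entity gets a private area named after itself,
# without writing one policy per user.
path "secret/data/users/{{identity.entity.name}}/*" {
  capabilities = ["create", "read", "update", "delete", "list"]
}

# Dynamic secrets: allow obtaining short-lived database credentials for a
# single role. The role and connection configuration under database/config
# and database/roles is not granted, so the holder cannot widen its own access.
path "database/creds/payments-readonly" {
  capabilities = ["read"]
}

# Encryption as a Service: this principal may encrypt with the "orders" key
# but not decrypt. Split the two rights between producers and consumers of
# the ciphertext instead of handing out the key itself.
path "transit/encrypt/orders" {
  capabilities = ["update"]
}

# Let the holder renew the leases it obtained (e.g., the database creds above).
path "sys/leases/renew" {
  capabilities = ["update"]
}
```

Attach the policy to an auth role or entity rather than to individual tokens; tokens issued through that auth method then carry exactly this set of capabilities, and the audit device records every path they touch.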
Scalability and High availability
They require configuration, but scalability and high availability are another strong point of Vault. You can set up cross-datacenter, cross-region, or even cross-cloud replication (performance and disaster-recovery replication are Enterprise features; the open-source version still gives you HA within a cluster).
Using mount filters, you can restrict which secrets engines are replicated to a given cluster, so data does not leave a region where it must stay – great for GDPR use cases.
The not-so-good parts
Higher total cost of ownership for small deployments
Vault is open source, but running it is not free. First, you have to take a look at the total cost of ownership:
- You need the computing resources to run the service – that’s not free.
- You need to spend time debugging and fixing the service when it breaks – that’s not free.
- You need to spend time managing the product lifecycle, upgrading, and patching – that’s not free.
You can also check the managed cloud pricing model offered by HashiCorp. This approach charges you by the hour for one of a few cluster tiers (at the time of writing, Development – about $26/month, Starter/Small – about $440/month).
To check the Vault pricing details, visit: https://cloud.hashicorp.com/products/vault/pricing
Conversely, AWS Secrets Manager charges you $0.40/month per secret plus $0.05 per 10,000 API calls – this can grow to significant numbers in large organizations, but it’s much cheaper for lower-scale usage.
Higher entry barrier
Hashicorp Vault is a powerful but complex tool. It has a much higher entry barrier than AWS Secrets Manager. To use Vault efficiently, you need to know its architecture, its concepts (seal/unseal, “everything in Vault is path-based”), and its basic building blocks: secrets engines, tokens, authentication methods, policies, storage backends and plugins.
HashiCorp also offers certifications that can help you gain and confirm your Vault knowledge.
As you can see, there’s a lot to learn. Of course, you can start simply, but to run Vault in production, you need a certain level of confidence with the tool and decent knowledge of it.
More configuration required upfront
Apart from knowing how to use the tool in production, you must also understand how to configure it. For example, you need to configure high availability, take care of the seal/unseal mechanism (ideally with auto-unseal backed by a KMS or HSM), enable audit devices, set up storage backups, and prepare disaster recovery plans.
Vault Managed Cloud reduces the complexity in that area, but it’s still more complex than just using AWS Secrets Manager.
Keep in mind that an incorrect configuration can either reveal secrets to bad actors or lose them completely (for example, when unseal keys or storage are gone). Both scenarios can have harmful consequences.
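To make the “configuration required upfront” point concrete, here is an added example of a production-style server configuration, placed next to the shortcuts that tend to survive from a quick local setup. It is written for this article, not taken from the original post or from HashiCorp’s documentation; the hostnames, file paths, KMS key alias and AWS region are placeholders.

```hcl
# Added example (not from the original post). Hostnames, paths, the KMS key
# alias and the region are placeholders.

# --- Settings from tutorials that must NOT reach production -------------
# listener "tcp" {
#   address     = "0.0.0.0:8200"
#   tls_disable = 1           # tokens and secrets cross the wire in plaintext
# }
# storage "file" {
#   path = "/opt/vault/data"  # single node: no HA, and one disk failure away
# }                           # from losing every secret
# (no "seal" stanza: someone has to type unseal key shares after each restart)

# --- Hardened configuration ---------------------------------------------
ui = true

# Integrated storage (Raft) gives HA and replication without an external
# backend. Each node needs a unique node_id; retry_join lets a restarted
# node find the cluster on its own.
storage "raft" {
  path    = "/opt/vault/data"
  node_id = "vault-1"

  retry_join {
    leader_api_addr = "https://vault-2.example.internal:8200"
  }
  retry_join {
    leader_api_addr = "https://vault-3.example.internal:8200"
  }
}

# API listener with TLS (the default when tls_disable is not set) and an
# explicit minimum protocol version.
listener "tcp" {
  address         = "0.0.0.0:8200"
  tls_cert_file   = "/etc/vault/tls/vault.crt"
  tls_key_file    = "/etc/vault/tls/vault.key"
  tls_min_version = "tls12"
}

# Auto-unseal: the root key is protected by AWS KMS, so nodes unseal
# themselves on restart instead of depending on operators holding Shamir
# shares. The recovery keys generated at init still have to be stored
# safely; they are part of the disaster recovery plan.
seal "awskms" {
  region     = "eu-west-1"            # placeholder
  kms_key_id = "alias/vault-unseal"   # placeholder
}

api_addr     = "https://vault-1.example.internal:8200"
cluster_addr = "https://vault-1.example.internal:8201"

# With integrated storage HashiCorp recommends disabling mlock and instead
# turning swap off at the OS level, so that secrets are never paged to disk.
disable_mlock = true
```

Two things this file does not cover, and that still have to be done after the first `vault operator init`: enabling at least one audit device (otherwise there is no record of who read what), and scheduling Raft snapshots to a location that survives the loss of the cluster.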
Is it worth it?
Suppose you have advanced requirements around secrets management, you are impressed by the Vault features, and most importantly, you are ready to invest in the Vault configuration and maintenance. In that case, it seems like the perfect choice for you.
On the other hand, if you only need a basic key-value secrets store, and simple policies and auditing are enough for you, there may be better choices than Vault.
If you don’t have any specific need right now and are just looking for an exciting technology to explore, I strongly recommend Vault. It’s an amazing tool, definitely worth investigating.