What is HashiCorp Vault, and why should you care if you are a developer?

Basitha Gamage
3 min read · Feb 12, 2022

Storing Sensitive Credentials

Let’s say you are a developer working on a project with a database as the backend, and your frontend application needs to authenticate to that database every time it reads, writes or updates data. How would you store the database credentials? Most of the time, developers store them as environment variables or hardcode them in the source. Both are insecure ways to handle sensitive data: if a malicious user gains access to the code repository (or to the host’s environment), they can take the credentials, connect to the database directly and steal its contents, and nothing will expire or revoke their access until somebody notices and rotates the password by hand.

What if?

What if there were a better way to store the sensitive credentials your project needs? Let’s expand on the example above. Assuming your application runs on an AWS EC2 instance, it can use Vault’s AWS auth method to authenticate to Vault. With the IAM variant of that method the application signs a request using the credentials of the instance’s IAM role, which it obtains from the instance metadata service, so no long-lived access key and secret key need to be stored with the application at all; Vault verifies the signature against AWS STS and checks that the calling IAM principal matches the role you configured. When configuring that role you can also restrict it to specific CIDR block(s), so login attempts and token use from IP addresses outside that range are rejected. Once authenticated, the frontend application requests credentials for the database. Vault generates these on the fly with its Database secrets engine: a fresh database account with a random password, holding only the privileges you defined in the role, which Vault revokes automatically when its lease expires. Prefer dynamically generated secrets wherever it is possible to use them. The frontend application then authenticates to the database and performs whatever actions the generated account is authorised to perform. Nothing long-lived is left in the repository, the environment or the machine image, and a leaked credential is only useful until its lease runs out.

What is HashiCorp Vault?

Vault is a secrets and encryption management system. You can store secrets, dynamically generate secrets with specific privileges and a limited lifetime, and encrypt data before storing it (the Transit secrets engine offers encryption as a service, so the application never handles the encryption key itself).

Authentication:

A Vault user, or an application, authenticates with one of the provided auth methods such as LDAP, JWT, AWS, Azure or GCP. On successful authentication Vault issues a token that carries the policies attached to that identity. Policies are what grant privileges: a token may perform specific actions, such as reading a stored secret or requesting a dynamically generated one, only on the paths its policies allow, and anything not explicitly allowed is denied by default.

Secrets engine:

Secrets engines store, generate or encrypt data. For example, the Key/Value secrets engine stores static secrets that you write into it, while the AWS secrets engine dynamically generates short-lived AWS credentials scoped to the IAM permissions you define in a role and revokes them when their lease expires.
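Putting the workflow from the “What if?” section together with the authentication and secrets-engine concepts above, the following is an added example written for this page, not code from the original article or from HashiCorp. It assumes a Vault server that an EC2 instance with an IAM instance profile can reach, and a PostgreSQL database that Vault can reach with an admin account allowed to create roles; the role names, account ARN, CIDR, hostnames and the `vault_admin` bootstrap account are hypothetical placeholders.

```shell
# Added example for this article (not the author's or HashiCorp's code): the
# "frontend on EC2 -> Vault -> dynamic database credentials" workflow with the
# Vault CLI. Every name below is a hypothetical placeholder for your own values.
set -eu

VAULT_ROLE="frontend-app"                 # Vault AWS auth role (hypothetical)
DB_ROLE="frontend-readwrite"              # Vault database role (hypothetical)
INSTANCE_ROLE_ARN="arn:aws:iam::123456789012:role/frontend-app"  # IAM role on the EC2 instance (hypothetical)
APP_CIDR="10.0.1.0/24"                    # subnet the frontend instances live in (hypothetical)
VAULT_SERVER_ID="vault.example.internal"  # ties signed login requests to this Vault (hypothetical)

# Policy granting exactly one capability: read dynamic credentials for one database role.
db_policy_hcl() {
  cat <<EOF
path "database/creds/$1" {
  capabilities = ["read"]
}
EOF
}

# Operator side: run once, with a token that may configure auth methods and secrets engines.
configure_vault() {
  # 1. AWS IAM auth: only the frontend instance role, from the frontend subnet, may log in,
  #    and the resulting token is bound to that subnet as well.
  vault auth enable aws
  vault write auth/aws/config/client iam_server_id_header_value="$VAULT_SERVER_ID"
  vault write "auth/aws/role/$VAULT_ROLE" \
    auth_type=iam \
    bound_iam_principal_arn="$INSTANCE_ROLE_ARN" \
    token_bound_cidrs="$APP_CIDR" \
    token_policies="frontend-db" \
    token_ttl=1h token_max_ttl=4h

  # 2. Database secrets engine: Vault holds the admin account and mints a user per lease.
  vault secrets enable database
  vault write database/config/app-postgres \
    plugin_name=postgresql-database-plugin \
    allowed_roles="$DB_ROLE" \
    connection_url="postgresql://{{username}}:{{password}}@db.internal:5432/app?sslmode=verify-full" \
    username="vault_admin" \
    password="bootstrap-password-replaced-by-rotate-root"
  # Rotate the admin password immediately so that only Vault knows it from now on.
  vault write -f database/rotate-root/app-postgres

  # Each generated account expires on its own (VALID UNTIL) and Vault drops it at lease end.
  vault write "database/roles/$DB_ROLE" \
    db_name=app-postgres \
    creation_statements="CREATE ROLE \"{{name}}\" WITH LOGIN PASSWORD '{{password}}' VALID UNTIL '{{expiration}}'; GRANT SELECT, INSERT, UPDATE ON ALL TABLES IN SCHEMA public TO \"{{name}}\";" \
    default_ttl=1h max_ttl=24h

  # 3. Policy: the instance's token can do nothing except read this one credentials path.
  db_policy_hcl "$DB_ROLE" | vault policy write frontend-db -
}

# Application side: runs on the EC2 instance. No access key is stored anywhere; the CLI
# signs sts:GetCallerIdentity with the instance profile credentials from the metadata
# service, and the header value stops the signed request being replayed to another Vault.
fetch_db_credentials() {
  vault login -method=aws role="$VAULT_ROLE" header_value="$VAULT_SERVER_ID" >/dev/null
  vault read -format=json "database/creds/$DB_ROLE"   # username, password, lease_id, lease_duration
}

# Guarded so the file can be sourced for its functions without touching a live Vault.
if [ "${RUN_VAULT_DEMO:-0}" = "1" ]; then
  configure_vault
  fetch_db_credentials
fi
```

`configure_vault` is the operator’s one-off setup; `fetch_db_credentials` is what the instance does on start-up. In a real deployment the application would use Vault Agent or a client library rather than the CLI, so that the token is never written to disk and the database lease is renewed or re-requested before it expires. The property worth noticing is that the only long-lived credential in the picture, the database admin password, is held by Vault alone after `rotate-root`; everything the application ever sees is scoped, time-limited and revocable.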

If you want to learn more

I’m not going to explain all the features and services Vault offers; that is not the intended purpose of this article. I want to make people aware of Vault and show them that they can use Vault’s features to improve their organisation’s security posture.

Let’s build development workflows and applications with a better security posture.

If I’ve managed to spark your interest in Vault, you can visit the HashiCorp Vault website to learn more about it.

Coming in the future!

If I piqued your interest, please keep an eye on this space. I will publish more articles explaining Vault architecture, authentication and secrets engines over the coming weeks.

Basitha Gamage

A Digital Engineering Consultant in the making. Absolutely fascinated by cloud computing and what technology holds for us in the future.