Secrets and Access Key Management
Secure your environment with a secrets manager. Make sure that your secrets are locked up, easily rotated, and managed through RBAC with Vault!
What are secrets, access keys, tokens, etc. in the developer world?
Secrets are generally pieces of information that are used to gain access into a system. Whether it be to login into a console, connect to an AWS account, API Tokens, SSH key pairs, TLS certificates, and even database credentials.
These secrets are generally used by two types of users, humans and system users. For instance my username and password to sign in to an AWS account can be managed through HCP Vault, but also the keys needed for a web application to communicate with a backend database can be managed through Vault as well. Another example is the credentials Terraform needs to provision infrastructure on AWS.
Why do they need to be managed?
Through the explanation and examples provided you may have gathered that these secrets must remain secret! In the event these keys fall into the hands of a bad actor, financial and personal damage can be done to an application and the users of that app. There can also be reputational damage after a data breach and potentially legal implications to the company/organization not securing these secrets. Securing them is of paramount importance which is where Vault comes in.
Normally you can find secrets stored locally on an engineer's computer, a shared password document, CICD pipeline environment variables, OS environment variables, or the worst way which is hardcoded into the application. This is called Secret Sprawl, where all secrets are scattered across the environment and difficult to track. It causes issues where you cannot manage who has access to secrets, the places where the secrets are stored are unknown, and the activity surrounding the access of those secrets is not tracked. Managing secrets in a centralized and secured location resolves all of these issues.
Another issue is what happens when a secret is leaked or exposed? The standard procedure would be to delete the old key and create a new one and to update the references of that key across the whole environment wherever it was used. Most of the previous methods that I have mentioned do not offer an intuitive way of executing this rotation of secrets.
There must be a way to replace the manual process of rotating secrets and update all components that rely on the secret simultaneously. That is where tools like AWS Secrets Manager, Azure Key Vault, GCP Secret Manager, and HCP Vault come in.
What does Vault offer?
Vault centralizes the management and acts a secure storage solution through encryption of these secrets. It offers encryption at rest and in transit. It also allows for access control which manages what user can access which secret. With all the different users and platforms accessing secrets, Vault provides auditing so that admins can track which user used which secret and at what time.
Dynamic secrets is another feature offered by Vault where it can destroy credentials when validity periods expire and create secrets dynamically on demand. This decreases the exposure when secrets are leaked since they will have changed by the time someone would have seen them.
Vault can also encrypt databases. This is beneficial when a database stores valuable information such as PII. It is a very versatile tool for securing virtually all kinds of data.
Final Product: Secure Secrets
HashiCorp Vault and other secret management tools are essential for any organization or team managing heavily accessed and sensitive data. Using a tool like Vault saves teams plenty of people from having their applications hacked or sensitive data leaked due to human or process error. Constantly changing secrets and managing the fine-grained permissions of who can access them ensures an organization and their client's safety which protects from financial loss and potential litigation.
Thanks for reading!