Today at HashiDays, HashiCorp launched the public beta for a new offering on the HashiCorp Cloud Platform: HCP Vault Secrets. HCP Vault Secrets is a new Software-as-a-Service (SaaS) offering of HashiCorp Vault that focuses primarily on secrets management, enables users to onboard quickly, and is free to get started.
In this post, we’ll look at the customer feedback that led to the creation of HCP Vault Secrets and we’ll cover some of its unique features and differences compared to HCP Vault.
Remediate secret sprawl quickly
As organizations have grown their usage of cloud and SaaS services, they face new challenges around managing security. In dynamic environments, there are more systems to manage, more endpoints to monitor, more networks to connect, and more people who need access. The potential for a breach increases significantly — making the need to adopt the right security posture while maintaining development agility even more important.
HashiCorp heard from their customers that secret sprawl and improving security posture while still maintaining developer agility are the biggest challenges they are facing. Different teams end up using different tools to store and manage secrets across multiple environments, creating challenges around common access management, remediating leaked secrets quickly, and not having a unified view of the secret lifecycle.
They created HCP Vault Secrets as a SaaS service to enable development teams to centralize their secrets management and set up a unified view of their secrets and applications in minutes, while still maintaining their development workflows with their existing cloud secrets managers, CI systems, and deployment services. HCP Vault Secrets is focused solely on secrets management, allowing centralized platform engineering teams to focus on strengthening their secrets management security posture without compromising on development agility.
HCP Vault Secrets offers both a pull model and a push model for getting secrets into the development workflow. With the push model, platform teams set up secret synchronization from HCP Vault Secrets to the stores teams already use, and application development teams continue iterating with their existing workflows without major interruptions. With the pull model, development teams inject application secrets into their local application deployment workflows, ensuring all secrets, including local development secrets, are centralized in HCP Vault Secrets.
HCP Vault Secrets sharpens the focus on secrets management
HCP Vault Secrets is a managed Vault offering focusing on secrets management for developers across three key areas:
- Centralizing secrets
- Syncing secrets
- Developer flexibility
HCP Vault Secrets centralizes secrets lifecycle management into one place, so users can eliminate context switching between multiple secrets management applications. We are introducing a new domain model with the concept of applications that are used to logically group secrets. This structure allows organizations to intuitively map their secrets within HCP Vault Secrets as well as easily scale the growth of secrets while not compromising on the discoverability of secrets.
With secrets sync, users can synchronize secrets when and where they need them and continually sync secrets from HCP Vault Secrets to external secrets managers like AWS Secrets Manager so they are always up to date. HCP Vault Secrets will initially integrate with AWS Secrets Manager, with more integrations planned for later in the public beta period.
HashiCorp built HCP Vault Secrets to prioritize developer flexibility. With HCP Vault Secrets, developers can fetch secrets from any interface (CLI, TF, API, or UI), inject secrets into applications at runtime without code changes, and use the native HCP authentication methods across all interfaces.
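To make the push and pull models, the versioned sync to an external secrets manager, and runtime injection without code changes concrete, here is an added illustration in Python. It is not HCP Vault Secrets code and does not call the HCP API: CentralStore, ExternalStore, push_sync and run_with_secrets are hypothetical stand-ins, and all secret values are constructed sample data. Push sync writes only secrets whose version changed; the pull wrapper fetches an application's secrets and places them in a child process's environment only, so nothing lands on disk or in the parent shell.

```python
"""Toy model of the push and pull patterns for a centralized secrets store.

Added illustration only: the classes and functions below are hypothetical
stand-ins, not HCP Vault Secrets' API.
"""
import os
import subprocess
import sys
from dataclasses import dataclass, field


@dataclass
class Secret:
    value: str
    version: int


@dataclass
class CentralStore:
    """Stand-in for the central store: secrets are grouped by application."""
    apps: dict = field(default_factory=dict)  # app name -> secret name -> Secret

    def put(self, app: str, name: str, value: str) -> int:
        """Store a new value; each write bumps the secret's version."""
        current = self.apps.setdefault(app, {}).get(name)
        version = 1 if current is None else current.version + 1
        self.apps[app][name] = Secret(value, version)
        return version

    def get_app(self, app: str) -> dict:
        return dict(self.apps.get(app, {}))


@dataclass
class ExternalStore:
    """Stand-in for an external secrets manager that receives pushed copies."""
    secrets: dict = field(default_factory=dict)  # secret name -> Secret


def push_sync(central: CentralStore, app: str, external: ExternalStore) -> list:
    """Push model: copy `app`'s secrets into the external store.

    Only secrets whose version differs from the external copy are written,
    so repeated syncs are cheap and a changed version is propagated at once.
    Returns the sorted names of secrets that were written.
    """
    updated = []
    for name, secret in central.get_app(app).items():
        existing = external.secrets.get(name)
        if existing is None or existing.version != secret.version:
            external.secrets[name] = Secret(secret.value, secret.version)
            updated.append(name)
    return sorted(updated)


def run_with_secrets(central: CentralStore, app: str, argv: list) -> str:
    """Pull model: fetch `app`'s secrets and expose them as environment
    variables to one child process only. The application reads plain
    environment variables, so it needs no code change; the parent process's
    environment is left untouched and nothing is written to disk.
    """
    env = dict(os.environ)
    for name, secret in central.get_app(app).items():
        env[name] = secret.value
    proc = subprocess.run(argv, env=env, capture_output=True, text=True, check=True)
    return proc.stdout.strip()


def echo_env_argv(name: str) -> list:
    """Command line for a child process that prints one environment variable."""
    return [sys.executable, "-c", f"import os; print(os.environ['{name}'])"]


def demo() -> dict:
    """Run both models against constructed sample secrets and return results."""
    central = CentralStore()
    external = ExternalStore()
    central.put("payments", "DB_PASSWORD", "constructed-sample-v1")
    first = push_sync(central, "payments", external)
    second = push_sync(central, "payments", external)  # nothing changed
    central.put("payments", "DB_PASSWORD", "constructed-sample-v2")  # rotation
    third = push_sync(central, "payments", external)
    child_saw = run_with_secrets(central, "payments", echo_env_argv("DB_PASSWORD"))
    return {
        "first_sync": first,
        "second_sync": second,
        "after_rotation": third,
        "external_value": external.secrets["DB_PASSWORD"].value,
        "child_saw": child_saw,
        "leaked_to_parent": "DB_PASSWORD" in os.environ,
    }


if __name__ == "__main__":
    print(demo())
```

The rotation step is the part worth watching: after the central value changes, the next push sync rewrites the external copy, and a pull-model run immediately sees the new value, while the parent process never holds the secret in its own environment.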
Centralized secrets lifecycle management
The centralized secrets lifecycle management enabled by HCP Vault Secrets lets developers:
- Increase security across clouds and machines: Reduce the risk of breaches by centralizing where secrets are stored and reducing the context switching between multiple solutions that can lead to human error.
- Increase productivity: Development teams can improve their security posture without expending additional time and effort.
- Enhance visibility of secrets activity across teams: Get insight into when secrets are modified or accessed, by whom, when, and from where, with advanced filtering and storing capabilities.
- Comply with security best practices: Fully managed deployment means your instance is always up to date and in line with security best practices — no more manual upgrades.
- Last-mile secrets availability for developers: Keep secrets centralized in HCP Vault Secrets while syncing secrets to existing platforms and tools, including cloud service providers (starting with AWS Secrets Manager), so that developers can access secrets where they need them.
HCP Vault Secrets is fully managed by HashiCorp and available on the HashiCorp Cloud Platform, allowing users to get up and running quickly — they can sync their first secret in minutes.