- Uses AWS
- Supports versioning
- Integrates with tools like Ansible
- Dependent on IAM policies on AWS
Things needed from a management perspective
● Audit
● Leasing and renewal
● Developer friendly
● DevOps friendly
● Role-based
● External Connectivity - Authentication
● On-Prem
● Support
● Policies
● Dynamic Secrets
● Scalable and High availability
Vault (Hashicorp)
- Secure K/V store
- Cubbyholes where only the token bearer can access the data. Not even system/Vault administrators can access them.
- Dynamic secrets. Vault will create accounts and credentials for you in databases and cloud IAMs. You can also tie these to highly configurable leases and access policies. (e.g. want to grant someone read-only access to your CloudWatch for 10 minutes and have those keys automatically removed from the system?)
- PKI engine to do one-click/API-call certificate generation, also with highly configurable TTLs.
- SSH CA authority. Similar to PKI but for signing SSH certs. Of course, with highly configurable TTLs. Want to let someone log on to a set of servers for 5 minutes without managing their keys on the servers?
- Control Groups to only allow access to secrets after N approvals have been met.
- Sentinel Policy as Code for highly configurable access rules based on metadata (e.g. only allow access to a set of secrets from 10AM-6PM if requests come from 192.168.42.0/24).
- Pluggable architecture.
- Cloud agnostic. You can run it anywhere: laptop, on-prem datacenter, AWS, Azure, GCP, Alibaba, etc.
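The dynamic-secrets case above (a 10-minute read-only CloudWatch credential that Vault revokes on its own), as an added example written against Vault's HTTP API; it is not code from these notes or from HashiCorp. It assumes VAULT_ADDR and VAULT_TOKEN are set, that the AWS root credential has already been written to aws/config/root, and the role name cloudwatch-ro is our own choice.

```python
"""Added example: issue short-lived, read-only CloudWatch keys through
Vault's AWS secrets engine. Assumes VAULT_ADDR/VAULT_TOKEN in the
environment and aws/config/root already configured; 'cloudwatch-ro' is
a role name chosen for this example."""
import json
import os
import re
import urllib.request

# Only Describe*/Get*/List* style verbs count as read-only here.
READ_ONLY_VERB = re.compile(r"^[a-z0-9-]+:(Describe|Get|List)[A-Za-z]*\*?$")

CLOUDWATCH_RO_POLICY = {  # least-privilege IAM policy carried by each issued user
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow",
                   "Action": ["cloudwatch:Describe*", "cloudwatch:Get*", "cloudwatch:List*"],
                   "Resource": "*"}],
}

def policy_is_read_only(policy):
    """Defender check run before the policy is handed to Vault: every Allow
    action must be a read-only verb; bare '*' and write verbs fail."""
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        actions = stmt.get("Action", [])
        actions = [actions] if isinstance(actions, str) else actions
        if not actions or any(not READ_ONLY_VERB.match(a) for a in actions):
            return False
    return True

def vault(method, path, payload=None):
    """Minimal Vault API call; returns the decoded JSON body ({} on 204)."""
    req = urllib.request.Request(
        f"{os.environ['VAULT_ADDR']}/v1/{path}", method=method,
        data=json.dumps(payload).encode() if payload is not None else None,
        headers={"X-Vault-Token": os.environ["VAULT_TOKEN"]})
    with urllib.request.urlopen(req) as resp:
        body = resp.read()
    return json.loads(body) if body else {}

def configure_cloudwatch_role():
    if not policy_is_read_only(CLOUDWATCH_RO_POLICY):
        raise ValueError("refusing to register a policy that is not read-only")
    vault("POST", "sys/mounts/aws", {"type": "aws"})
    # Default lease of 10 minutes; lease_max caps what a caller may ask for via ttl=.
    vault("POST", "aws/config/lease", {"lease": "10m", "lease_max": "1h"})
    vault("POST", "aws/roles/cloudwatch-ro", {"credential_type": "iam_user",
                                              "policy_document": json.dumps(CLOUDWATCH_RO_POLICY)})

def issue_cloudwatch_creds():
    """Each read creates a fresh IAM user; Vault deletes it when the lease expires."""
    resp = vault("GET", "aws/creds/cloudwatch-ro")
    return {"access_key": resp["data"]["access_key"], "lease_id": resp["lease_id"],
            "lease_seconds": resp["lease_duration"]}
```

Revoking early is a single call to sys/leases/revoke with the returned lease_id, which is the check to run when someone's 10-minute window ends ahead of time.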
High Level Spec Hashicorp Vault Credstash Cyberark Conjur
Auditable Y Y
Policies Y Y
Dynamic Secrets Y Y
AWS integration Y Y
GCP integration Y Y
Azure integration Y Y
Other
CyberArk - Conjur
https://gist.github.com/maxvt/bb49a6c7243163b8120625fc8ae3f3cd