Infrastructure tooling provider HashiCorp has given Vault an overhaul for the 0.11 release, upping the ante on multi-tenancy and performance. But since you get what you pay for, enterprise users will be the ones profiting most from the update.
Vault is HashiCorp’s tool for storing and securing assets such as access tokens, certificates, passwords, and everything else that should stay secret. It also handles leasing and revocation of secrets, key rolling, and keeps an audit log of all authenticated client interactions.
Newly available version 0.11 includes a new mode for the Vault binary. The so-called Vault Agent can be used to automatically handle the secure introduction of a system (authenticating it to Vault with a platform identity rather than a pre-shared secret) and the renewal and rotation of its Vault token. Policies can now also use access control list (ACL) templates that refer to entities, identity groups, and their metadata, so that a single policy can grant each identity access to its own paths.
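As an added illustration of the Agent mode (example configuration written for this article, not taken from the original page or from HashiCorp’s documentation): the agent authenticates with the machine’s AWS IAM identity and writes the resulting token to a file for the application to read. The auth mount path, the role name `web-frontend` and the sink path are assumptions.

```hcl
# Added example, not from the original article or HashiCorp's docs:
# a minimal Vault Agent configuration using 0.11's auto-auth.
# Assumptions: the AWS auth method is mounted at auth/aws and has a role
# named "web-frontend"; the sink path is chosen for illustration.

pid_file = "/var/run/vault-agent.pid"

auto_auth {
  # Authenticate with the instance's IAM identity (secure introduction):
  # nothing secret has to be baked into the image or passed at boot.
  method "aws" {
    mount_path = "auth/aws"
    config = {
      type = "iam"
      role = "web-frontend"
    }
  }

  # Write the token the agent obtains (and keeps renewed) to a file that
  # the application reads on startup.
  sink "file" {
    config = {
      path = "/run/vault/token"
    }
  }
}
```

Run it with `vault agent -config=agent.hcl` and `VAULT_ADDR` set. The caveat a practitioner should keep in mind: the sink file now holds a live Vault token, so it belongs on a filesystem that only the consuming process’s user can read, and the role `web-frontend` should be bound to a policy that grants no more than that application needs.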
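As an added example of the new ACL templating (written for this article, not code from the original page or from HashiCorp), the following policy gives each entity access to a KV subtree named after itself and read access to a subtree named after a metadata key on the entity. It assumes a KV version 2 secrets engine mounted at `secret/` and an entity metadata key called `team`; both are assumptions.

```hcl
# Added example, not from the original article or HashiCorp's docs.
# Assumptions: KV v2 mounted at "secret/"; entities carry a metadata
# key "team" (set with `vault write identity/entity/... metadata=team=...`).

# Each entity may manage only the subtree named after its own entity name.
path "secret/data/users/{{identity.entity.name}}/*" {
  capabilities = ["create", "read", "update", "delete", "list"]
}

# KV v2 keeps listing under the metadata path, so allow listing there too.
path "secret/metadata/users/{{identity.entity.name}}/*" {
  capabilities = ["list"]
}

# Shared team secrets, resolved from the entity's "team" metadata value.
# If an entity has no "team" key, this rule cannot render and grants nothing.
path "secret/data/teams/{{identity.entity.metadata.team}}/*" {
  capabilities = ["read"]
}
```

One policy therefore replaces a per-user policy for every entity, which is the least-privilege win. The check worth doing before relying on it: entity names are not immutable (they can be updated through the identity API), so a rename changes which paths the entity can reach; where that matters, key the path on `{{identity.entity.id}}` instead.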
Users interested in mapping Vault roles to one or more Azure roles can do so via a dedicated plugin, the Azure secrets engine, which dynamically generates Azure service principals and role assignments. Each service principal is tied to a Vault lease and is deleted once the lease expires or is revoked.
Vault 0.11 also comes with tooling to let users log in with Alibaba Cloud credentials (an auth method) or dynamically generate such credentials to access the cloud offering’s infrastructure (a secrets engine). Alibaba Cloud object storage can now also serve as a storage backend.
Vault users with an enterprise package (pricing available on request only) can access a new node type. So-called Performance Standby nodes are similar to High Availability standby nodes, but additionally serve read-only requests from users or applications within a single cluster, for better scalability. Performance Standbys are part of Enterprise Premium, although they appear to be available as an add-on for Pro installations as well.
Another new enterprise feature is Namespaces. With their help, users are able to create isolated environments for multi-tenancy within a single Vault installation. Each namespace carries its own secrets engines, authentication methods, identities, policies, and tokens, so separate environments for different teams can be established on shared infrastructure.