Secrets Management at Deployment Time with HashiCorp Vault and Waypoint

I presented this talk at HashiConf Global in 2021 and always intended to write it as a blog, finally getting around to it.

In this blog post, we will discuss how HashiCorp Vault and HashiCorp Waypoint can be used together to manage secrets during application deployment. In addition to secret management, Vault provides excellent auditability, which can help with tracking down who used what secret and meeting compliance requirements.

Understanding Secrets and Ephemeral Credentials

A secret is a piece of sensitive information, such as API keys, passwords, or certificates, that should be kept confidential and secure. An ephemeral credential is a temporary and time-limited secret, such as a service account token, that is automatically revoked after its time-to-live (TTL) expires.

Vault’s Dynamic Secrets Engine generates ephemeral credentials, providing temporary access to resources like databases and cloud providers. It allows users to create and manage short-lived, automatically revoked secrets on demand.

HashiCorp Vault and Waypoint Overview

HashiCorp Vault is a secrets management tool that helps secure, store, and manage sensitive data. It enables fine-grained access control and robust audit logging to ensure that secrets remain secure.

HashiCorp Waypoint is a platform for building, deploying, and releasing applications. It allows developers to define deployment workflows, automate processes, and integrate with other tools like Vault.

Waypoint’s Vault plugin allows it to communicate with Vault, enabling dynamic secret generation and management during application deployment. The plugin also provides additional features such as audit logging, making it easier to meet compliance requirements.

Vault’s Dynamic Secrets Engine

With Vault’s Dynamic Secrets Engine for Google Cloud Platform (GCP), Vault can create a service account, assign the correct IAM roles, set a TTL, and then revoke the service account when it expires. Users with appropriate Vault roles and policies can retrieve these credentials.

Workflow Example: Vault and Waypoint Integration

When an application is deployed, Waypoint communicates with Vault to generate a credential on-demand, use it for the app, and then manage it throughout the lifecycle. This includes revoking access to all secrets in the event of a breach.

The integration of Vault and Waypoint demonstrates an excellent example of secrets management at deployment time because:

1. It is fully automated, with no manual credential generation.
2. Developers never directly handle the secrets or credentials.
3. Waypoint acts as a broker, making the secret available only to the app through a Waypoint environment.

Enabling the Vault Plugin on Waypoint

To enable the Vault plugin on Waypoint, use the following command:

waypoint config source-set -type=vault \
        -config="auth_method=kubernetes" \
        -config="auth_method_mount_path=auth/kubernetes" \
        -config="addr=${VAULT_ADDR}" \
        -config="kubernetes_role=waypoint" \
        -config="skip_verify=true"

Waypoint App Configuration with Vault Integration

Here is an example of a Waypoint app configuration that highlights the Vault integration:

project = "hello-creds"

config {
  env = {
    "DATABASE_USERNAME" = configdynamic("vault", {
      path = "database/creds/my-role"
      key  = "username"
    })

    "DATABASE_PASSWORD" = configdynamic("vault", {
      path = "database/creds/my-role"
      key  = "password"
    })
  }
}

app "hello-creds" {
  labels = {
    "service" = "hello-creds",
    "env"     = "dev"
  }

  build {
    use "pack" {
    builder = "gcr.io/buildpacks/builder:v1"
  }
  registry {
    use "docker" {
      image = "gcr.io/arc-marc-sandbox/hello-creds"
      tag = "latest"
      local = false
    }
  }
}

  deploy {
    use "kubernetes" {
      namespace = "hello-creds"
    }
  }
  release {
    use "kubernetes" {
      load_balancer = true
      namespace = "hello-creds"
    }
  }

}

This example demonstrates how Waypoint and Vault integration enhances secrets management during the deployment process. It’s a great way to improve security, ensure compliance, and automate credential management.

Conclusion

Thank you for reading this blog post. If you would like to see the original talk given at HashiConf 2021, check it out here:

At the time of the presentation, there was a bug with the Vault dynamic secrets engine and Waypoint integration, but it has since been resolved. This integration is an excellent example of secrets management at deployment time, and we hope you find it useful in your projects.

• Secrets Management
• Security
• Kubernetes
• Waypoint
• Vault
• HashiCorp