A Vault Tutorial. Part 7

Published: Feb 12, 2019 by Isaac Johnson

Up until now we’ve just covered Hashi Vault in its Open Source form.

Vault is a rock solid product, one of the few in Hashi’s lineup that’s reached the pinnacle of full-version-hood, going to 1.0 in December of this year.

The free version is excellent and many Enterprise features will make their way to OSS. For instance, the UI mode was an Enterprise feature until Vault 1.0.

However, as solid as the OSS version is, there are features that make the Enterprise offering make more sense as Enterprises scale. A full feature breakdown is here: https://www.hashicorp.com/products/vault/enterprise

Some key features of Enterprise:

  • Sentinel, the killer policy enforcement tool from Terraform, is available in Vault Enterprise Premium
  • Replication for cross-cloud/hybrid-cloud deployments as well as HSM Auto-unseal provides real HA/DR.
  • Control Groups and MFA can further tighten security around secrets
  • Read Replicas can help organizations scale (for instance on large transactional databases or massive distributed microservice mesh networks)

Pro versus Premium

Pro brings all the features of OSS along with Namespaces and DR failover.

Premium is the next step up with all the features (including AWS/Azure/GCP auto-unseal features).

Premium is also Highly Available with Consul allowing for Leader Election with Standby.

Enterprise Feature Demo: Namespaces

Creating: namespaces can be nested, so a namespace can have child namespaces.

You can then use a policy.hcl to set access policies.

Using them just requires either the VAULT_NAMESPACE environment variable or passing the namespace explicitly with -path=namespace or -namespace= (depending on the command).

D:\Vault>vault namespace create projectA

D:\Vault>vault namespace create -namespace=projectA buildCreds

D:\Vault>vault namespace list
projectA/

D:\Vault>vault namespace list -namespace=projectA
buildCreds/

D:\Vault>vault policy write -namespace=projectA projA-admin projA-admin.hcl

D:\Vault>set VAULT_NAMESPACE=projectA/buildCreds
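The post does not show the contents of projA-admin.hcl, so here is an added example of what such a policy could contain (assumed content, not the post's own file). Paths in a namespace policy are relative to the namespace the policy is written into, so writing this into projectA grants administration of projectA itself and of its buildCreds child; the buildCreds/secret/* path assumes a KV secrets engine has been enabled at secret/ inside buildCreds.

```hcl
# Assumed example policy, written into the projectA namespace with:
#   vault policy write -namespace=projectA projA-admin projA-admin.hcl

# Manage child namespaces of projectA (e.g. create/delete buildCreds)
path "sys/namespaces/*" {
  capabilities = ["create", "read", "update", "delete", "list"]
}

# Manage ACL policies that live inside projectA
path "sys/policies/acl/*" {
  capabilities = ["create", "read", "update", "delete", "list"]
}
path "sys/policies/acl" {
  capabilities = ["list"]
}

# Enable and tune secrets engines mounted inside projectA
path "sys/mounts/*" {
  capabilities = ["create", "read", "update", "delete", "list"]
}
path "sys/mounts" {
  capabilities = ["read"]
}

# Read-only visibility into the child namespace's build credentials
# (assumes a KV engine at secret/ inside projectA/buildCreds)
path "buildCreds/secret/*" {
  capabilities = ["read", "list"]
}
```

Tokens created inside projectA/buildCreds cannot see policies from the parent, so a separate, narrower policy would be written with -namespace=projectA/buildCreds for the build jobs themselves.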

Isaac Johnson

Cloud Solutions Architect

Isaac is a CSA and DevOps engineer who focuses on cloud migrations and devops processes. He also is a dad to three wonderful daughters (hence the references to Princess King sprinkled throughout the blog).