Published: Feb 12, 2019 by Isaac Johnson
Up until now we’ve just covered Hashi Vault in it’s Open Source form.
Vault is a rock solid product, one of the few in Hashi’s lineup that’s reached the pinnacle of full-version-hood, going to 1.0 in December of this year.
The free version is excellent and many Enterprise features will make their way to OSS. For instance, the UI mode was an Enterprise feature until Vault 1.0.
However, as solid as the OSS version is, there are features as Enterprises scale that make the Enterprise offering make more sense. A full feature break down here: https://www.hashicorp.com/products/vault/enterprise
Some key features of Enterprise:
- Sentinel , the killer policy enforcement tool from Terraform is available in Vault Enterprise Premium
- Replication for cross-cloud/hybrid-cloud deployments as well as HSM Auto-unseal provides real HA/DR.
- Control Groups and MFA can further tighten security around secrets
- Read Replicas can help organizations scale (for instance on large transactional databases or massive distributed microservice mesh networks)
Pro versus Premium
Pro brings all the features of OSS along with Namespaces and DR failover.
Premium is the next step up with all the features (including AWS/Azure/GCP auto-unseal features).
Premium is also Highly Available with Consul allowing for Leader Election with Standby.
Enterprise Feature Demo: Namespaces
Creating - you can have child namespaces
You can then use a policy.hcl to set access policies.
Using them just requires either the VAULT_NAMESPACE environment variable or passing with -path=namespace or -namespace= (depending on command)
D:\Vault>vault namespace create projectA
D:\Vault>vault namespace create -namespace=projectA buildCreds
D:\Vault>vault namespace list
projectA/
D:\Vault>vault namespace -namespace=projectA
buildCreds/
D:\Vault>vault policy write -namespace=projectA projA-admin projA-admin.hcl
D:\Vault>set VAULT_NAMESPACE="projectA/buildCreds"