Microservices and Secrets Management — Comparison of Vault Solutions

Abhimanyu Garg
Oct 30, 2019 · 3 min read

The most common entities that need to be secured in microservice-based applications are -

  • Database credentials
  • Cross service credentials / tokens
  • API keys and Access Tokens
  • SSL/TLS certificates

In the monolithic model, secrets are usually stored in code, config files, data tables, etc. This is a huge security risk, as secrets can easily be compromised: anyone with access to the repository, the config file or the database can read them. Moreover, there is no centralization of secrets, which makes secret rotation very complex and time-consuming.

With microservices, there is a need for a centralized secrets management solution which can handle these security challenges with minimal intervention.
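Before secrets can be moved into a central store, you first have to find the ones currently living in code and config files. The scanner below is an added example (not code from the original post) that flags credential-looking assignments and AWS access key ids in a constructed sample config, using a Shannon-entropy threshold to skip low-value matches and a placeholder check to skip values that are already injected from a vault at deploy time. The sample keys are AWS's published documentation example values, not real credentials.

```python
import math
import re
from collections import Counter

# Constructed sample of a monolith-style config file with secrets inline.
# The AWS values are the well-known examples from AWS documentation.
SAMPLE_CONFIG = """\
[database]
host = db.internal
user = app
password = S3cr3t-Pr0d-Passw0rd!

[aws]
aws_access_key_id = AKIAIOSFODNN7EXAMPLE
aws_secret_access_key = wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY

[service]
api_key = ${API_KEY}
level = info
"""

# Key names that usually carry a credential, followed by '=' or ':' and a value.
CREDENTIAL_ASSIGNMENT = re.compile(
    r"(?i)([\w.-]*(?:password|passwd|secret|token|api[_-]?key|access[_-]?key)[\w.-]*)"
    r"\s*[:=]\s*['\"]?([^'\"\s]+)"
)
# AWS access key ids have a fixed, recognizable prefix and length.
AWS_KEY_ID = re.compile(r"\bAKIA[0-9A-Z]{16}\b")
# Values that are references to an external store, not secrets themselves.
PLACEHOLDER_PREFIXES = ("${", "{{", "<")


def shannon_entropy(s):
    """Bits of entropy per character; random-looking secrets score high."""
    counts = Counter(s)
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def scan(text, min_len=8, min_entropy=3.0):
    """Return (line_number, key_name, value) for each likely hard-coded secret."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        m = CREDENTIAL_ASSIGNMENT.search(line)
        if m:
            key, value = m.group(1), m.group(2)
            # Skip templated references and short or low-entropy values (e.g. "changeme").
            if (not value.startswith(PLACEHOLDER_PREFIXES)
                    and len(value) >= min_len
                    and shannon_entropy(value) >= min_entropy):
                findings.append((lineno, key, value))
        k = AWS_KEY_ID.search(line)
        if k and not any(f[0] == lineno for f in findings):
            # Key id appeared without a recognizable key name (e.g. inside a URL).
            findings.append((lineno, "aws_access_key_id", k.group(0)))
    return findings


if __name__ == "__main__":
    for lineno, key, value in scan(SAMPLE_CONFIG):
        print("line %d: %s = %s..." % (lineno, key, value[:6]))
```

Run it over a real repository by feeding each file's contents to `scan()`; the entropy threshold and placeholder list are tuning knobs, and anything it finds is a candidate for migration into the central store rather than proof of compromise.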

Requirements include, but are not limited to -

  • Secure storage of different secret types such as tokens, credentials, certificates, etc.
  • Key Rotation
  • Data Encryption
  • Versioning
  • Full Audit logging
  • REST APIs (for easy integration and automation)
  • Fine-grained Access Control
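To make the REST API and versioning requirements concrete, here is an added example (not code from the original post or from HashiCorp) of a minimal client for HashiCorp Vault's KV version 2 secrets engine: it reads a secret together with its version number, refuses soft-deleted or destroyed versions, and polls the metadata endpoint to detect that a rotation has produced a newer version. It assumes the engine is mounted at `secret/` and that `VAULT_ADDR` and `VAULT_TOKEN` are set in the environment for the live calls; the two JSON responses embedded below are constructed samples shaped like Vault's documented responses, so the parsing and rotation logic runs offline.

```python
import json
import os
import urllib.parse
import urllib.request

# Constructed sample of what GET /v1/secret/data/<path> returns for a KV v2 secret.
# The shape follows Vault's documented KV v2 API; the values are made up.
SAMPLE_DATA_RESPONSE = json.dumps({
    "data": {
        "data": {"username": "app", "password": "rotated-value-v3"},
        "metadata": {
            "created_time": "2019-10-30T10:00:00Z",
            "deletion_time": "",
            "destroyed": False,
            "version": 3,
        },
    }
}).encode()

# Constructed sample of GET /v1/secret/metadata/<path>: version history, no secret values.
SAMPLE_METADATA_RESPONSE = json.dumps({
    "data": {
        "current_version": 3,
        "oldest_version": 1,
        "versions": {
            "1": {"destroyed": True},
            "2": {"destroyed": False},
            "3": {"destroyed": False},
        },
    }
}).encode()


def parse_kv2_data(body):
    """Return (secret_dict, version); refuse soft-deleted or destroyed versions."""
    inner = json.loads(body)["data"]
    meta = inner["metadata"]
    if meta.get("destroyed") or meta.get("deletion_time"):
        raise ValueError("version %s is deleted or destroyed" % meta.get("version"))
    return inner["data"], meta["version"]


def parse_kv2_metadata(body):
    """Return (current_version, sorted list of versions that can still be read)."""
    data = json.loads(body)["data"]
    live = sorted(int(v) for v, m in data["versions"].items() if not m.get("destroyed"))
    return data["current_version"], live


def needs_refresh(cached_version, metadata_body):
    """True when the secret was rotated (current version differs from the cached one)."""
    current, _ = parse_kv2_metadata(metadata_body)
    return current != cached_version


def _get(addr, token, path, query=None):
    """Authenticated GET against the Vault HTTP API (token auth via X-Vault-Token)."""
    url = "%s/v1/%s" % (addr.rstrip("/"), path.strip("/"))
    if query:
        url += "?" + urllib.parse.urlencode(query)
    req = urllib.request.Request(url, headers={"X-Vault-Token": token})
    with urllib.request.urlopen(req, timeout=5) as resp:
        return resp.read()


def read_secret(path, version=None, addr=None, token=None):
    """Read secret/<path> from a live Vault; pass version= to pin an older version."""
    addr = addr or os.environ["VAULT_ADDR"]
    token = token or os.environ["VAULT_TOKEN"]
    query = {"version": version} if version is not None else None
    return parse_kv2_data(_get(addr, token, "secret/data/" + path, query))


def secret_versions(path, addr=None, token=None):
    """Cheap rotation check: metadata only, no secret material crosses the wire."""
    addr = addr or os.environ["VAULT_ADDR"]
    token = token or os.environ["VAULT_TOKEN"]
    return parse_kv2_metadata(_get(addr, token, "secret/metadata/" + path))


if __name__ == "__main__":
    secret, version = parse_kv2_data(SAMPLE_DATA_RESPONSE)
    print("cached version %d for user %s" % (version, secret["username"]))
    print("rotated since v2?", needs_refresh(2, SAMPLE_METADATA_RESPONSE))
```

A service would call `read_secret()` at startup, remember the returned version, and periodically call `secret_versions()`; when `needs_refresh()` reports a newer version it re-reads the secret instead of restarting, which is what makes centralized rotation cheap compared with secrets baked into config files. Every call is also recorded by Vault's audit log, satisfying the audit requirement without extra work in the client.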

There are multiple vault solutions from different cloud providers (Azure Key Vault, AWS KMS, GCP KMS, etc.) and open source products like HashiCorp Vault which offer rich features for secrets management.

Let's compare some of the most widely used vault solutions — Azure Key Vault, HashiCorp Vault and Kubernetes Secrets.

This is effectively a HashiCorp Vault vs Azure Key Vault comparison, but we have also included Kubernetes Secrets as it comes built in with a Kubernetes cluster and can be considered for some use cases.

Comparison of Vault Solutions from an Operations Point of View -

Documentation Links -

HashiCorp Vault : Link to Documentation

Azure Key Vault : Link to Documentation

Kubernetes Secrets : Link to Documentation

Feature Comparison -

Conclusion

Azure Key Vault, on the other hand, is completely managed by Azure and is one of its tier 1 services. So as a user you only have to worry about its integration and can forget about everything else.

If you go with HashiCorp Vault Enterprise, the cost difference between Azure Key Vault and HashiCorp Vault can be significant. HashiCorp Vault's licensing model is quite complex and expensive. HashiCorp Vault Enterprise costs around $300K per cluster, while Azure Key Vault costs only around $0.03 per 10,000 transactions.

Kubernetes Secrets is a built-in service of Kubernetes and requires no additional operations effort. It has its own limitations, as mentioned in the comparison.

Let us know about your experience and views on secrets management and vault solutions in the comments.

Check out more articles on Microservices.

Vault High Availability Architecture.

Originally published at https://www.techmanyu.com on October 30, 2019.
