Microservices and Secrets Management — Comparison of Vault Solutions
The most common entities that need to be secured in microservice-based applications are:
- Database credentials
- Cross service credentials / tokens
- API keys and Access Tokens
- SSL/TLS certificates
In the monolithic model, secrets are usually stored in code, config files, data tables and similar places. This is a serious security risk, as such secrets can easily be compromised. Moreover, there is no centralization of secrets, which makes secret rotation complex and time-consuming.
With microservices, there is a need for a centralized secrets management solution that can handle these security challenges with minimal intervention.
Requirements include, but are not limited to:
- Secure storage of different secret types such as tokens, credentials and certificates
- Key rotation
- Data encryption
- Full audit logging
- REST APIs (for easy integration and automation)
- Fine-grained access control
There are multiple vault solutions from different cloud providers (Azure Key Vault, AWS KMS, GCP KMS, etc.) and open source products such as HashiCorp Vault, all of which offer rich features for secrets management.
Let's compare some of the most widely used vault solutions: Azure Key Vault, HashiCorp Vault and Kubernetes Secrets.
This is effectively a HashiCorp Vault vs Azure Key Vault comparison, but we have also included Kubernetes Secrets, as it comes built into every Kubernetes cluster and can be considered for some use cases.
Comparison of Vault Solutions from an Operations Point of View
Documentation links:
- HashiCorp Vault: Link to Documentation
- Azure Key Vault: Link to Documentation
- Kubernetes Secrets: Link to Documentation
Feature Comparison
HashiCorp Vault is currently the market leader in vault solutions and has the most comprehensive feature coverage. Its biggest challenge is operating and managing it: as a user you are responsible for setup, maintaining high availability, backups, scalability and so on, which can take considerable operations effort.
Azure Key Vault, on the other hand, is completely managed by Azure and is one of its tier 1 services, so as a user you only have to worry about integrating with it and can leave everything else to Azure.
If you go with HashiCorp Vault Enterprise, the cost difference between Azure Key Vault and HashiCorp Vault can be significant. HashiCorp Vault's licensing model is quite complex and expensive: HashiCorp Vault Enterprise costs around $300K per cluster, while Azure Key Vault costs only around $0.03 per 10,000 transactions.
Kubernetes Secrets is a built-in service of Kubernetes and requires no additional operations effort. It has its own limitations, as noted in the comparison.
Let us know about your experience and views on secrets management and vault solutions in the comments.
Originally published at https://www.techmanyu.com on October 30, 2019.