DEV Community

Anand Vikkath
Secret Engines

What are Secret Engines

Secret engines are pluggable, modular components of HashiCorp Vault responsible for managing secrets such as passwords, tokens, certificates, or API keys.

Each HashiCorp Vault secret engine is purpose-built to address a specific need or integrate with a particular platform or service. Each engine is tailored to optimize security and efficiency for the environment it supports.

This modular design lets Vault integrate with a wide variety of infrastructure while keeping a single point of control, policy, and audit for secrets management.

How do secret engines handle secrets

At the most basic level a secret engine stores and serves secrets through Create, Read, Update, and Delete (CRUD) operations. Some engines do more than store: the Transit engine, for example, encrypts, decrypts, and signs data that is sent to it without ever storing that data, so Vault acts as an encryption service rather than a vault for the plaintext.

Path - Navigate and Organize Secrets

Paths give secrets a logical, hierarchical structure for organizing and accessing them. A path can identify a secret engine mount, such as aws/, kv/, or database/. It can identify a role under an engine, for example aws/appadmins/app1. It can also address an individual secret, such as kv/userpasswords/password1.
Because everything in Vault is addressed by path, a policy can grant capabilities (create, read, update, delete, list) on an exact path or on a path glob, which is what makes fine-grained access management possible: a client that may read aws/creds/app1 need not be able to read aws/creds/* or to see the engine's configuration.

Two types of Secret engines

Not all secrets are created equal. Some, such as API keys, certificates, or passwords, are generated and managed outside of Vault and only need a safe place to live. In other scenarios it is more secure and efficient to have Vault generate credentials on demand.
To address these needs, HashiCorp Vault provides two kinds of secret engine: static and dynamic.

  • Static Secrets are pre-existing credentials or sensitive information, such as API keys, certificates, or passwords, that are generated and managed outside of Vault. These secrets need a secure place to be stored, accessed, and managed. A static secret engine provides centralized storage, strict access control, and auditing capabilities. This is crucial for environments where credentials are long-lived and must be shared securely among users or applications.

  • Dynamic Secrets are generated on demand and have a limited lifespan, which narrows the window in which a leaked credential is useful. For example, instead of relying on a shared static database password, Vault can generate unique credentials for each application instance or user session. These secrets are revoked automatically when their lease expires (or earlier, if the lease is revoked), which removes the need for manual credential rotation.

By dividing secret management into these two types of engines, Vault ensures a tailored approach for handling both pre-existing and on-demand credentials. This separation not only enhances security but also streamlines operations, enabling organizations to meet specific requirements without compromising on efficiency or safety.

KV (Key-Value) Secret Engine (Static)

The KV (Key-Value) Secret Engine in HashiCorp Vault is a static secret engine designed for securely storing and managing simple key-value pairs. As a static engine it handles pre-existing secrets, such as API keys, passwords, or configuration settings, that are generated and maintained externally. The KV engine provides a centralized repository for these secrets, so users and applications fetch them from one place instead of from config files and environment variables scattered across hosts. Access is controlled through Vault policies on the secret's path, the data is encrypted at rest by Vault's storage barrier and in transit by TLS, and every read and write is recorded in the audit log. Together these make the KV engine a reliable and versatile tool for managing static secrets in modern infrastructure.

The KV engine operates in two versions: KV v1 and KV v2

KV v1

  • No versioning: a write overwrites the previous value
  • Not recoverable: an overwritten or deleted value is gone
  • Smaller storage footprint
  • Fewer storage operations per request, so slightly better performance

KV v2

  • Supports versioning: a configurable number of versions is kept per key and any retained version can be read back
  • Supports soft delete of versions, which can be undone with undelete; a separate destroy operation removes a version permanently
  • Supports check-and-set (cas) writes, so a write can be made to fail if the key has changed since it was last read
  • Uses different API paths: data is read and written under kv/data/... and version metadata under kv/metadata/..., and policies for a v2 mount must reference those paths rather than the logical kv/... path the CLI shows
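The following shell script is an added example, not code from the post, that exercises the KV v2 behaviour listed above against a local dev server (vault server -dev) and shows the path detail that trips people up when writing policies for it: the CLI addresses a secret as kv/userpasswords/password1, but KV v2 serves that data at kv/data/userpasswords/password1 and its metadata at kv/metadata/userpasswords/password1, so a policy has to name those API paths. The mount name kv and the secret path userpasswords/password1 are taken from the post; the policy name password1-reader and the values written are my own choices. The script only talks to Vault when the vault binary is on PATH and VAULT_ADDR is set; otherwise it just prints the policy.

```shell
#!/bin/sh
# Added example (not from the post): KV v2 versioning, soft delete/undelete/destroy,
# check-and-set, and the data/ vs metadata/ path split that KV v2 policies must use.
set -eu

MOUNT="kv"                           # mount path used in the post
SECRET="userpasswords/password1"     # logical secret path used in the post
POLICY_NAME="password1-reader"       # assumed policy name for this demo

# Emit a Vault policy that lets a client read the secret (any retained version)
# and inspect its metadata, but not write, undelete or destroy it. Note the API
# paths: KV v2 stores data under <mount>/data/ and metadata under
# <mount>/metadata/; a rule for "kv/userpasswords/password1" matches nothing
# on a v2 mount and silently grants no access.
kv2_read_policy() {
  cat <<EOF
path "$MOUNT/data/$1" {
  capabilities = ["read"]
}
path "$MOUNT/metadata/$1" {
  capabilities = ["read"]
}
EOF
}

# Walk the version lifecycle on a live Vault (a dev server is fine).
kv2_demo() {
  vault secrets enable -path="$MOUNT" kv-v2

  vault kv put "$MOUNT/$SECRET" value=first          # version 1
  vault kv put "$MOUNT/$SECRET" value=second         # version 2
  vault kv get -version=1 "$MOUNT/$SECRET"           # v1 is still readable: versioning

  # Check-and-set: the write only succeeds if the current version is 2,
  # so two writers cannot silently clobber each other.
  vault kv put -cas=2 "$MOUNT/$SECRET" value=third   # version 3

  vault kv delete "$MOUNT/$SECRET"                   # soft delete of the latest version (3)
  vault kv undelete -versions=3 "$MOUNT/$SECRET"     # recoverable: version 3 is back
  vault kv destroy -versions=1 "$MOUNT/$SECRET"      # permanent: v1 data is gone for good
  vault kv metadata get "$MOUNT/$SECRET"             # shows deleted/destroyed state per version

  # Install the read-only policy; "-" makes `vault policy write` read from stdin.
  kv2_read_policy "$SECRET" | vault policy write "$POLICY_NAME" -
}

if command -v vault >/dev/null 2>&1 && [ -n "${VAULT_ADDR:-}" ]; then
  kv2_demo
else
  echo "vault not available or VAULT_ADDR unset; printing the policy only:" >&2
  kv2_read_policy "$SECRET"
fi
```

A token holding only password1-reader can run vault kv get on the secret and list its versions, but vault kv put, undelete, and destroy are refused, because those need update on kv/data/... and on kv/undelete/... and kv/destroy/... respectively.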

AWS Secret Engine (Dynamic)

The AWS Secrets Engine in HashiCorp Vault is a dynamic secret engine designed to generate ephemeral AWS credentials on demand. Depending on the role's credential_type it creates a fresh IAM user with its own access key (iam_user), or short-lived STS credentials for an assumed role (assumed_role) or a federation token (federation_token). Either way the credentials are tied to a Vault lease and stop working when that lease ends, which is what makes them safer than long-lived keys.

How it works

The AWS secrets engine talks to an AWS account using API credentials supplied when the engine is configured. These belong to an IAM user or role with permission to create and delete the IAM users, access keys, or STS sessions that Vault will hand out. They are the engine's own "root" credentials, so they deserve the same care as any other long-lived key: scope them to exactly the IAM actions Vault needs and rotate them.

In Vault, you create roles that map to AWS IAM permissions, either as an inline policy document or as the ARNs of existing managed policies. A role defines what the generated credentials can do: read-only access to an S3 bucket, full administrative rights for EC2, or any other set of permissions needed for AWS resources.

When an application or user reads the role's creds path, Vault generates a unique set of credentials (an access key and a secret access key, plus a session token for the STS-based types) carrying the role's permissions. The credentials are ephemeral: they come with a lease whose TTL is set in the engine's lease configuration, and they can be revoked early by revoking the lease. For iam_user credentials Vault revokes by deleting the IAM user it created, so the key stops working immediately. STS credentials simply expire at the end of their TTL and cannot be invalidated by Vault before then, which is one reason to keep their TTLs short. In both cases there is no long-lived static key to leak, misuse, or forget to rotate.

Key advantages

  • Automatic credential lifecycle management: issue, renew, and revoke without anyone handling the keys by hand
  • Fine-grained access control on two levels: Vault policies decide who may read each creds path, and the AWS policy on the role decides what the resulting keys may do
  • Audit logging: every issuance and revocation is in Vault's audit log, and what the keys then do in AWS is recorded by CloudTrail under the Vault-generated IAM user name, so the two logs can be joined

By leveraging this dynamic engine, organizations can simplify AWS credential management while improving security and reducing administrative overhead.

Demo

Enable AWS engine in vault

  • GUI: Secret Engines --> Enable new engine --> AWS
  • CLI: vault secrets enable aws

Create user in AWS to connect from vault

AWS Console --> IAM --> Users --> Create User
Add the required permission for the user (Administrator in this case, to keep the demo short; in production grant only the iam:* actions Vault needs, restricted to the users it creates)
Generate Access key for the AWS user

Add the AWS user into the vault

  • GUI: Secret Engines --> aws/ --> Configuration
  • CLI: vault write aws/config/root access_key=<User Access Key> secret_key=<User secret>

Configure a vault role that maps to a set of permissions in AWS

vault write aws/roles/EC2Admin_Rolefromvault credential_type=iam_user policy_document=@policy.json

Generate the credentials

vault read aws/creds/EC2Admin_Rolefromvault
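Here is the whole demo as one script, added as an example and not taken from the post, with the pieces the steps above leave out: the policy.json the role refers to (written here as an EC2 describe-only document, my own choice for the demo; swap in the permissions your role really needs), a least-privilege IAM policy for the user whose keys go into aws/config/root instead of Administrator, the lease TTLs that bound how long the generated keys live, revoking a lease before it expires, and rotating the root key so the value that was pasted in is no longer valid anywhere. The role name EC2Admin_Rolefromvault is the post's; the account id, the vault-secrets-engine user name and the 30m/1h TTLs are assumptions. The IAM action list is the one Vault's AWS secrets engine documentation gives for iam_user roles; check it against the current docs before use. The script talks to Vault only when the vault binary, VAULT_ADDR and the AWS key variables are all set; otherwise it prints the two policy documents.

```shell
#!/bin/sh
# Added example (not from the post): the AWS secrets engine demo end to end,
# with least-privilege root credentials, bounded leases, early revocation and
# root key rotation.
set -eu

ROLE_NAME="EC2Admin_Rolefromvault"   # role name from the post

# IAM policy for the user whose access key Vault stores at aws/config/root.
# Instead of Administrator, grant only the iam:* actions Vault needs to create
# and tear down the dynamic users, and pin Resource to the vault-* users it
# creates so a leaked root key cannot touch any other IAM user.
# The action list is the one documented for credential_type=iam_user; the
# second statement is only needed for aws/config/rotate-root, which creates a
# fresh key for the root user and deletes the old one.
vault_root_iam_policy() {
  account_id="$1"        # assumed: 12-digit AWS account id
  root_user="$2"         # assumed: IAM user name whose keys Vault holds
  cat <<EOF
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "iam:AttachUserPolicy", "iam:CreateAccessKey", "iam:CreateUser",
        "iam:DeleteAccessKey", "iam:DeleteUser", "iam:DeleteUserPolicy",
        "iam:DetachUserPolicy", "iam:GetUser", "iam:ListAccessKeys",
        "iam:ListAttachedUserPolicies", "iam:ListGroupsForUser",
        "iam:ListUserPolicies", "iam:PutUserPolicy", "iam:AddUserToGroup",
        "iam:RemoveUserFromGroup", "iam:TagUser"
      ],
      "Resource": ["arn:aws:iam::${account_id}:user/vault-*"]
    },
    {
      "Effect": "Allow",
      "Action": ["iam:CreateAccessKey", "iam:DeleteAccessKey", "iam:GetUser"],
      "Resource": ["arn:aws:iam::${account_id}:user/${root_user}"]
    }
  ]
}
EOF
}

# Inline policy attached to every IAM user the role generates (the policy.json
# of the post). Describe-only is an assumption for the demo; the generated keys
# can do exactly this and nothing more, whatever the root user is allowed to do.
role_policy_document() {
  cat <<'EOF'
{
  "Version": "2012-10-17",
  "Statement": [
    { "Effect": "Allow", "Action": ["ec2:Describe*"], "Resource": "*" }
  ]
}
EOF
}

aws_engine_demo() {
  vault secrets enable aws

  # Root credentials. Leaving access_key/secret_key out makes Vault fall back
  # to its own environment or instance profile, which avoids pasting keys at all.
  vault write aws/config/root \
    access_key="$AWS_ACCESS_KEY_ID" \
    secret_key="$AWS_SECRET_ACCESS_KEY" \
    region="${AWS_REGION:-us-east-1}"

  # Default and maximum lease for iam_user credentials issued by this mount.
  vault write aws/config/lease lease=30m lease_max=1h

  role_policy_document > policy.json
  vault write "aws/roles/$ROLE_NAME" credential_type=iam_user policy_document=@policy.json

  # Each read creates a brand-new IAM user with its own access key and a lease.
  creds=$(vault read -format=json "aws/creds/$ROLE_NAME")
  lease_id=$(printf '%s\n' "$creds" | sed -n 's/.*"lease_id": *"\([^"]*\)".*/\1/p')

  # Revoke before the TTL: Vault deletes the IAM user, so the key stops working now.
  vault lease revoke "$lease_id"

  # Rotate the root key so the value typed in above is no longer valid anywhere.
  vault write -f aws/config/rotate-root
}

if command -v vault >/dev/null 2>&1 && [ -n "${VAULT_ADDR:-}" ] \
   && [ -n "${AWS_ACCESS_KEY_ID:-}" ] && [ -n "${AWS_SECRET_ACCESS_KEY:-}" ]; then
  aws_engine_demo
else
  echo "vault, VAULT_ADDR or AWS key variables not set; printing policy documents only:" >&2
  vault_root_iam_policy 123456789012 vault-secrets-engine   # placeholder account id
  role_policy_document
fi
```

The read returns lease_id, lease_duration, access_key, secret_key and (null for iam_user) security_token; note that the root user's own policy never has to include ec2:* for the role to work, because the generated users get their permissions from the role's policy_document, not from the root user. After rotate-root the access key that was pasted in during setup is deleted in IAM, so only Vault ever holds a working root key from then on.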
