Canva is a global online visual communications platform on a mission to empower the world to design. Used by over 90% of Fortune 500 companies across 190 countries, Canva stands out as the leader in accessible, user-friendly graphic design solutions.
When we were looking for a solution, one of the things we really cared about was extensibility, and Vault really shines on this. It's really pluggable, with the ability to develop custom auth engines and secrets engines, which means the runway is unlimited.
- Anthony Ralston, Senior Software Engineer, Cloud Security, Canva
As a SaaS company serving both B2B and B2C clients, Canva relies on numerous APIs, databases, and services that require secure management of access credentials. The sheer scale of its customer base (over 170 million monthly users) demands a sound infrastructure that can support millions of monthly secret reads.
Secrets used to be sprawled across multiple stores, compromising visibility and multiplying security risks. This decentralized approach to secrets management created significant manual overhead that made scaling IT operations challenging.
To address this, Canva implemented HashiCorp Vault to centralize and automate secrets management. Canva took an iterative approach, starting by migrating its build systems to Vault and integrating a custom authentication plugin for Buildkite agents using OIDC. This ensured agents had short-lived, pipeline-specific access to secrets, significantly enhancing security posture. Following this success, Canva expanded Vault usage to its backend systems, seamlessly migrating 80% of them. Vault currently vends secrets for two million builds a month and fields two million secret reads for Canva backends.
Outcomes
- Eliminated secret sprawl and improved visibility across systems
- Automated secret rotation to minimize security risks
- Secured 2 million monthly builds and backend secret reads
- Enhanced scalability with Vault's extensibility features
- Reduced operational disruption with a seamless, phased migration
Canva Partner
Anthony Ralston, Senior Software Engineer, Cloud Security, Canva
Anthony Ralston is a software engineer for the Cloud Security team at Canva. The team is responsible for the rollout of HashiCorp Vault and has been on a mission to migrate all static secrets and make them dynamic over the last two years.