Skip to main content
HashiTalks 2025 Learn about unique use cases, homelab setups, and best practices at scale at our 24-hour virtual knowledge sharing event. Register
FAQ

What does Dev, Ops, and Security do in a Vault rollout?

Learn which roles handle Vault tasks including ACLs, governance, auditing, architecture, performance, maintenance, and more.

Speakers

Transcript

As you're rolling out Vault, there's gonna be a number of personas that are involved, and so if you are a company that's looking to adopt modern automation tooling, you're likely gonna want a modern secrets management system. This moves away from the privilege access management (PAM), and more into the, "How do I access secrets in the cloud?" "How do I access secrets at high-scale?" "How do I do so without a human involved?"

There are a number of different teams that will be involved throughout this journey. We'll start with the development team.

Development team

The development team is the consumer of those secrets. So, what you'll need is the application developer that's actually going to be writing the code that's going to interact with those secrets, and make the decision of, "Do we want to use libraries, do we want to have that native to the application? Do we want to use helper tools that can place those secrets on the system for them?" And, as you go through that conversation, you can really understand what the amount of effort it's gonna take for them to actually consume those secrets.

Operations team

The second team is gonna be the operations team, and you'll need someone on that team, that's able to make architectural decisions on how you're gonna roll Vault out. That takes into consideration resiliency, it takes into consideration the different pieces that you'll need to ensure that a secrets management solution stays online.

When you have things like dynamic secrets, those secrets are gonna expire, so you wanna ensure that that system is always available to the consumers, which are your developers. So you gotta think about secret locality. If I have multiple data centers, or multiple clouds, it's ensuring that Vault is gonna be available and up no matter what happens. If there's a network severance, or there happens to be one part of one AZ (availability zone) that goes down, it's ensuring that your operational readiness is to a point where you can take catastrophes, and take failures, and still be fine in the end.

That's gonna be an architect, as you design that solution, and it's gonna be the operations team that's actually gonna roll it out, and they're gonna be the ones that are actually creating the different automation tooling, regardless of what tool you choose, to ensure that Vault is at a state where it's available.

Security team

The last one is the security team, and the security team is traditionally the people who are making the decisions on what you can and cannot do. They're close to the auditors, they're close to the different folks higher up, or wherever it may be, that are ensuring that you as a company are secure, and you're doing the right thing by consumers of that company.

By having them involved, you can ensure that you're following what it is your auditors are asking you to do, and they can set up the governance around this solution, whether it be through ACLs (Access Control Lists) or even governance on top of that, to guarantee that the way that you've implemented this solution is safe, because they are the ones that understand how everything should be governed.

More resources like this one

4/11/2024FAQ

Introduction to HashiCorp Vault

Vault identity diagram
12/28/2023FAQ

Why should we use identity-based or "identity-first" security as we adopt cloud infrastructure?

3/14/2023Article

5 best practices for secrets management

2/3/2023Case Study

Automating Multi-Cloud, Multi-Region Vault for Teams and Landing Zones