Skip to main content
HashiTalks 2025 Learn about unique use cases, homelab setups, and best practices at scale at our 24-hour virtual knowledge sharing event. Register
FAQ

What application should I secure with Vault first?

For your first Vault test run, and to prove its value quickly, HashiCorp solutions engineering VP Jon Benson has some advice on how to identify a good first candidate for Vault.

Speakers

Transcript

You've got Vault set up. It's stood up, and you're wondering, "How is it that I start interacting with it? What's the best way to actually get the value out of the secrets management solution that I just implemented?" And the best way to look at it is taking an application that is exposed right now. Maybe it has it's sitting in GitHub or your version control system. So you wanna say, "What are the steps I take to solve that?" It could be any type of app, but you wanna look for one that you're able to move quickly and get some quick wins with.

It doesn't have to be a big monolith. It could be a microservice or something that is greenfield, brownfield, or whatever it may be. It's whatever your biggest threat right now is, because you're more willing to move quickly with whatever that app may be. As you look to solve for secrets management with that application, what you wanna do is make it as seamless for the developer as possible. There are different helper tools that can enable you to grab secrets from Vault, place them on a file system, and allow the application to consume them right away.

If they don't wanna have the high-touch integration of libraries where, yes, it's a bit more safe, but you really just wanna start rotating your secrets at a quicker pace—what you can do is, adopt a tool like Consul Template or Envconsul. And what they will do is inject those secrets into the environment that the applications are already looking at. So if they have a configuration file that's sitting on disk, what we can do is set up these tools to automatically fetch the credentials that they need. You create a template. It throws them on the file system that the app is already looking at, and then you can run an orchestration command thereafter.

Additional advice from Dan Brown, director of enterprise architecture at HashiCorp:

"The best first-candidate applications for Vault span the fewest teams. A smaller committee around the application results in fewer approval roadblocks and less time spent synchronizing across teams."

More resources like this one

4/11/2024FAQ

Introduction to HashiCorp Vault

Vault identity diagram
12/28/2023FAQ

Why should we use identity-based or "identity-first" security as we adopt cloud infrastructure?

3/14/2023Article

5 best practices for secrets management

2/3/2023Case Study

Automating Multi-Cloud, Multi-Region Vault for Teams and Landing Zones