Hashicorp Posted December 16, 2020

We are pleased to announce an update to the HashiCorp Vault on Amazon EC2 and HashiCorp Vault on Amazon EKS quick start guides. AWS quick start guides are built by AWS solutions architects and partners to help users deploy technologies on AWS, based on AWS best practices for security and high availability. The Vault guide helps users learn and implement an open-source HashiCorp Vault cluster in an AWS environment. This guide has been updated to include the latest version of Vault and incorporates important features that have been added since the previous version of this guide was published. In this blog, we'll explain which features have been added to the guide and the benefits they provide.

Integrated Storage with Raft Consensus Algorithm

Integrated Storage is a storage engine built into Vault. It removes the need to configure and manage additional storage backends or services, which significantly simplifies the deployment and operation of production Vault clusters. The integrated storage deployed in this guide provides users with data consistency. Unlike other storage backends, Integrated Storage does not operate from a single source of data. Instead, every node in a Vault cluster holds a replicated copy of Vault's data, and that data is replicated across all the nodes via the Raft Consensus Algorithm.

AWS KMS Backend for Vault Auto-Unseal

Vault's auto-unseal capabilities were introduced in the 1.0 release. When a Vault server is started, it starts in a sealed state in which it cannot decrypt its data. Before any operation can be performed on Vault, it must be unsealed. Vault's auto-unseal feature delegates the unsealing process to AWS KMS. This guide deploys a Vault cluster with auto-unseal turned on via AWS KMS.

This feature enables operators to delegate the unsealing process to AWS KMS to ease operations in the event of partial failure and to aid in the creation of new or ephemeral clusters. For more information about Vault's auto-unseal with AWS KMS, follow the Learn guide.

AWS ACM Private CA for Load Balancer

Vault's 1.6 release included support for the AWS Certificate Manager (ACM) Private Certificate Authority. Vault users can now use ACM Private CA as their Certificate Authority provider for issuing and managing the root and intermediate certificates used in certificate signing operations. In the case of this guide, users secure incoming traffic to the VPC through an application load balancer, deployed with the guide, using a certificate from ACM Private CA. Users who already rely on another trusted Certificate Authority also have the option to provide a different Secure Sockets Layer (SSL) certificate. Implementing this trusted connection point is a critical component of enabling AWS's autoscaling capabilities.

Helm Chart Support on Amazon EKS Control Plane (Vault on Amazon EKS)

The HashiCorp Vault on Amazon EKS quick start guide is designed to deploy a Vault cluster via the Vault Helm chart. The deployment wizard supports a number of advanced options to customize the installation, such as the number of server pods and clients. This guide deploys Amazon EKS as a base layer, then deploys Vault via the Helm chart following industry best practices for running Vault on Amazon EKS. For more information, visit the Vault on Kubernetes Deployment Guide and the Vault on Kubernetes Reference Architecture.

Next Steps

These guides were updated in collaboration with the quick start team at AWS. They make it simple for users to get started with Vault for the first time or to deploy it into their existing environment. The goal of updating these guides is to ensure that users are aware of the latest features Vault offers.

To get started using this guide, visit the Quick Start pages: HashiCorp Vault on Amazon EC2 and HashiCorp Vault on Amazon EKS. For more information about Vault, please visit our product page.
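As an added illustration (not part of the original post and not the quick start's own template), here is a single node's Vault server configuration that combines the two features described above: Integrated Storage with Raft peers discovered by EC2 tag, and auto-unseal backed by an AWS KMS key. The IP addresses, file paths, region, tag values and the KMS key ID are assumed placeholders.

```hcl
# Added example server.hcl for one node of a Raft-backed Vault cluster
# with AWS KMS auto-unseal. Angle-bracket values are placeholders.
ui = true

# Integrated Storage manages its own memory locking; HashiCorp's Raft
# guidance is to disable mlock here and rely on swap being turned off.
disable_mlock = true

# Addresses clients and peers use to reach this node (assumed private
# IP; every node in the cluster needs its own value).
api_addr     = "https://10.0.1.10:8200"
cluster_addr = "https://10.0.1.10:8201"

listener "tcp" {
  address         = "0.0.0.0:8200"
  # Certificate issued by ACM Private CA or another CA the clients trust.
  tls_cert_file   = "/opt/vault/tls/vault.crt"
  tls_key_file    = "/opt/vault/tls/vault.key"
  tls_min_version = "tls12"
}

storage "raft" {
  path    = "/opt/vault/data"
  node_id = "vault-node-1"   # must be unique per node

  # Peers find each other by EC2 tag rather than a hard-coded peer list,
  # so nodes launched by an autoscaling group can join on their own.
  retry_join {
    auto_join           = "provider=aws region=us-east-1 tag_key=vault-cluster tag_value=<CLUSTER_NAME>"
    auto_join_scheme    = "https"
    leader_ca_cert_file = "/opt/vault/tls/ca.crt"
  }
}

# Auto-unseal: Vault's root key is wrapped by the KMS key, so a restarted
# node unseals without operators entering Shamir key shares. The KMS key
# policy and the instance role therefore become the unseal trust boundary;
# the role needs only kms:Encrypt, kms:Decrypt and kms:DescribeKey on this
# one key, and KMS calls are recorded in CloudTrail for review.
seal "awskms" {
  region     = "us-east-1"
  kms_key_id = "<KMS_KEY_ID>"
}
```

Initializing the first node with `vault operator init` still produces recovery keys; keep those offline, because they are what remains if the KMS key is ever unavailable or disabled.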