Vault
In modern software development and operations, managing secrets - such as passwords, tokens, keys, and certificates - is critical for maintaining security and operational integrity.
Secrets must be stored securely but also be readily accessible to authorized applications and services. Vaults provide secure storage mechanisms to safely manage and access secrets.
The role of vaults
Vaults safeguard sensitive information from unauthorized access while ensuring that legitimate services can obtain necessary data without exposing it to risks. The main advantages of using vaults include:
- Encryption: Vaults encrypt stored secrets at rest, so that anyone who obtains the ciphertext without the corresponding decryption key cannot read them.
- Access Control: Vaults control access to stored secrets through roles and policies.
- Audit Trails: Many vault solutions offer auditing capabilities to track access and changes to secrets, enhancing security and compliance.
- Secrets Rotation: Some vaults can automatically rotate secrets, reducing the risk of compromise over time.
Vault types in Ascend
Ascend provides three vault types to address different use cases in your Data Plane management:
1. Instance Vault
- Scope: Specific to an Ascend Instance
- Management: Automatically provisioned and managed by Ascend
- Implementation: Powered by AWS Secrets Manager
- Use case: Primarily designed for Instance-level configurations such as connecting to the Instance Store and storing API keys for Otto (OpenAI/Azure OpenAI)
2. Environment Vault
- Scope: Specific to an Ascend Environment (Development, Staging, Production, etc.) within an Ascend Instance
- Management: Automatically provisioned for each Ascend Environment
- Implementation: Powered by AWS Secrets Manager
- Use case: Store Environment-specific configuration such as database credentials or API tokens that vary between Environments
- Access pattern: In YAML configuration: ${vaults.environment.<secret-name>}
3. Project Vault
- Scope: Limited to a specific Ascend Project
- Management: User-defined in the Project's vaults/ directory using YAML configuration
- Implementation: Flexible - connect to AWS Secrets Manager, Azure Key Vault, or Google Cloud Secret Manager
- Use case: Store Project-specific secrets that don't need to be shared across different Projects
- Access pattern: In YAML configuration: ${vaults.<vault-name>.<secret-name>}
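The two access patterns above share one shape: a ${vaults.<vault-name>.<secret-name>} reference in YAML that is resolved against a vault the Project is allowed to read. The following Python is an added illustration of how such a resolver should behave, written for this page; it is not Ascend's implementation, and the reference character classes, the in-memory vault backends and the sample config are all constructed assumptions. The two security properties it demonstrates are that resolution fails closed (an undeclared vault name or a missing secret is an error, never an empty string) and that a fetched secret cannot leak through str(), repr() or a log line by accident.

```python
import re
from typing import Mapping

# Reference syntax from the page: ${vaults.<vault-name>.<secret-name>}.
# "environment" is reserved for the Environment Vault; any other vault name
# must be one the Project declares in its vaults/ directory. The character
# classes below are an assumption for this example, not Ascend's grammar.
VAULT_REF = re.compile(r"\$\{vaults\.([A-Za-z0-9_-]+)\.([A-Za-z0-9_/-]+)\}")
ENVIRONMENT_VAULT = "environment"


class VaultResolutionError(Exception):
    """A reference names a vault or secret this Project may not read."""


class Secret:
    """Holds a secret value so that str()/repr()/logging print a mask, not the value."""

    __slots__ = ("_value",)

    def __init__(self, value: str) -> None:
        self._value = value

    def reveal(self) -> str:
        """Explicit accessor: the only way to get the raw value out."""
        return self._value

    def __repr__(self) -> str:
        return "Secret(***)"

    __str__ = __repr__


def find_references(text: str) -> list[tuple[str, str]]:
    """List the (vault, secret) pairs referenced in a YAML fragment, in order."""
    return [(m.group(1), m.group(2)) for m in VAULT_REF.finditer(text)]


def lookup(vaults: Mapping[str, Mapping[str, str]],
           declared_vaults: set[str],
           vault: str, secret: str) -> Secret:
    """Fetch one secret, failing closed on anything not explicitly allowed."""
    if vault != ENVIRONMENT_VAULT and vault not in declared_vaults:
        # A Project can reach only its own vaults plus the Environment Vault.
        raise VaultResolutionError(f"vault {vault!r} is not declared in vaults/")
    try:
        return Secret(vaults[vault][secret])
    except KeyError:
        # Never substitute an empty string for a missing secret: that would
        # silently produce a config that "works" with no credential at all.
        raise VaultResolutionError(f"secret {vault}.{secret} is not available") from None


def resolve_references(text: str,
                       vaults: Mapping[str, Mapping[str, str]],
                       declared_vaults: set[str]) -> str:
    """Return the fragment with every ${vaults.*.*} replaced by its value.

    The result contains live secrets: hand it to the connector, never to a log.
    """
    def _sub(m: re.Match) -> str:
        return lookup(vaults, declared_vaults, m.group(1), m.group(2)).reveal()
    return VAULT_REF.sub(_sub, text)


# --- constructed sample data (not real credentials or real Ascend config) ---
SAMPLE_VAULTS = {
    "environment": {"db_password": "dev-only-pw"},   # the Environment Vault
    "analytics_kv": {"api_token": "tok-123"},         # a Project Vault we declared
    "other_project": {"api_token": "tok-999"},        # someone else's Project Vault
}
DECLARED_PROJECT_VAULTS = {"analytics_kv"}

SAMPLE_CONFIG = """\
connection:
  password: ${vaults.environment.db_password}
  api_token: ${vaults.analytics_kv.api_token}
"""


def resolve_sample() -> str:
    """Resolve the constructed config against the constructed vaults."""
    return resolve_references(SAMPLE_CONFIG, SAMPLE_VAULTS, DECLARED_PROJECT_VAULTS)


if __name__ == "__main__":
    print(find_references(SAMPLE_CONFIG))
    print(resolve_sample())
    for bad in ("${vaults.other_project.api_token}", "${vaults.environment.missing}"):
        try:
            resolve_references(bad, SAMPLE_VAULTS, DECLARED_PROJECT_VAULTS)
        except VaultResolutionError as err:
            print("rejected:", err)
```

The resolver hands back plain text only at the last moment, inside resolve_references, because that is the string a connector needs; everything upstream of it carries Secret objects, so an exception message or a debug print of intermediate state shows Secret(***) rather than the credential. Running the script shows the two valid references resolved and the two bad ones rejected with a reason that names the reference but not any value.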
Supported vault implementations
Ascend-managed vaults are available by default with no setup. For Project Vaults, the platform also integrates with several external vault providers to accommodate different environments and security requirements. When you connect an external vault, limit the credentials Ascend uses to reach it to reading the specific secrets that Project needs, rather than granting broad access to the whole secret store:
- AWS Secrets Manager: A managed AWS solution with features like automatic rotation and integration with AWS services.
- Azure Key Vault: Manages secrets, keys, and certificates for applications deployed in Azure.
- Google Cloud Secret Manager: Provides secure, scalable secret storage for Google Cloud Platform (GCP) users.
See the Vault Reference for more information on how to configure and use vaults.
Choose a vault
Choose a vault based on the following factors:
- Simplicity: For the quickest setup with minimal overhead, Ascend-managed vaults provide an immediately available, pre-configured solution.
- Environment: Consider where your applications or services are hosted (on-premises, cloud, hybrid).
- Integration: Evaluate how well the vault integrates with your existing infrastructure and services.
- Security Requirements: Assess the level of security and compliance your organization needs.
- Operational Complexity: Consider the operational overhead of managing the vault, including setup, maintenance, and secret rotation.
Conclusion
Understanding different vault types and their capabilities is crucial for implementing a secure secret management strategy. Each vault offers features suited to various environments and requirements.
By carefully evaluating these options, you can ensure that your secrets - and with them your applications and data - are protected against unauthorized access.