As apps become more complex in the way they use microservices, managing API keys and other secrets becomes more challenging as well. Microservices running in containers need to transfer secrets to allow them to communicate with each other. Each of those transfers as well as the secrets being exchanged needs to be secured properly for the entire system to remain secure.
Hard-coding API keys and other secrets is definitely NOT an option. Despite the obvious nature of the previous statement, a lot of developers still expose the credentials of their microservices or apps on GitHub. Fortunately, there are tools designed to make managing secrets easier. We are going to compare the best secrets management tools in this article.
Why Manage Secrets?
Before we get to the tools, it is important to understand the critical nature of managing secrets the right way, the first reason being the very nature of cloud infrastructure. Machine-to-machine and container-to-container communications are made more seamless with tokens, API keys, and other secrets transferred in a secure way.
Secrets management also enables better management of microservices-based architecture. With CI/CD cycles becoming shorter, maintaining that ability to develop, test, and deploy microservices is critical. Better secrets management allows the entire cloud infrastructure to remain flexible and scalable without sacrificing security in the process.
The Right Tools for the Job
As mentioned before, there are a plethora of secrets management tools to choose from. Choosing the right one is a matter of understanding your specific requirements, the cloud infrastructure you use, and the kind of features you want to have.
Still, some tools stand out from the competition. At the top of our list of best secrets management tools, we have Vault by Hashicorp. Vault is an open-source tool that can be used for free. It runs from a container or a VM and can be used on any cloud platform. Vault stores secrets in a database or a filesystem and offers inbuilt encryption-as-a-service capability.
Since Vault isn’t tied to a specific platform, it can also be used in a multi-cloud setup. The only real challenge is securing the VM on which Vault runs. This means utilizing the tool’s access management features to make sure that only authorized parties have access to secrets.
Next, we have AWS Secrets Manager. This is a paid service that is part of the Amazon Web Services ecosystem. As expected, AWS Secrets Manager integrates really well with the rest of Amazon services. For example, access management is automatically handled by IAM, though it is configured by the user. Automatic API keys rotation and seamless integration with AWS KMS are among the features offered by this tool.
For those utilizing the AWS ecosystem, AWS Secrets Manager is a fantastic secrets management tool to use. Seamless integration with other Amazon services means you can automate tasks such as rotating API keys periodically easily. You don’t even have to worry about storage for your secrets.
Google Cloud Platform’s Cloud KMS is the next tool on our list. This one is not a secret management per se. Instead, it is for cryptographic key management and it can be used in conjunction with cloud storage. It works with Cloud IAM and Cloud Audit Logging out of the box, plus it is incredibly scalable. Access control is one of the strong suits of this tool, specifically because you can be very granular with how you manage permissions down to individual keys.
There are some interesting features offered by Cloud KMS. Its highly available nature makes it interesting for developers and enterprise users alike. Automated and manual key rotations are also supported, with support for multiple versions making the tool more appealing.
Alternatively, you can optimise Berglas, GCP’s open-source tool and the equivalent of AWS KMS. Use Berglas to encrypt secrets in a bucket as well as store and retrieve them on the platform.
In comparison, Keywhiz, a secrets management tool built by Square, focuses on user-friendliness. It has features like automation APIs over mTLS supporting its users. Similar to Vault, Keywhiz also supports multiple applications and multi-cloud environments, all without forcing you to jump through hoops to set up a secure secrets management platform.
Last, but certainly not least, we have Microsoft Azure Key Vault. It is a service that integrates the management of secrets—including passwords and strings—into one easy-to-use platform. It also combines secrets management, key management, and certificate management into one platform, so you can organize securing sensitive information using a single tool.
Choosing a Secrets Management Tool
That brings us back to the initial question: which secrets management tool is the best? Vault may be the most platform-agnostic on the list, but tools offered by cloud service providers integrate better into services within the same ecosystem.
Choosing the right tool to use is a matter of finding one that suits your specific requirements (and the requirements of your apps) best. There is no one tool fits all scenario. The insights found in this article though should help as a foundation for identifying the best tool for your apps.
Caylent provides a critical DevOps-as-a-Service function to high growth companies looking for expert support with Kubernetes, cloud security, cloud infrastructure, and CI/CD pipelines. Our managed and consulting services are a more cost-effective option than hiring in-house, and we scale as your team and company grow. Check out some of the use cases, learn how we work with clients, and read more about our DevOps-as-a-Service offering.