Vault Secrets Management
Vault Secrets Management provides a secure way to store and manage database credentials, API tokens and other sensitive application information in the B.C. Government Private Cloud PaaS.
What is Vault
HashiCorp Vault is a secrets management tool that lets you securely store, manage and access application secrets. A secret is anything that you want to tightly control access to, such as API keys, passwords or certificates.
Store your secrets in a secure central location and easily add or change access controls. Vault also keeps a detailed audit log, which tracks every authenticated interaction with Vault, including errors.
This implementation of Vault is deployed redundantly. The primary Vault instance runs in the Gold OpenShift cluster in the Kamloops data centre. The Vault disaster recovery instance is deployed in the Calgary data centre. The key to recover the Vault service is stored in a secure space in Microsoft Azure.
Vault is considered a business mission critical platform service and has 24/7 support.
Vault or Kubernetes Secrets
Vault Secrets Management service is based on the HashiCorp Vault product.
You also have the option to use Kubernetes Secrets backed by etcd, but we recommend that you only use Kubernetes Secrets to store information that isn’t sensitive.
Benefits
Take advantage of Vault features and functionality to efficiently store and manage secrets.
Safely store secrets
You can store data including keys, configuration files and other pieces of sensitive information in Vault. As an added precaution, Vault automatically encrypts these secrets before putting them in storage. This means that even if someone gains access to the storage area, they won’t have access to your secrets.
Generate secrets dynamically
On some supported systems, Vault can generate secrets on-demand.
When an application needs to access a database, it’ll ask Vault for credentials. If the system is compatible with dynamic secrets, Vault will generate a key with the required permission on demand. After the secret is used, Vault will automatically revoke the key so it can’t be used again.
Encrypt data
Vault can encrypt and decrypt data without storing it. This lets security teams define encryption parameters and lets developers store encrypted data, without them having to design their own encryption methods.
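The following Python script is an added example of how an application works with the transit pattern described above. It is not code from the Private Cloud PaaS team or from HashiCorp. It relies on documented Vault transit behaviour (base64 plaintext in, a versioned ciphertext of the form vault:v<N>:<base64> out, and a rewrap endpoint that moves old ciphertext to the newest key version without exposing the plaintext); the key name app-data, the request paths being built rather than sent, and the stored ciphertexts are constructed so that it runs offline.

```python
"""Application-side handling of Vault transit ciphertext (added example;
not code from the Private Cloud PaaS team or HashiCorp).

Vault behaviour relied on: POST /v1/transit/encrypt/<key> takes base64
plaintext and returns "vault:v<N>:<base64>" where N is the key version;
POST /v1/transit/decrypt/<key> returns base64 plaintext;
POST /v1/transit/rewrap/<key> accepts batch_input and re-encrypts under the
newest key version. Requests are built here, never sent (assumption).
"""
import base64
import json
import re
from typing import Optional

CIPHERTEXT_RE = re.compile(r"^vault:v(\d+):(.+)$")


def encrypt_request(key_name: str, plaintext: bytes) -> tuple:
    """Build the encrypt call. Transit only accepts base64 plaintext, and the
    application never holds key material; it only sends the bytes."""
    body = {"plaintext": base64.b64encode(plaintext).decode("ascii")}
    return f"/v1/transit/encrypt/{key_name}", body


def decrypt_response_plaintext(response_body: str) -> bytes:
    """Decrypt responses carry base64 plaintext that must be decoded."""
    return base64.b64decode(json.loads(response_body)["data"]["plaintext"])


def ciphertext_version(ciphertext: str) -> int:
    """Key version is embedded in the ciphertext prefix; anything else is
    not transit output and should be rejected rather than passed along."""
    m = CIPHERTEXT_RE.match(ciphertext)
    if not m:
        raise ValueError("not a transit ciphertext")
    return int(m.group(1))


def rewrap_request(key_name: str, stored: list, latest_version: int) -> Optional[tuple]:
    """After a key rotation, find ciphertexts under older key versions and
    build one batch rewrap call for them. Returns None when nothing is stale."""
    stale = [c for c in stored if ciphertext_version(c) < latest_version]
    if not stale:
        return None
    body = {"batch_input": [{"ciphertext": c} for c in stale]}
    return f"/v1/transit/rewrap/{key_name}", body


# Constructed sample: three ciphertexts as they might sit in an application
# table after the app-data key was rotated from v1 to v2.
STORED = [
    "vault:v1:Q09OU1RSVUNURUQx",
    "vault:v2:Q09OU1RSVUNURUQy",
    "vault:v1:Q09OU1RSVUNURUQz",
]


if __name__ == "__main__":
    print(encrypt_request("app-data", b"hello"))
    print(rewrap_request("app-data", STORED, latest_version=2))
```

Storing the version with the ciphertext is what lets a team rotate the transit key on its own schedule and then sweep old rows with rewrap, instead of decrypting and re-encrypting in the application.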
Automatically revoke secrets
Every secret stored in Vault has a lease associated with it. Vault will automatically revoke a secret when its lease expires, so it can no longer be accessed or used. You can customize the service to revoke individual secrets or groups of secrets, for example, all secrets read by a specific user.
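The following Python script is an added example that walks through the lease lifecycle described in the "Generate secrets dynamically" and "Automatically revoke secrets" sections above. It is not code from the Private Cloud PaaS team or from HashiCorp. The response shape (lease_id, lease_duration, renewable, data) and the paths sys/leases/renew, sys/leases/revoke and sys/leases/revoke-prefix/<prefix> are documented Vault behaviour; the role names app-ro and app-rw, the sample response, and the in-memory LeaseTable standing in for the server are constructed so the script runs offline.

```python
"""Lease lifecycle of a Vault dynamic database credential (added example;
not code from the Private Cloud PaaS team or HashiCorp).

Real Vault behaviour: reading database/creds/<role> returns credentials
plus a lease_id, a lease_duration in seconds and a renewable flag. Leases
are renewed and revoked through sys/leases/*. The HTTP calls are built but
not sent, and LeaseTable is an in-memory model of the server (assumption).
"""
import json
from dataclasses import dataclass

# Constructed sample of a response to GET /v1/database/creds/app-ro.
SAMPLE_CREDS_RESPONSE = json.dumps({
    "request_id": "00000000-0000-0000-0000-000000000000",  # placeholder
    "lease_id": "database/creds/app-ro/AbCdEf0123",         # constructed
    "renewable": True,
    "lease_duration": 3600,
    "data": {"username": "v-token-app-ro-xyz", "password": "constructed-password"},
})


@dataclass
class Lease:
    lease_id: str
    issued_at: float
    ttl: int
    renewable: bool
    revoked: bool = False

    def expires_at(self) -> float:
        return self.issued_at + self.ttl

    def is_valid(self, now: float) -> bool:
        return not self.revoked and now < self.expires_at()


def parse_lease(response_body: str, now: float):
    """Split a creds response into the lease to track and the credentials to use."""
    body = json.loads(response_body)
    lease = Lease(body["lease_id"], now, int(body["lease_duration"]), bool(body["renewable"]))
    return lease, body["data"]


def renew_request(lease: Lease, increment: int):
    """Path and body for extending a lease; non-renewable leases cannot be extended."""
    if not lease.renewable:
        raise ValueError(f"lease {lease.lease_id} is not renewable")
    return "/v1/sys/leases/renew", {"lease_id": lease.lease_id, "increment": increment}


def revoke_request(lease_id: str):
    return "/v1/sys/leases/revoke", {"lease_id": lease_id}


def revoke_prefix_path(prefix: str) -> str:
    """Revoking a prefix drops every lease under it, e.g. all creds one role issued."""
    return f"/v1/sys/leases/revoke-prefix/{prefix}"


class LeaseTable:
    """Model of Vault's server-side lease handling (assumption, for offline use)."""

    def __init__(self):
        self.leases = {}

    def add(self, lease: Lease):
        self.leases[lease.lease_id] = lease

    def expire(self, now: float):
        """Automatic revocation: any lease past its TTL is revoked."""
        expired = [l.lease_id for l in self.leases.values()
                   if not l.revoked and now >= l.expires_at()]
        for lid in expired:
            self.leases[lid].revoked = True
        return expired

    def revoke_prefix(self, prefix: str):
        hit = [lid for lid, l in self.leases.items() if lid.startswith(prefix) and not l.revoked]
        for lid in hit:
            self.leases[lid].revoked = True
        return hit

    def renew(self, lease_id: str, increment: int, now: float) -> bool:
        lease = self.leases[lease_id]
        if lease.revoked or not lease.renewable:
            return False
        lease.issued_at, lease.ttl = now, increment
        return True


def demo():
    t0 = 1_700_000_000.0
    table = LeaseTable()
    ro, creds = parse_lease(SAMPLE_CREDS_RESPONSE, t0)
    table.add(ro)
    rw = Lease("database/creds/app-rw/ZyXwVu9876", t0, 1800, True)  # constructed second role
    table.add(rw)
    table.expire(t0 + 600)                       # 10 min in: nothing expired yet
    table.renew(ro.lease_id, 3600, t0 + 600)     # app keeps its read-only creds alive
    auto = table.expire(t0 + 2400)               # 40 min in: the 30 min rw lease is gone
    manual = table.revoke_prefix("database/creds/app-ro")  # operator pulls all app-ro creds
    return {"auto_revoked": auto, "prefix_revoked": manual,
            "ro_valid": ro.is_valid(t0 + 2400), "rw_valid": rw.is_valid(t0 + 2400)}


if __name__ == "__main__":
    print(demo())
```

The point to take from the model is that the application has to treat the credential and its lease as one unit: renew before expires_at or expect the database login to stop working, and expect that an operator can revoke a whole prefix at any time.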
Who can use it
Any project provisioned in the Silver or Gold hosting tier is automatically provisioned with 2 Vault accounts: production and non-production.
Account access
The technical leads associated with your project in the Platform Product Registry are the only people who have access to manage your secrets in Vault.
If a technical lead associated with your project changes, remove the old name from the registry and add the new lead’s name, if applicable. A technical lead will lose access to the project secrets in Vault as soon as their name is removed from the project record. A newly added technical lead will receive edit access to the project secrets in Vault as soon as their contact information is added to the project record in the registry.
When to use it
As soon as your project’s provisioned on the platform, anyone on your team can access the 2 Vault accounts that are automatically created for your project. Anyone on your team can access and view these accounts, but only project technical leads can create, change or delete application secrets.
We recommend that you start storing your secrets in Vault as early in the application development lifecycle as possible.
Where to get support
Rocket.Chat is the main communication channel for platform service support.
- For best practices, configuration and troubleshooting questions, use the #devops-vault channel
- For urgent support, contact us on the #devops-sos channel
- For cluster-wide service notifications that may impact Vault availability, check the #devops-alerts channel
Vault Secrets Management is a business mission critical platform service with 24/7 support. If the tool is not functioning properly, you can report an incident. For additional assistance, you can visit the platform support page.
Technical documentation
Learn how to access your Vault account, how to store and revoke secrets and more.
Go to the technical documentation for Vault.
Availability
- Uptime SLA: 99.9% uptime in 30 continuous days (allowing 44 minutes of downtime in past 30 days)
- Response Time SLA: Responses within 2 seconds
Security reviews
Privacy Impact Assessment (PIA) and Security Threat Risk Assessment (STRA) have been completed for Vault. Send a request to PlatformServicesTeam@gov.bc.ca to access these assessments.