Recommended end-user access patterns

I have just started experimenting with Vault and am currently using HCP as it seemed the easiest way to get started. While it’s just been me I’ve been using the public endpoint but that is something we want to disable and I haven’t found a whole lot about how one might go about securely exposing this to my developers. I could use a VPN but I’ve been trying to move away from the need for one. Boundary looked like it might be a solution here but I don’t see a good way to actually do this. Ultimately I have multiple teams across multiple orgs each spanning multiple AWS Accounts and Vault + Boundary seems like it could provide a lot of benefits to our use case, just having trouble wrapping my head around it all. Am I thinking about this completely wrong?

You can always have “more” security, but the question really is what are you trying to protect against?

It’s already HTTPS/SSL so the tunnel is encrypted. As long as the developers don’t skip SSL verification or use a low level TLS there shouldn’t be an issue with leakage on a normal basis.

Currently I don’t intend to waste any time on it as there is plenty of other things for me to do so the public endpoint will remain for the time being. I guess I’m just trying to gauge how others are approaching this, does everyone just ignore the recommendations everywhere about running a public endpoint in production?

That’s one of the trade-offs for using any cloud SaaS.

Not one to just accept that, I think I have a decent solution in mind, each cluster will have access, looks like I can provide cluster access via Boundary and proxy to Vault through a cluster given that devs should already be connected to one. Just kinda surprised there’s not more info on this topic

We are ramping up your HCP Vault setup into a production (will be out in months). No public endpoints will be available.

For users, we have two approaches at the moment: as we use AWS and AWS SSO, it’s actually quite convenient to rollout the AWS Client VPN to our devs - when direct HCP Vault access is needed (and the AWS VPC has been just peered to HCP HVN). We’re also planning to offer a second solution - a very much simplified UI as part of a developer portal where devs could manage their secrets directly without thinking of accessing HCP Vault using the VPN (as, the thing is, Vault’s UI is not the most comfortable UI for devs - let’s face it).

We haven’t looked into Boundary yet - but - as it’s something that Hashicorp is not yet offering as service in HCP (not enough maturity yet?) - we’re not that interested. Boundary will be a product we’ll be looking for at some point - we especially like the interplay between Boundary and Vault.

By the way - I recommend to watch this one: Vision for HCP Vault Roadmap Session - YouTube - they mention e.g. multiple times that they are working on having support for AWS PrivateLink for accessing HCP Vault from AWS environments (no need to peer / Transit GW) or so. This would be excellent for any AWS customer. Superconvenient.