Hey There!
Wanted to ask about Vault Replication vs Vault Agents.
Instead of setting up multiple Vault clusters with replication between each one, there is also the Vault Agent, which appears to be akin to a Vault proxy, if you will, that applications can authenticate against and get secrets via; however, it doesn't store all the secrets itself.
I understand the benefits of using replication for backup, redundancy, load distribution and locality purposes. However:
1 - Would not the Vault Agent provide this as well, to an extent? For example, containerize the Vault Agent, deploy it to a public cloud service, yet have it connect to an on-prem Vault cluster that is replicated between multiple on-prem DCs?
2 - Reduced attack vector. Instead of having Vault cluster copies, and consequently copies of all the secrets, spread between clouds (for example AWS, GCP or Azure), on-prem or whatnot, access to Vault could be restricted to just the agents.
3 - Less secret passing over the wire. Vault clusters, when synchronized together, would have to synchronize all secrets between them, which inevitably means passing secrets over the wire. I'm thinking Vault Agents would reduce this?
4 - Reduce the replication caveats in general, preventing unnecessary maintenance.
5 - Reduced risk from a cloud compromise. If a site with agents is compromised, but that area only has Vault Agents, which don't themselves keep secrets, I'd imagine that would be a lot more secure than having a replicated Vault in the same space instead.
Cheers,
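As an added illustration (not part of the original post, and not HashiCorp's own configuration), here is what the deployment described above could look like as a Vault Agent config: an agent running in a cloud environment that authenticates with AppRole to an on-prem cluster, keeps only its own token in a local file sink, caches and renews leases for applications behind a loopback listener, and renders one secret to a file. The cluster address, mount path, file paths and the `database/creds/app` secret path are assumptions for the example.

```hcl
# Added example configuration for a Vault Agent running in a public cloud
# while the Vault cluster itself stays on-prem. All addresses and paths are
# assumed values, not from the original post.

pid_file = "/run/vault-agent/pid"

vault {
  # Assumed on-prem cluster address reachable from the cloud environment.
  # Only this agent-to-Vault path needs to be allowed through the network.
  address = "https://vault.internal.example.com:8200"
}

auto_auth {
  # The agent authenticates with AppRole; the cluster-side policy bound to
  # this role limits what the agent (and anything behind it) can ever read.
  method "approle" {
    mount_path = "auth/approle"
    config = {
      role_id_file_path   = "/etc/vault-agent/role_id"
      secret_id_file_path = "/etc/vault-agent/secret_id"
      # Remove the one-time secret_id from disk after first use so a later
      # host compromise does not yield a reusable credential.
      remove_secret_id_file_after_reading = true
    }
  }

  # The only long-lived credential held locally is the agent's own token.
  sink "file" {
    config = {
      path = "/run/vault-agent/token"
    }
  }
}

# Local cache: applications talk to 127.0.0.1:8100, the agent attaches its
# token and forwards to the on-prem cluster, caching and renewing leases.
cache {
  use_auto_auth_token = true
}

listener "tcp" {
  address     = "127.0.0.1:8100"
  tls_disable = true   # loopback only; never expose this listener off-host
}

# Optional: render a single dynamic credential to a file for an app that
# cannot call the Vault API itself. Only what is templated lands on disk.
template {
  destination = "/run/secrets/db.env"
  perms       = 0600
  contents    = <<EOT
{{ with secret "database/creds/app" -}}
DB_USER={{ .Data.username }}
DB_PASS={{ .Data.password }}
{{- end }}
EOT
}
```

Started with `vault agent -config=agent.hcl`, this agent holds only its AppRole token and the secrets its templates explicitly render, which is what point 5 above relies on; what a compromised agent host can reach is then bounded by the policy attached to the AppRole on the on-prem cluster rather than by the full secret store.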