HashiCorp Vault – công cụ quản lý bí mật chủ chốt cho DevSecOps. Lưu trữ, mã hoá, tạo bí mật động, kiểm soát truy cập theo vai trò, quay vòng tự động và ghi log audit. Tích hợp dễ dàng vào CI/CD và các nền tảng cloud. Phiên bản Community mở nguồn, Enterprise có tính năng nâng cao. #HashiCorp #Vault #DevSecOps #Security #SecretsManagement #DevOps #Cloud #OpenSource #CôngNghệ #BảoMật
https://dev.to/haresh_511/hashicorp-vault-a-core-security-tool-in-devsecops-133m
Terraformで作業がちょっと楽になる小技(compact / for_each / ignore_changes)
https://qiita.com/y-otake/items/1a8f2dfa94317edc2b4d?utm_campaign=popular_items&utm_medium=feed&utm_source=popular_items
#qiita #IaC #Terraform #Hashicorp #Infrastructure_as_code #GoogleCloud
Really annoyed that with #Hashicorp/ #IBM's rogue licensing change, it has killed all interest I had in exploring #Nomad as an alternative to #Kubernetes. It had so much promise. Also, #Consul.
Our company is setting up a #HashiCorp #Vault cluster in #Azure. It's currently set up to use #KeyVault auto-unseal.
Our SOP for restoring the cluster in case of data corruption or failure is to shut down Vault and delete the data on all the instances, reinitialize on one instance, download a snapshot from Azure Storage to that instance, restore that snapshot with quorum forcing, and bring the other instances back online.
#SRE #DevOps #DevSecOps (1/3)
#KubeCon isn't the only conference going on this week -- there's also the Technology Business Management (TBM) Council conference (#TBMC25) in Miami, where Apptio, is publicizing its latest collaboration with #HashiCorp, #Cloudability Governance.
This tool, also demonstrated during #HashiConf, injects #FinOps tagging and policy guardrails using #Terraform run tasks, and feeds #IaC data back into the Cloudability UI for monitoring. And there's more to come with Project infragraph. https://www.techtarget.com/searchitoperations/news/366634306/IBM-Apptio-deepens-FinOps-ties-with-HashiCorp-Terraform
Immerhin, was Preise angeht passt #hashicorp ja prima zu IBM. Wie schaut es mit dem Support aus? Ist der von IBM auch vollkommen nutzlos (d.h. Microsoft approved)?
Die Release Quality der letzten Hashicorp Vault Releases lässt darauf schließen das jetzt Anwälte und Vertriebler das Testing der Software machen.
Beispiel: https://github.com/hashicorp/vault/issues/31606
Seit 2 Wochen im neuen Release leere KV Stores im Dashboard, Daten sind aber noch da (z.b. per API).
[Перевод] Terraform Actions: Глубокое погружение
Terraform Actions — это новая концепция, представленная в Terraform 1.14, которая позволяет выполнять операции вне стандартного рабочего процесса CRUD (Create-Read-Update-Delete). Это расширяет возможности Terraform, позволяя взаимодействовать с ресурсами способами, для которых раньше требовались другие инструменты, например Ansible.
https://habr.com/ru/articles/956966/
#terraform #terraform_actions #iac #infrastructure_as_code #aws #devops #hashicorp
#IBM and #HashiCorp's #AI roadmap includes Project Infragraph, which will link together infrastructure automation data for #AIagents. Details on that and more hints about AI strategy from #HashiConf: https://www.techtarget.com/searchitoperations/news/366632006/IBM-HashiCorp-AI-roadmap-takes-shape-at-HashiConf
#HashiCorp #Terraform actions will expand the #infrastructureascode tool's purview into new areas of automation, and deepen integration with #eventdriven #Ansible. #HashiConf https://www.techtarget.com/searchitoperations/news/366632000/HashiCorp-Terraform-actions-adds-Day-2-ops-Ansible-ties
Spoke to soon. Making the agent-string change allowed the local running of Sphinx to work, but the run executed from #GitHub failed. Going to guess that #Hashicorp has blacklisted GitHub IPs.
We've supported .env integration for managing secrets, but it has several issues:
Apps are disconnected from their secrets - applications lack a clear contract about which secrets they need
Parsing .env is unclear - comments, multiline values, and special characters all have ambiguous behavior across different parsers
Password manager integration is difficult - requiring manual copy-paste or template workarounds
Vendor lock-in - applications use custom parsing logic, making it hard to switch providers
No encryption - .env files are stored as plain text, vulnerable to accidental commits or unauthorized access
solutions like dotenvx to encrypt .env files or sops for general secret encryption, these bring new challenges:
Single key management - requires distributing and managing a master key
Trust requirements - everyone with the key can decrypt all secrets
Rotation complexity - departing team members require key rotation and re-encrypting all secrets
Larger teams often adopt solutions like #OpenBao (the open source fork of #HashiCorp Vault), requiring significant infrastructure and operational overhead. Smaller teams face a gap between simple .env files and complex enterprise solution
What if instead of choosing one tool, we declared secrets uniformly and let each environment use its best provider?
#devenv
https://devenv.sh/blog/2025/07/21/announcing-secretspec-declarative-secrets-management/
Migrate your Terraform configurations from the AzAPI provider to the AzureRM provider ➡️ https://mattias.engineer/blog/2025/migrate-azapi-to-azurerm/
Wiele podatności w HashiCorp Vault
HashiCorp Vault to popularne, otwartoźródłowe narzędzie do zarządzania poufnymi danymi, takimi jak klucze API, certyfikaty, hasła czy tokeny. Z racji przechowywanych danych, Vault jest cennym celem dla włamywaczy – uzyskanie dostępu do Vault pozwala na dostęp do wszystkich usług, do których sekrety są w nim przechowywane. TLDR: Badacze z firmy Cyata...
There’s a series of vulnerabilities, including CRITICAL and HIGH, published for #HashiCorp #Vault
#Vault: Cracking the Vault: how we found zero-day vulnerabilities (including #RCE) in authentication, identity, and authorization in #HashiCorp Vault.
Some existed for nearly a decade!
Great research by @teamcyata
👇
https://cyata.ai/blog/cracking-the-vault-how-we-found-zero-day-flaws-in-authentication-identity-and-authorization-in-hashicorp-vault/
A nice series of inspiring logic #bugs! I somewhat pioneered timing leaks and it doesn’t surprise me at all that they are still around and kicking by the way ⏱️
Cracking the Vault: how we found zero-day flaws in authentication, identity, and authorization in #HashiCorp Vault
"Cracking the Vault: how we found zero-day flaws in authentication, identity, and authorization in HashiCorp Vault"
🌘 研究人員揭露熱門企業憑證庫中的遠端程式碼執行攻擊鏈
➤ 潛藏的危機:開源憑證庫淪為攻擊者的跳板
✤ https://www.csoonline.com/article/4035274/researchers-uncover-rce-attack-chains-in-popular-enterprise-credential-vaults.html
Cyata 的研究人員在廣受企業採用的開源憑證管理系統 HashiCorp Vault 和 CyberArk Conjur 中發現了 14 項邏輯漏洞。這些漏洞允許攻擊者繞過身份驗證、存取敏感資訊、冒充身份,甚至能執行任意程式碼,對企業的關鍵基礎設施構成嚴重威脅。研究人員的發現已向廠商負責任地揭露並獲得修補。
+ 這篇報導實在太重要了!我們企業也使用這些工具,必須趕緊檢查更新。
+ 看到這些進階的攻擊手法,真是令人擔憂,信任模型如果崩潰,後果不堪設想。
#資安 #漏洞 #憑證管理 #HashiCorp Vault #CyberArk Conjur #遠端程式碼執行 (RCE)
🌘 破解保險庫:如何在 HashiCorp Vault 的認證、身分和授權中發現零日漏洞
➤ 揭示信任基石的脆弱性:從使用者認證到核心邏輯的深度剖析
✤ https://cyata.ai/blog/cracking-the-vault-how-we-found-zero-day-flaws-in-authentication-identity-and-authorization-in-hashicorp-vault/
Cyata 的研究團隊深入挖掘了廣泛使用的 HashiCorp Vault,發現了九個零日漏洞,這些漏洞繞過了鎖定機制、規避了策略檢查,甚至允許遠端程式碼執行(RCE),潛在導致系統完全被接管。這些漏洞並非源於記憶體損壞,而是核心認證、身分和策略強制執行層面的細微邏輯缺陷,部分已潛藏近十年。研究團隊透過嚴謹的手動程式碼審查和類比攻擊者的思維,識別了這些影響 Vault 開源和企業版本的關鍵弱點。
+ 這真是令人警惕的消息!Vault 作為信任模型的核心,竟然存在如此長期的潛在風險,幸好 Cyata
#網路安全 #漏洞研究 #HashiCorp Vault #零日漏洞
@rustconf Hey I know the guy in the photo with the New Relic "Carpe Datum" shirt and HashiCorp backpack!
