AWS Partner Network (APN) Blog

How an investment firm collaborated with HashiCorp and AWS to enhance their secrets management

Bridgewater Associates, based in Westport, CT, is a major investment management firm with more than $150 billion in assets that it manages for a global customer base of pension funds, endowments, foundations, central banks, and national governments. It is also an Amazon Web Services (AWS) customer that we’ve worked closely with over the past year and a half, developing a partnership that helps Bridgewater leverage the tools—and benefits—of the AWS Cloud.

Last December, Bridgewater Systems Engineer Joel Thompson approached us with questions around the features and future roadmap of the GetCallerIdentity API call. He also mentioned work that he was doing with APN Technology Partner HashiCorp to solve the challenge of HashiCorp Vault authentication in scalable and serverless environments.

In their own words, here’s how Joel and HashiCorp Product Manager Andy Manoske describe what happened next.

Joel Thompson, Bridgewater Systems Engineer

Our business requires us to be highly focused on security. For that reason, we’ve been big fans of HashiCorp’s Vault since it was first released. However, we faced the challenge of how to securely authenticate to Vault from various AWS services, such as from Amazon Elastic Compute Cloud (Amazon EC2) instances in an autoscaling group, code running in AWS Lambda (Lambda), and other environments. We were not alone in this either. Many in the financial services industry have long been asking for a solution to this problem.

One of my coworkers proposed a solution that, to work properly, required AWS to add a new API method: a WhoAmI method, which we requested from our AWS Enterprise Support team. Last year, AWS added what was needed — sts:GetCallerIdentity. So, collaborating with the Vault engineering team and consulting with AWS support, the AWS authentication backend in Vault was born, making it easier for AWS customers to secure their cloud-native applications.

Andy Manoske, HashiCorp Product Manager

HashiCorp has created six open-source projects to enable organizations to provision, secure, connect, and run any infrastructure for any application. This is particularly important for organizations that are migrating their workloads to cloud services such as AWS. HashiCorp Vault is one of those projects, providing a focus on securing any infrastructure for any application. Vault provides secrets management, encryption as a service, and a way to enforce privilege and access management.

Vault is an open-source project, with a growing community of contributors, users, and HashiCorp employees collaborating on the features that go into Vault. One example of this was a major enhancement in Vault 0.7.1 to the AWS-Amazon EC2 authentication backend. The enhancement now makes it easy for many different AWS resource types to securely authenticate with Vault. Given the broadened scope of what this backend can now do, it has been renamed to the AWS authentication backend. This backend solved a series of challenges we were seeing within the open-source community and our customer base around securely enabling access to secrets from an AWS-based infrastructure. AWS resources can then access and use the secrets managed by Vault. This includes Lambda functions, Amazon EC2 Container Services jobs, Amazon EC2 instances, or any other client with access to AWS Identity and Access Management credentials; any of these can use those credentials to securely authenticate to Vault to retrieve their secrets.

The AWS authentication backend is an enhancement that was contributed and collaborated on by Joel Thompson at Bridgewater. Through Bridgewater’s use of Vault, Joel recognized a more specific enhancement to the authentication backend and then worked with the HashiCorp Vault engineers to make it a reality.

Through this engagement, which included assistance from AWS Enterprise Support to help them plan and build the solution using best practices and guidance from the AWS Identity service team, Bridgewater and HashiCorp were able to quickly and confidently collaborate on an important Vault feature.
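The mechanism Joel and Andy describe above, as an added example for this page (it is not code from the APN post, from Bridgewater, or from HashiCorp's Vault): a client SigV4-signs a `sts:GetCallerIdentity` request with whatever IAM credentials it holds, hands the signed request (not the credentials) to the Vault AWS auth backend, and Vault replays that request to STS to learn who the caller is. Because only AWS can check the signature, the example also shows the two things a verifier on the Vault side has to do itself: refuse to forward anything that is not a plain `GetCallerIdentity` call to an STS endpoint, and compare the ARN STS reports against the principals bound to the role. The access key, secret, account ID, role names, the `vault.example.com` server ID and the STS reply are all constructed for the example; the exact-body check in `precheck_login` is stricter than Vault's own and is an assumption of this example.

```python
"""Added example: client-side signing of sts:GetCallerIdentity for the Vault
AWS auth backend's IAM method, plus the verifier-side checks before and after
the request is forwarded to STS.  All credentials, ARNs and the STS reply are
constructed for this example; nothing here talks to AWS or to Vault."""
import base64
import hashlib
import hmac
import json
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

STS_BODY = "Action=GetCallerIdentity&Version=2011-06-15"
STS_NS = {"sts": "https://sts.amazonaws.com/doc/2011-06-15/"}


def _hmac(key: bytes, msg: str) -> bytes:
    return hmac.new(key, msg.encode(), hashlib.sha256).digest()


def sign_get_caller_identity(access_key, secret_key, amz_date, session_token=None,
                             server_id=None, region="us-east-1"):
    """SigV4-sign a POST to STS.  Nothing is sent: the signed request is what the
    client gives to Vault, which replays it to STS on the client's behalf."""
    host = "sts.amazonaws.com"
    headers = {"content-type": "application/x-www-form-urlencoded; charset=utf-8",
               "host": host, "x-amz-date": amz_date}
    if session_token:            # temporary credentials (Lambda, instance roles)
        headers["x-amz-security-token"] = session_token
    if server_id:                # signed header that ties the login to one Vault
        headers["x-vault-aws-iam-server-id"] = server_id
    signed_headers = ";".join(sorted(headers))
    canonical_headers = "".join(f"{k}:{headers[k].strip()}\n" for k in sorted(headers))
    canonical_request = "\n".join(["POST", "/", "", canonical_headers, signed_headers,
                                   hashlib.sha256(STS_BODY.encode()).hexdigest()])
    date = amz_date[:8]
    scope = f"{date}/{region}/sts/aws4_request"
    string_to_sign = "\n".join(["AWS4-HMAC-SHA256", amz_date, scope,
                                hashlib.sha256(canonical_request.encode()).hexdigest()])
    key = _hmac(("AWS4" + secret_key).encode(), date)      # kDate
    for part in (region, "sts", "aws4_request"):           # kRegion, kService, kSigning
        key = _hmac(key, part)
    signature = hmac.new(key, string_to_sign.encode(), hashlib.sha256).hexdigest()
    headers["authorization"] = (f"AWS4-HMAC-SHA256 Credential={access_key}/{scope}, "
                                f"SignedHeaders={signed_headers}, Signature={signature}")
    return {"method": "POST", "url": f"https://{host}/", "body": STS_BODY, "headers": headers}


def vault_login_payload(signed, role):
    """Login body in the shape the backend's IAM method takes: each part of the
    signed request base64-encoded, plus the Vault role being logged in to."""
    b64 = lambda s: base64.b64encode(s.encode()).decode()
    return {"role": role, "iam_http_request_method": signed["method"],
            "iam_request_url": b64(signed["url"]), "iam_request_body": b64(signed["body"]),
            "iam_request_headers": b64(json.dumps(signed["headers"]))}


def precheck_login(payload, allowed_hosts, expected_server_id=None):
    """Verifier-side checks made *before* replaying the request, so the login
    endpoint cannot be used as a signed-request proxy for other AWS calls or
    replayed from a capture against a different Vault."""
    decode = lambda s: base64.b64decode(s).decode()
    if payload["iam_http_request_method"] != "POST":
        return False, "method must be POST"
    url = urlparse(decode(payload["iam_request_url"]))
    if url.scheme != "https" or url.hostname not in allowed_hosts:
        return False, f"refusing to forward to {url.hostname}"
    if decode(payload["iam_request_body"]) != STS_BODY:     # stricter than Vault's own check
        return False, "body must be exactly a GetCallerIdentity call"
    headers = json.loads(decode(payload["iam_request_headers"]))
    if expected_server_id is not None:
        if headers.get("x-vault-aws-iam-server-id") != expected_server_id:
            return False, "server id header missing or for another Vault"
        signed = headers.get("authorization", "").partition("SignedHeaders=")[2].split(",")[0]
        if "x-vault-aws-iam-server-id" not in signed.split(";"):
            return False, "server id header present but not covered by the signature"
    return True, "ok"


def caller_from_sts_response(xml_text):
    """Parse the GetCallerIdentity reply STS returns for the replayed request."""
    result = ET.fromstring(xml_text).find("sts:GetCallerIdentityResult", STS_NS)
    return {tag: result.find(f"sts:{tag}", STS_NS).text for tag in ("Arn", "UserId", "Account")}


def canonical_principal(arn):
    """STS reports an assumed-role ARN for Lambda/EC2 sessions; map it back to
    the IAM role ARN an operator would bind the Vault role to."""
    parts = arn.split(":", 5)
    if len(parts) == 6 and parts[2] == "sts" and parts[5].startswith("assumed-role/"):
        return f"arn:aws:iam::{parts[4]}:role/{parts[5].split('/')[1]}"
    return arn


def authorize(caller, bound_principal_arns):
    return canonical_principal(caller["Arn"]) in bound_principal_arns


# Constructed STS reply for a Lambda session of role app-lambda-role.
SAMPLE_STS_RESPONSE = """<GetCallerIdentityResponse xmlns="https://sts.amazonaws.com/doc/2011-06-15/">
  <GetCallerIdentityResult>
    <Arn>arn:aws:sts::123456789012:assumed-role/app-lambda-role/app</Arn>
    <UserId>AROAEXAMPLEID:app</UserId>
    <Account>123456789012</Account>
  </GetCallerIdentityResult>
  <ResponseMetadata><RequestId>00000000-0000-0000-0000-000000000000</RequestId></ResponseMetadata>
</GetCallerIdentityResponse>"""

if __name__ == "__main__":
    signed = sign_get_caller_identity("AKIDEXAMPLE", "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY",
                                      "20170501T120000Z", server_id="vault.example.com")
    payload = vault_login_payload(signed, "app")
    print(precheck_login(payload, {"sts.amazonaws.com"}, "vault.example.com"))
    caller = caller_from_sts_response(SAMPLE_STS_RESPONSE)
    print(caller["Arn"], authorize(caller, {"arn:aws:iam::123456789012:role/app-lambda-role"}))
```

The point a practitioner should take from the split is that the secret key never leaves the client: what Vault receives is a short-lived signature over a request it can only have answered by STS. That is also why the pre-checks matter. The login endpoint replays an attacker-supplied URL and body, so it must pin the host to an STS endpoint and the action to `GetCallerIdentity`, and the `X-Vault-AWS-IAM-Server-ID` header only helps if it is inside the signed header set, which is why the check reads `SignedHeaders` rather than trusting the header's presence.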

To learn more about the collaboration, read Joel’s post on the HashiCorp blog. And go here to learn more about how AWS Enterprise Support can help your organization.