1. Docs
  2. Pulumi ESC
  3. Compare to...
  4. Pulumi ESC vs HashiCorp Vault

Pulumi ESC vs HashiCorp Vault

    Choosing the right secrets management tool is important, and we want you to have as much information as possible to make the choice that best suits your needs. We’ve created this document to help you understand how Pulumi ESC compares with HashiCorp Vault, and how ESC and Vault can be used together.

    What is HashiCorp Vault?

    HashiCorp Vault is a secrets management tool that provides a centralized platform for managing and controlling access to secrets. It supports dynamic secret generation, encryption as a service, and comprehensive access policies.

    Pulumi ESC vs. Vault: Similarities

    Like Vault, Pulumi ESC is a secrets manager for cloud applications and infrastructure. In both ESC and Vault, secrets can be stored and accessed through a CLI, SDK, or editor interface. Granular access controls can be implemented across all secrets.

    Pulumi ESC vs. Vault: Key Differences

    There are a couple of fundamental differences between Vault and Pulumi ESC. First, ESC and Vault differ in that Vault is not open source, using the Business Source License model. In contrast, ESC is fully open source and Apache 2.0 licensed. Second, Vault only stores secrets, whereas ESC stores environments, secrets, and configurations. Third, ESC provides composability of collections of secrets and configuration. Environments can be composed together from multiple other environments, enabling easy inheritance of shared configuration.

    Pulumi ESC and Vault: Better Together

    While there are differences and similarities between Pulumi ESC and Vault, they can actually be used together for a more powerful experience to store and manage infrastructure and application secrets. ESC environments can reference secrets stored in Vault. Through ESC, secrets in Vault can be organized as collections of secrets that can be versioned, branched, and composed inside other collections. With ESC, non-secret configuration can be stored alongside secrets in Vault. ESC enhances Vault, and they work better together.

    Here is a summary of the key differences between Pulumi ESC and HashiCorp Vault:

    FeaturePulumi ESCVault
    Architecture
    OSS LicenseYes, Apache License 2.0No, Business Source License 1.1
    Hosting/managementFully-managed SaaS service provided by Pulumi CloudOffers hosted cloud service and self-hosting, which requires significant management overhead
    Key-value StoreYesYes
    Open EcosystemYes, supports pulling and using secrets from multiple sources including HashiCorp Vault, 1Password, AWS Secrets Manager, etc.No, can only store and manage secrets store in Vault
    Developer Experience
    Editing and AuthoringYes, supports both GUI and powerful Document Editor with autocomplete, docs hover, and error checkingLimited, has a JSON editor
    CLIYes, available as esc CLI or pulumi CLI. Supports injecting application secrets as environment variables and modifying secrets.Limited, has a CLI but lacks the capabilities of injecting secrets as environment variables. The CLI is for modifying secrets only.
    Client SDKsYesYes
    Declarative ProviderYes, support via the Pulumi Service Provider, which allows management (create, update, delete) of collections of secrets and configuration as a resource through infrastructure as code.No
    ComposabilityYes, simple set up of hierarchical environments that inherit values from imported environmentsNo, users have to create the structure themselves
    VersioningYes, entire environments can be versioned and tagged and imported based on the specific version tags or revision numbersLimited, secrets are individually versioned
    Values Can Be of Type Secret and PlaintextYesNo, values can only be secrets
    Ability to See Existing SecretsYesNo
    Secret ReferencingYes, environments can import secrets from another environment. Secrets updated from the referenced environment will automatically propagate to downstream environmentsNo
    Interpolate Values from Other ValuesYes, new dynamic values can be constructed through string interpolationNo
    Branching / Personal ConfigsYes, environments can be forked for testing without rewriting entire environments and overriding specific valuesNo
    Compare Secrets across EnvironmentNoNo
    In-built FunctionsYes, support for functions like toJSON, fromJSON, fromBase64, toString allows data manipulation for any scenarioNo
    Security and Compliance
    Audit LogsYesYes
    Encrypted Secrets StorageYes, TLS is used for encryption in transit and unique encryption keys per environment are employed for encryption at rest.Yes, Vault uses a security barrier for all requests made to the backend. The security barrier automatically encrypts all data leaving Vault using a 256-bit Advanced Encryption Standard (AES) cipher in the Galois Counter Mode (GCM) with 96-bit nonces.
    Access ControlsYesYes
    Secure Dynamic Cloud Provider CredentialsYes, uses OIDC flows to generate dynamic credentials. Available for AWS, Azure, and Google Cloud.Limited, requires the usage of root account keys. Only available for AWS.
    OIDC ProviderYes, Pulumi Cloud can be used as an OIDC provider from the Pulumi SDK, CLI, UI, and pulumi-service provider.Limited, configuring Vault as an OIDC provider is only available from the CLI

    Get Started with Pulumi

    Use Pulumi ESC to easily centralize and manage environments, secrets, and configurations. Follow our Get Started guide for ESC to begin. If you want to use Vault or any other secrets manager with ESC, follow the below guides to import secrets from existing secrets managers into ESC environments.

    AWS
    Azure
    Google Cloud
    Vault
      PulumiUP 2024. Watch On Demand.