Pulumi ESC vs HashiCorp Vault
Choosing the right secrets management tool is important, and we want you to have as much information as possible to make the choice that best suits your needs. We’ve created this document to help you understand how Pulumi ESC compares with HashiCorp Vault, and how ESC and Vault can be used together.
What is HashiCorp Vault?
HashiCorp Vault is a secrets management tool that provides a centralized platform for managing and controlling access to secrets. It supports dynamic secret generation, encryption as a service, and comprehensive access policies.
Pulumi ESC vs. Vault: Similarities
Like Vault, Pulumi ESC is a secrets manager for cloud applications and infrastructure. In both ESC and Vault, secrets can be stored and accessed through a CLI, SDK, or editor interface. Granular access controls can be implemented across all secrets.
Pulumi ESC vs. Vault: Key Differences
There are a couple of fundamental differences between Vault and Pulumi ESC. First, ESC and Vault differ in that Vault is not open source, using the Business Source License model. In contrast, ESC is fully open source and Apache 2.0 licensed. Second, Vault only stores secrets, whereas ESC stores environments, secrets, and configurations. Third, ESC provides composability of collections of secrets and configuration. Environments can be composed together from multiple other environments, enabling easy inheritance of shared configuration.
Pulumi ESC and Vault: Better Together
While there are differences and similarities between Pulumi ESC and Vault, they can actually be used together for a more powerful experience to store and manage infrastructure and application secrets. ESC environments can reference secrets stored in Vault. Through ESC, secrets in Vault can be organized as collections of secrets that can be versioned, branched, and composed inside other collections. With ESC, non-secret configuration can be stored alongside secrets in Vault. ESC enhances Vault, and they work better together.
Here is a summary of the key differences between Pulumi ESC and HashiCorp Vault:
Feature | Pulumi ESC | Vault |
---|---|---|
Architecture | ||
OSS License | Yes, Apache License 2.0 | No, Business Source License 1.1 |
Hosting/management | Fully-managed SaaS service provided by Pulumi Cloud | Offers hosted cloud service and self-hosting, which requires significant management overhead |
Key-value Store | Yes | Yes |
Open Ecosystem | Yes, supports pulling and using secrets from multiple sources including HashiCorp Vault, 1Password, AWS Secrets Manager, etc. | No, can only store and manage secrets store in Vault |
Developer Experience | ||
Editing and Authoring | Yes, supports both GUI and powerful Document Editor with autocomplete, docs hover, and error checking | Limited, has a JSON editor |
CLI | Yes, available as esc CLI or pulumi CLI. Supports injecting application secrets as environment variables and modifying secrets. | Limited, has a CLI but lacks the capabilities of injecting secrets as environment variables. The CLI is for modifying secrets only. |
Client SDKs | Yes | Yes |
Declarative Provider | Yes, support via the Pulumi Service Provider, which allows management (create, update, delete) of collections of secrets and configuration as a resource through infrastructure as code. | No |
Composability | Yes, simple set up of hierarchical environments that inherit values from imported environments | No, users have to create the structure themselves |
Versioning | Yes, entire environments can be versioned and tagged and imported based on the specific version tags or revision numbers | Limited, secrets are individually versioned |
Values Can Be of Type Secret and Plaintext | Yes | No, values can only be secrets |
Ability to See Existing Secrets | Yes | No |
Secret Referencing | Yes, environments can import secrets from another environment. Secrets updated from the referenced environment will automatically propagate to downstream environments | No |
Interpolate Values from Other Values | Yes, new dynamic values can be constructed through string interpolation | No |
Branching / Personal Configs | Yes, environments can be forked for testing without rewriting entire environments and overriding specific values | No |
Compare Secrets across Environment | No | No |
In-built Functions | Yes, support for functions like toJSON, fromJSON, fromBase64, toString allows data manipulation for any scenario | No |
Security and Compliance | ||
Audit Logs | Yes | Yes |
Encrypted Secrets Storage | Yes, TLS is used for encryption in transit and unique encryption keys per environment are employed for encryption at rest. | Yes, Vault uses a security barrier for all requests made to the backend. The security barrier automatically encrypts all data leaving Vault using a 256-bit Advanced Encryption Standard (AES) cipher in the Galois Counter Mode (GCM) with 96-bit nonces. |
Access Controls | Yes | Yes |
Secure Dynamic Cloud Provider Credentials | Yes, uses OIDC flows to generate dynamic credentials. Available for AWS, Azure, and Google Cloud. | Limited, requires the usage of root account keys. Only available for AWS. |
OIDC Provider | Yes, Pulumi Cloud can be used as an OIDC provider from the Pulumi SDK, CLI, UI, and pulumi-service provider. | Limited, configuring Vault as an OIDC provider is only available from the CLI |
Get Started with Pulumi
Use Pulumi ESC to easily centralize and manage environments, secrets, and configurations. Follow our Get Started guide for ESC to begin. If you want to use Vault or any other secrets manager with ESC, follow the below guides to import secrets from existing secrets managers into ESC environments.
Thank you for your feedback!
If you have a question about how to use Pulumi, reach out in Community Slack.
Open an issue on GitHub to report a problem or suggest an improvement.