jfrog / vault-plugin-secrets-artifactory

HashiCorp Vault Secrets Plugin for Artifactory
https://jfrog.com
Apache License 2.0

Joining the HashiCorp Vault integration program & get plugin into HCP Vault & Vault Enterprise #212

Open iniinikoski opened 1 week ago

iniinikoski commented 1 week ago

Currently the plugin can only be used with the Vault open-source version, though there are more and more customers who are using managed services from HashiCorp (e.g. HCP Vault). Hence, HashiCorp has created the Vault integration program (https://developer.hashicorp.com/vault/docs/partnerships) to improve the secrets engine support through the (slowly) growing partner network. They are also ramping up the new product "Vault Secrets" (https://developer.hashicorp.com/hcp/tutorials/get-started-hcp-vault-secrets/hcp-vault-secrets-introduction) where they plan to bring more and more different secret types / engines as ready-made/built-in support. A good example is MongoDB Inc. with their MongoDB Atlas Secrets Engine, which is fully supported in all Vault installations.

It would be great if JFrog could partner (even more?) with HashiCorp on this, as the spread of Artifactory tokens is an issue for every company using Artifactory. Artifactory has been enhanced with better token support lately, but it would be great if developers would not need to interface with Artifactory at all in order to get access to it (as they get access to everywhere else also through Vault). The situation has of course improved a lot lately by introducing the OIDC possibilities between e.g. Artifactory and GitHub, thus mostly removing the requirement for static tokens. But the issue still persists for e.g. user access or any machine access outside of e.g. GitHub.

Unfortunately, there's no alternative to this. We know that ephemeral / dynamic secrets are the key to success and we'd need to make this easy for everyone without compromising security.

JFrog Artifactory already integrates with HashiCorp Vault (though not HCP Vault, I believe, atm), so JFrog has partnered with HashiCorp on some levels already. I hope this partnership could be taken to the next level where everyone benefits.

alexhung commented 1 week ago

@iniinikoski JFrog is already a technology partner with HashiCorp (https://www.hashicorp.com/partners/tech/jfrog#vault).

If I read your message correctly, I think it is the HCP Vault Dedicated support that you wish to see?

Whilst we haven't tested the Artifactory Secrets plugin with HCP Vault Dedicated, there's nothing (as far as I know) inherently different for the plugin to work in HCP.

iniinikoski commented 1 week ago

> @iniinikoski JFrog is already a technology partner with HashiCorp (https://www.hashicorp.com/partners/tech/jfrog#vault).
>
> If I read your message correctly, I think it is the HCP Vault Dedicated support that you wish to see?

Yes, exactly.

> Whilst we haven't tested the Artifactory Secrets plugin with HCP Vault Dedicated, there's nothing (as far as I know) inherently different for the plugin to work in HCP.

I think HashiCorp has some hard requirements on plugins on HCP (looking at Venafi as an example) which need to be fulfilled before it can be supported in Vault Dedicated. This is my understanding. It would be great if you could reach out to them on this (as I'm only a customer here for both products :) ).