This document outlines our experience implementing HashiCorp Vault as a secrets management solution for the TANF Data Portal (TDP) application and explains why we ultimately cannot use it in the Cloud.gov environment. It also explores potential alternatives and future directions for secrets management in our application.
Our team successfully implemented a working local Vault solution with the following components:
- Vault Server: Running as a Docker container in development environments
- Vault Agent: Responsible for fetching secrets and providing them to the application
- Database Integration: Dynamic credential generation for PostgreSQL
- KV Store: Static secrets management for application configuration
The local implementation provided several benefits:
- Secret Rotation: Automatic rotation of database credentials
- Access Control: Fine-grained access control for different services
- Audit Trail: Comprehensive logging of secret access
- Encryption: Secure encryption of secrets at rest
Our implementation followed HashiCorp's best practices and provided a robust secrets management solution for local development.
After thorough investigation, we determined that Vault cannot be effectively used within the Cloud.gov environment due to fundamental architectural constraints:
-
Service Binding Requirement: In Cloud.gov, services must be bound to applications for the app to have network policies that allow communication with the service.
-
Credential Binding: This binding mechanism means credentials are bound to app instances and not just to Vault, which contradicts security best practices for secrets management.
-
Isolation Challenges: The Cloud.gov architecture doesn't allow for a centralized secrets management service that can be accessed by multiple applications without exposing credentials through environment variables.
-
Custom Service Broker Limitations: While Cloud.gov allows custom service brokers, implementing one for Vault would still face the same fundamental network policy constraints.
The architectural constraints create several security concerns:
- Credentials would be exposed in environment variables, negating many of Vault's security benefits
- Dynamic secret rotation would be difficult to implement properly
- Audit trails would be incomplete as they wouldn't capture the full lifecycle of secrets
As of August 2025, Cloud.gov does not offer a dedicated secrets management service. According to our research and discussions with Cloud.gov representatives:
- There are no immediate plans to introduce a native secrets management service
- The Cloud.gov team recommends using their existing credential management through service bindings
- For sensitive information that needs additional protection, they recommend using encrypted environment variables with keys managed outside the platform
Based on our findings, we recommend the following approach for secrets management in the TANF Data Portal:
-
Use Cloud.gov Service Bindings: Continue using Cloud.gov's native service binding mechanism for database credentials and other service connections
-
Environment Variables with Encryption: For application-specific secrets, use environment variables with appropriate encryption where needed
-
CI/CD Integration: Manage sensitive values through secure CI/CD pipelines with restricted access
-
Monitor Developments: Keep track of Cloud.gov roadmap for potential future secrets management offerings
While HashiCorp Vault provided an excellent secrets management solution for our local development environment, the architectural constraints of Cloud.gov prevent us from using it in production. We will adapt our approach to work within these constraints while maintaining the highest possible security standards for our application.