by 0xCMP 3005 days ago
It'd be cheaper than running Vault with a backing Consul cluster which also provides rotation and other features.

There is a point where Vault is more cost effective, but I believe it'd require a ton of requests and secrets to justify a minimum of 6 machines of at least t2.micro that also need to be managed and secured.


Depends on how many secrets you're storing.

You can also back Vault with something other than Consul. You can back it with DynamoDB, which would be much cheaper than managing your own Consul cluster. You can even back it with S3, which would be dirt cheap (cost of the vault instance + a few cents for storage).

I wasn't aware you could use Dynamo or S3; that's pretty interesting.
It's definitely not cheaper than KMS and DynamoDB via Credstash, though.
What if you're already running a Nomad/Consul cluster? Is Vault a particularly hard thing to implement/scale at that point?
Yeah, in that case it's not that hard or much extra cost. But I imagine most people aren't already running Nomad or Consul and can benefit from this. Lambdas, WordPress, etc. can now get rotating secrets, which is a pretty nice possibility now with a lot less operational overhead.
...and that's without a FIPS 140-2 Level 3 backend for an HSM as well, right? (Secrets Manager has that, I assume.)

With Vault 1) you have to get Hashi Enterprise 2) Pay for a very pricey HSM.

No, I believe they just use KMS or GCM, either of which is backed by an HSM, and it's recommended in their documentation.
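As an added example (not from the thread and not HashiCorp's own sample), here is the kind of single-node Vault server configuration the comments above describe: storage in DynamoDB or S3 instead of a Consul cluster, and the master key auto-unsealed with an AWS KMS key rather than a dedicated HSM. The `awskms` seal has shipped in the open-source build since Vault 1.0. All bucket, table, region, key ID and path values are placeholders.

```hcl
# Added example: one Vault server backed entirely by AWS, no Consul.
# Only one storage stanza may be active at a time; the S3 variant is
# shown commented out. Every name below is a placeholder.

# DynamoDB storage. Supports HA (ha_enabled), so a second node can take
# over the active role without Consul. Vault creates the table on first
# start if the instance role is allowed dynamodb:CreateTable.
storage "dynamodb" {
  ha_enabled = "true"
  region     = "us-east-1"
  table      = "vault-data"          # placeholder table name
}

# S3 storage: the cheapest option, but the S3 backend does not support
# HA, so this would be a strictly single-node deployment.
# storage "s3" {
#   bucket = "example-vault-storage"  # placeholder bucket name
#   region = "us-east-1"
# }

# Auto-unseal: the master key is wrapped by a KMS key, which is the
# "KMS backed by an HSM" setup the last comment refers to. The instance
# role needs kms:Encrypt, kms:Decrypt and kms:DescribeKey on this key.
seal "awskms" {
  region     = "us-east-1"
  kms_key_id = "00000000-0000-0000-0000-000000000000"  # placeholder key ID
}

listener "tcp" {
  address       = "0.0.0.0:8200"
  tls_cert_file = "/etc/vault/tls/vault.crt"   # placeholder paths
  tls_key_file  = "/etc/vault/tls/vault.key"
}

api_addr     = "https://vault.example.internal:8200"  # placeholder
cluster_addr = "https://vault.example.internal:8201"
ui           = true
```

Credentials for both the storage backend and the seal come from the standard AWS SDK chain, so on EC2 an instance role with the DynamoDB (or S3) and KMS permissions is enough; no static keys belong in this file. After `vault server -config=...` starts, run `vault operator init` once; with the KMS seal there are no unseal keys to distribute, only recovery keys to store offline. Restricting the KMS key policy to that instance role is what keeps a stolen copy of the DynamoDB table or S3 bucket useless on its own.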