Objective
Add HashiCorp Vault as an alternative secret provider for AWS/GCP/on-prem deployments, behind the same ISecretProvider abstraction established by the Azure Key Vault integration.
Depends On
- The v4.0 Azure Key Vault issue (AKV integration establishes the abstraction layer)
Requirements
These requirements directly address the issues identified in the Copilot code review of PR #406:
| PR #406 Finding | Required Fix |
|---|---|
| TLS disabled | HA Raft cluster with TLS enabled |
| Broad shared Vault policy | Per-service Vault policies with least-privilege scoping |
| Local file path for SA tokens | Kubernetes auth with proper ServiceAccount token retrieval |
| Public LoadBalancer | ClusterIP default — no public exposure |
| Root token logged to stdout | Root token never logged — sealed after init |
| Secrets wiped on transient failure | `VaultConfigurationProvider` preserves existing secrets on transient Vault unavailability |
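The last row is the one most worth seeing in code: a provider must not clear secrets it already holds just because Vault is briefly unreachable, but it also must not hide a permission error behind a cache. The following is an added example, not code from PR #406 or the project. It assumes a hypothetical `IVaultKvClient` wrapper (the real Vault client would sit behind it) and the `ConfigurationProvider` base class from Microsoft.Extensions.Configuration; it treats HTTP transport errors and timeouts as transient and lets everything else (for example a 403 from an over-narrow policy) surface.

```csharp
// Added example: a configuration provider that keeps the last good secret set
// when Vault is temporarily unavailable. Not the project's code.
using System;
using System.Collections.Generic;
using System.Net.Http;
using Microsoft.Extensions.Configuration;

// Hypothetical minimal client abstraction (assumption, not a real library API).
public interface IVaultKvClient
{
    // Returns key/value pairs stored under a KV path; throws on transport or server errors.
    IDictionary<string, string> ReadSecrets(string path);
}

public sealed class VaultConfigurationProvider : ConfigurationProvider
{
    private readonly IVaultKvClient _client;
    private readonly string _path;
    private bool _loadedOnce;

    public VaultConfigurationProvider(IVaultKvClient client, string path)
    {
        _client = client;
        _path = path;
    }

    public override void Load()
    {
        try
        {
            var fresh = _client.ReadSecrets(_path);

            // Build the new set fully, then swap it in: a partial read never
            // replaces a complete one.
            var next = new Dictionary<string, string?>(StringComparer.OrdinalIgnoreCase);
            foreach (var kv in fresh)
                next[kv.Key] = kv.Value;

            Data = next;
            _loadedOnce = true;
        }
        catch (Exception ex) when (IsTransient(ex))
        {
            // First load with no fallback set: fail startup loudly rather than
            // start the service with an empty configuration.
            if (!_loadedOnce)
                throw;

            // Transient outage after a successful load: Data is left untouched.
            // Console used here only to keep the example self-contained; the
            // service's own logger would record this instead.
            Console.Error.WriteLine(
                $"Vault unavailable at '{_path}', keeping {Data.Count} cached secrets: {ex.Message}");
        }
        // Non-transient exceptions (authorization failures, malformed responses)
        // propagate unchanged so a policy or configuration mistake is not masked.
    }

    // Assumption: transport-level failures and timeouts are the transient class;
    // a sealed or not-yet-ready Vault also surfaces as an HttpRequestException.
    private static bool IsTransient(Exception ex) =>
        ex is HttpRequestException || ex is TimeoutException;
}

// Source so the provider can be registered with a ConfigurationBuilder.
public sealed class VaultConfigurationSource : IConfigurationSource
{
    private readonly IVaultKvClient _client;
    private readonly string _path;

    public VaultConfigurationSource(IVaultKvClient client, string path)
    {
        _client = client;
        _path = path;
    }

    public IConfigurationProvider Build(IConfigurationBuilder builder) =>
        new VaultConfigurationProvider(_client, _path);
}
```

Calling `Load()` again on an existing provider (for example from a periodic rotation timer) is where the preservation matters: a successful call replaces the whole set, a transient failure leaves the previous set in place, and a non-transient failure throws so it can be surfaced as an alert rather than silently served from cache.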
Additional Requirements
- `secretProvider` parameter in Bicep templates: `azurekeyvault` | `hashicorpvault` | `none`
- Feature parity with AKV integration for secret read/write/rotate operations
- Documentation for multi-cloud deployment scenarios
Reference
- copilot/migrate-secrets-to-key-vault) — reuse scaffolding patterns (Helm charts, namespace layout, `ISecretProvider` wiring)