HCP Vault Secrets design strategy
Secrets can be logically organized across Projects and Applications within the HashiCorp Cloud Platform (HCP) resource hierarchy. With HCP's Identity and Access Management (IAM) model, granular role-based and resource-based access controls can be applied, so that managing and accessing secrets is delegated only to the users and clients that need it, enabling least-privilege access control.
Below is an example structure of how secrets can be organized within the HCP resource hierarchy.
Example scenario
Your organization has a centralized platform team and several engineering teams, each with various applications, systems, and workflows where secrets are used. The goal is to organize secrets and establish an appropriate access control model for your teams and applications that can scale as you grow or onboard more teams.
Below is an example structure of how to organize secrets within HCP Vault Secrets.
Projects and applications
An HCP organization can have one or more HCP projects to segment HCP resource access within an organization, such as by team or business unit. Projects can contain one or more applications where secrets are managed. Access controls can be applied at the organization, project, and application level.
HCP Organization
├── Project A
│   ├── Application A-1
│   ├── Application A-2
│   └── Application A-3
├── Project B
│   ├── Application B-1-NonProd
│   ├── Application B-1-Prod
│   ├── Application B-2
│   └── Application B-3
└── Project C
    ├── Application C-1
    ├── Application C-2
    └── Application C-3
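To show how a binding placed at the organization, project, or application level resolves when a client reads secrets from one application, here is an added Python model of the hierarchy above (example code, not HCP's own API or code; the role names, principal names, and the "bindings inherit downward" rule are illustrative assumptions, and the bindings are constructed for the scenario).

```python
# Added illustrative model (not the HCP API): role bindings at org, project, or
# application scope, resolved for a secret read on one application.
from dataclasses import dataclass

# Hierarchy from the example structure: organization -> projects -> applications.
HIERARCHY = {
    "Project A": ["Application A-1", "Application A-2", "Application A-3"],
    "Project B": ["Application B-1-NonProd", "Application B-1-Prod",
                  "Application B-2", "Application B-3"],
    "Project C": ["Application C-1", "Application C-2", "Application C-3"],
}

# Assumed (illustrative) roles that carry the right to read secret values.
SECRET_READ_ROLES = {"admin", "contributor", "secret-reader"}


@dataclass(frozen=True)
class Binding:
    principal: str
    role: str
    scope: str  # "org", a project name, or an application name


def scope_chain(app_name: str) -> list:
    """Levels a binding may be inherited from: [application, project, "org"]."""
    for project, apps in HIERARCHY.items():
        if app_name in apps:
            return [app_name, project, "org"]
    raise KeyError(f"unknown application: {app_name}")


def can_read_secrets(principal: str, app_name: str, bindings: list) -> bool:
    """True if any binding for the principal grants secret read at the app,
    its project, or the organization (assumed downward inheritance)."""
    chain = scope_chain(app_name)
    return any(b.principal == principal and b.role in SECRET_READ_ROLES
               and b.scope in chain for b in bindings)


# Constructed bindings for the scenario: the platform team at org level, Team B
# on its own project, and a CI runner scoped to the one production app it deploys.
BINDINGS = [
    Binding("platform-team", "admin", "org"),
    Binding("team-b", "contributor", "Project B"),
    Binding("ci-runner-b1", "secret-reader", "Application B-1-Prod"),
]


def effective_readers(app_name: str, bindings: list = BINDINGS) -> set:
    """Every principal whose bindings let it read the given application's secrets."""
    return {b.principal for b in bindings
            if can_read_secrets(b.principal, app_name, bindings)}
```

Running `effective_readers("Application B-1-NonProd")` shows the CI runner is excluded while Team B and the platform team are included, which is the prod/non-prod split the application naming is meant to enforce.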
Summary
Proper organization of your HCP Vault Secrets projects and applications provides flexibility to manage granular access control over which clients (users or applications) have access to certain applications and secrets. Refer to the establish secure access control tutorial to learn more.