The web-ui and Google Cloud IAM secrets engine plugin are awesome new features. I've been playing and setting up Vault today on GCP and overall really happy.
Also, I believe using Google Storage as a backed now works with clusters meaning Consul is now not required for clustering.
A simple thing that's been missing for a long time now is a way to patch existing secrets in the KV store. Since the secret itself is composed of keys and values it quickly becomes cumbersome to just update one of those. I guess now that versioning is enabled it will be easier to build a tool on top.
$ vault kv put secret/my-secret my-value=itsasecret
$ vault kv patch secret/my-secret new-value=othersecret
^--- this doesn't exist
$ vault kv get secret/my-secret
====== Data ======
Key Value
--- -----
my-value itsasecret
new-value othersecret
Vault secrets versioning, Enterprise UI open sourced, root DB creds rotation, Azure Auth method and GCP secrets engine and GCP cloud spanner as a storage backend, really great release!
For your average user I think this is confusing and not good UX.
Since a lot of people using this tool will be developers with MacBooks and not hardcore *nix users, it’s probably a good choice to ignore that convention.
> For your average user I think this is confusing and not good UX.
I disagree, as the average vault user is likely someone familiar with Unix (though there is a Windows binary). Here is an example that I just ran on my machine.. very silent.
Confirming success is only necessary when users do not trust the program (due to bugs, confusing UI/API, etc.). They will seek reassurance that their actions are successful. However, if users trust the program then no confirmation is needed.
We should be creating stable and predictable programs so that we can maintain users' trust. Otherwise we have to introduce hand-holding which degrades everyone's experience through extra cognitive overhead and user interaction.
A while back I was using Vault, and the standard logging didn't give me enough to setup any sort of useful detection & alerting capabilities. I tried to increase verbosity in Vault's logging, as the CLI would accept integer parameters, and the documentation made it seem this was possible.
However, the source code was hardcoded to only one logging level (they didn't actually have multiple logging levels). The homepage marketing-speak was disingenuous on this front. Coupled with other poor architecture choices (wasn't actually HA, forced you to use other Hashicorp products, etc), I lost interest in the product.
Seemed they were mostly focused on unique features than standard enterprise requirements. Have things improved?
11 comments
[ 3.3 ms ] story [ 13.3 ms ] threadAlso, I believe using Google Storage as a backed now works with clusters meaning Consul is now not required for clustering.
That is:
should instead be: Also, the screenshots on the Vault OSS UI Introduction page [0] are completely unintelligible.[0]: https://www.hashicorp.com/resources/vault-oss-ui-introductio...
Since a lot of people using this tool will be developers with MacBooks and not hardcore *nix users, it’s probably a good choice to ignore that convention.
I disagree, as the average vault user is likely someone familiar with Unix (though there is a Windows binary). Here is an example that I just ran on my machine.. very silent.
I picked this up at http://www.rsync.net/resources/howto/remote_commands.html for running commands over ssh and not seeing the console output.
We should be creating stable and predictable programs so that we can maintain users' trust. Otherwise we have to introduce hand-holding which degrades everyone's experience through extra cognitive overhead and user interaction.
cron adopts this philosophy in that you get an email if there is any output at all.
There is a tool called chronic which you can use as a wrapper which captures stdout and only ouput if the return code is an error:
However, the source code was hardcoded to only one logging level (they didn't actually have multiple logging levels). The homepage marketing-speak was disingenuous on this front. Coupled with other poor architecture choices (wasn't actually HA, forced you to use other Hashicorp products, etc), I lost interest in the product.
Seemed they were mostly focused on unique features than standard enterprise requirements. Have things improved?