Idea of Hashicorp Vault backend #483

Closed
beejei opened this issue Apr 7, 2023 · 3 comments

beejei commented Apr 7, 2023

Feature description

A clear and concise description of what the feature should be.

Hi Infisical team,

I'm seriously rechecking the credential management process in our company, and I'm again deeply depressed as there is no easy-to-use solution.
In the market, there are lots of places to store the credentials, but from the guideline, no one wants to store them in the code repository.
I agree with the general concept, but honestly, there is actually no good alternative way accepting all the use cases.

For the user experience, https://doppler.com or https://dotenv.org might be the best solution for developers.
But WHO WANTS TO STORE THEIR CREDENTIALS OUTSIDE OF the COMPANY?

I think this really makes a big difference in your product, because Infisical allows a self-hosting method.
But on the other hand, while your team is focusing on the integration side, users are concerned about how to ensure the data handling in Infisical follows the best practice.
Please refer to: https://www.reddit.com/r/selfhosted/comments/10r8as3/comment/j6uuofd/?utm_source=reddit&utm_medium=web2x&context=3

Therefore my idea is, why not provide an option to have Hashicorp Vault as a backend?

Why would it be useful?

Why would this feature be useful for Infisical users?

Because Hashicorp Vault is a well-known backend with best practices but has poor UI, Docs, and integrations compared to its backend.
I think this will make a really good pivoting point, because a lot of companies are already using Hashicorp Vault for their business, but with poorly made in-house scripting.

Additional context

Add any other context about the problem here.

I've searched for 6 hours to search for a better way. And arrived here with the discussion:
https://www.reddit.com/r/devops/comments/tzufc9/how_do_you_share_and_sync_env_files_for_your_team/

It would be really great if you consider this idea seriously.
Then I could push our company to use Infisical with our Hashicorp Vault corporate instance.

Thanks for reading.

Best regards,
beejei


beejei commented Apr 7, 2023

I found another good thread of yours: https://www.reddit.com/r/programming/comments/10hzh2i/guys_its_happending_my_recent_open_source_project/

If I'm not wrong, you're aiming for the same point as me.
But for easier adoption by the existing consumer of Hashicorp Vault, I think you could find any valid point of my idea.

@dangtony98
Collaborator

Hi @beejei!

Thanks for this idea. I've actually been thinking about this exact use-case this past 2-3 weeks now — My thought was to have Infisical be a secrets orchestration layer that can connect to any storage backend like Vault, AWS/GCP/Azure SM, databases, and even S3 or a private repo; in this model, we would still provide MongoDB as the default storage option as it is currently.

The reason is multi-fold:

  • As you mentioned, organizations may be more comfortable using existing secure storage solutions such as Vault on the backend; this would off-load more security work on our end, so we can focus more on delivering the dynamic integrations and interface at the top level that users love.
  • Some large organizations use multiple secret managers; in these cases, they could adopt Infisical to connect to these secret manager sources and have global observability from the top level.

The orchestration layer would come with all the built integrations (and more), adding rotation, dynamism, and syncing functionality to the underlying chosen KV store and with of course the beautiful interface we already support out of the box. It'd be amazing to jam on this idea further with you (I've just started a convo about it in our Slack community); do feel free to join here!


beejei commented Apr 7, 2023

I'm super happy to get your response so soon.
It's my first time looking around the current version of Infisical.
I'd be happy to look around and join the discussion.

Thanks!

beejei closed this as completed Apr 7, 2023