GatePlane is built on a Vault/OpenBao instance, which provides the following boilerplate functionality:

Authorization

Vault/OpenBao guarantees that only users entitled to a given GatePlane functionality can reach it. In practice this means GatePlane does not need to solve the "who can do what" problem itself: it is handled by Vault/OpenBao Policies. Because authorization is configured in HCL, a well-documented and widely adopted language (it is used by Terraform/OpenTofu as well as Vault/OpenBao), GatePlane avoids the overhead of implementing its own authorization layer and can concentrate on its security features, while engineers are not forced to learn a new way of doing something they already know.

Identity Management & Authentication

Every use of GatePlane functionality must be authenticated, because identity information is needed to tie Access Requests, Approvals and Claims to specific users for auditing. Vault/OpenBao ensures that every request to GatePlane comes from a Vault/OpenBao Entity and carries a Vault/OpenBao token, which packs all the information needed to answer "who did what".

Integrations

The extensibility of Vault/OpenBao through plugins has produced official and community integrations for countless software products and platforms, from AWS access and Okta authentication to Artifactory. This lets GatePlane focus on its security features, knowing that everything else will work smoothly and will be maintained by the people closest to each integration.

Auditing

Vault/OpenBao already has a logging format that most SIEMs (e.g. Elastic) understand, and environments where Vault/OpenBao is already deployed also have a log delivery pipeline in place. GatePlane piggybacks on that, so log delivery and parsing require effectively zero SIEM configuration. Custom queries can then be written to observe GatePlane-specific activity.
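As an added illustration of the kind of custom query mentioned above (example code, not GatePlane's or Vault's own), the Python below walks a few constructed audit-log lines in the Vault/OpenBao JSON audit format, keeps only calls under an assumed `gateplane/` mount, and separates successful request/approve actions from policy denials. The mount path and the `<mount>/<action>/<target>` path layout are assumptions, not documented GatePlane paths.

```python
import json
from collections import Counter

# Mount path GatePlane is assumed to live under (hypothetical, not documented).
GATEPLANE_MOUNT = "gateplane/"

# Constructed sample lines in the Vault/OpenBao JSON audit-log shape: each API
# call yields a "request" and a "response" entry; tokens are HMAC'd by Vault.
SAMPLE_AUDIT_LOG = """\
{"time":"2024-05-01T10:00:00Z","type":"request","auth":{"display_name":"ldap-alice","entity_id":"e-alice","policies":["default","gp-requester"]},"request":{"operation":"update","path":"gateplane/request/aws-prod-admin","remote_address":"10.0.0.5","client_token":"hmac-sha256:..."}}
{"time":"2024-05-01T10:00:00Z","type":"response","auth":{"display_name":"ldap-alice","entity_id":"e-alice","policies":["default","gp-requester"]},"request":{"operation":"update","path":"gateplane/request/aws-prod-admin","remote_address":"10.0.0.5"},"response":{"data":{"id":"req-1"}},"error":""}
{"time":"2024-05-01T10:02:00Z","type":"response","auth":{"display_name":"ldap-bob","entity_id":"e-bob","policies":["default","gp-approver"]},"request":{"operation":"update","path":"gateplane/approve/req-1","remote_address":"10.0.0.9"},"response":{},"error":""}
{"time":"2024-05-01T10:03:00Z","type":"response","auth":{"display_name":"ldap-alice","entity_id":"e-alice","policies":["default","gp-requester"]},"request":{"operation":"update","path":"gateplane/approve/req-1","remote_address":"10.0.0.5"},"error":"1 error occurred:\\n\\t* permission denied\\n\\n"}
{"time":"2024-05-01T10:04:00Z","type":"response","auth":{"display_name":"ldap-alice","entity_id":"e-alice","policies":["default"]},"request":{"operation":"read","path":"secret/data/unrelated","remote_address":"10.0.0.5"},"error":""}
this line is not JSON and must be skipped rather than crash the query
"""

def parse_gateplane_events(audit_text, mount=GATEPLANE_MOUNT):
    """Return one normalised event per GatePlane API call found in the log."""
    events = []
    for line in audit_text.splitlines():
        try:
            entry = json.loads(line)
        except json.JSONDecodeError:
            continue
        path = entry.get("request", {}).get("path", "")
        # Keep only "response" entries (one per call) under the GatePlane mount.
        if entry.get("type") != "response" or not path.startswith(mount):
            continue
        # First segment after the mount is taken as the action (assumed layout).
        action, _, target = path[len(mount):].partition("/")
        auth = entry.get("auth", {})
        events.append({
            "time": entry.get("time"),
            "actor": auth.get("display_name"),
            "entity_id": auth.get("entity_id"),
            "action": action,
            "target": target,
            "denied": "permission denied" in (entry.get("error") or ""),
        })
    return events

def denied_attempts(events):
    """Calls that Vault policy rejected: a natural SIEM alert on GatePlane misuse."""
    return [e for e in events if e["denied"]]

def actions_by_actor(events):
    """Successful (actor, action) counts, e.g. for a SIEM dashboard."""
    return Counter((e["actor"], e["action"]) for e in events if not e["denied"])
```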

In a few words

  • Who can (and who cannot) request, claim and approve access through GatePlane is configured separately, in the standard and efficient way defined by Vault/OpenBao.

  • GatePlane knows who is doing what by using Vault/OpenBao to integrate with your existing directory (e.g. LDAP, Active Directory) or identity provider (e.g. Okta/Auth0, Google Workspace, AWS IAM).

  • GatePlane can control access wherever Vault/OpenBao can provide it (e.g. AWS, GCP, Azure, Kubernetes, SSH, etc.).

  • Immediately after deploying GatePlane, you can start querying its logs and building SIEM rules for specific scenarios, using whatever already aggregates your Vault/OpenBao logs.