We have started using the newly added vault module/runner/util/state
https://github.com/saltstack/salt/pull/39212
Vault itself is more of a framework than a complete solution. Take the problem of keeping usernames and passwords out of config or script files in git: Vault lets you replace the embedded password with an HTTPS GET to the Vault server. You then have a Vault token whose policy allows it to look up that secret, and you place the lookup call in your script or config file. This is better than keeping the password, and every past version of it, in git, but anyone who obtains the token can perform the same Vault lookup themselves, so on its own it isn't great.
The referenced Salt modules use Vault, but tie it into Salt very nicely.
The exchange begins with the salt-minion, which calls the vault.read_secret execution module; that module asks the salt-master for a Vault token over the encrypted Salt bus. The salt-master then uses what it knows about the minion (its identity, grains and pillar) to ask the Vault server for a single-use token, and in that request attaches policies chosen from that minion information. The Vault server replies with the single-use token to the salt-master, which passes it on to the minion. The salt-minion then performs a normal Vault HTTPS lookup of the secret using its new token, and Vault returns the secret. Because the token is spent by that one request, a minion that leaks it afterwards has leaked nothing reusable.
This lets access to secrets be delegated to minions based on grain or pillar data, which supports access policies such as:
- All mysql servers in web app tier in production
- A single Jenkins master
- All salt-minions
By putting Salt in front of Vault, you leverage Salt's knowledge of the environment to more or less replace Vault's own token handling: minions never hold a long-lived Vault token, and the only standing credential is the one the salt-master uses to mint single-use tokens.
We are now using vault as the source of truth for our passwords, and use this system to seed Jenkins credentials.
Additionally, since minions can both read and write Vault secrets, this enables other use cases, such as having a bastion host write a Let's Encrypt certificate key into Vault and then allowing only the web host to read it. That gives you an encrypted file transfer in which only the necessary minions can see the contents.
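As an added illustration of the token flow described above and of the bastion-to-web-host handoff, here is a small Python model of the master-side policy selection and of Vault's single-use token enforcement. This is example code written for this note, not the PR's code and not Salt's or Vault's own API: the policy template names, secret paths, grains and the in-memory Vault stand-in are all assumptions, although the `policies` and `num_uses` fields mirror the real Vault token-create request.

```python
import fnmatch
import secrets


# Policy templates the salt-master would hold. Assumption: this mirrors the
# shape of the Salt vault module's policy list ({minion}, {grains[...]},
# {pillar[...]}); the policy names themselves are made up for the example.
POLICY_TEMPLATES = [
    "saltstack/minions",                                            # every minion
    "saltstack/minion/{minion}",                                    # one host
    "saltstack/role/{grains[role]}/{grains[tier]}/{grains[env]}",   # e.g. prod app-tier mysql
]


def render_policies(minion_id, grains, pillar):
    """Expand the templates with what the master knows about the minion.
    A template whose grain or pillar key is absent is dropped rather than
    granting a half-rendered policy name."""
    rendered = []
    for tpl in POLICY_TEMPLATES:
        try:
            rendered.append(tpl.format(minion=minion_id, grains=grains, pillar=pillar))
        except (KeyError, IndexError):
            continue
    return rendered


class MockVault:
    """In-memory stand-in for the Vault server (constructed for the example).
    create_token takes the same `policies` and `num_uses` fields as Vault's
    real POST /v1/auth/token/create; everything else is simplified."""

    def __init__(self):
        self.policies = {}   # policy name -> {path glob: set(capabilities)}
        self.tokens = {}     # token -> {"policies": [...], "uses_left": int}
        self.kv = {}         # secret path -> dict

    def put_policy(self, name, rules):
        self.policies[name] = rules

    def create_token(self, policies, num_uses=1):
        token = "s." + secrets.token_hex(12)
        self.tokens[token] = {"policies": list(policies), "uses_left": num_uses}
        return token

    def _use(self, token, path, capability):
        entry = self.tokens.get(token)
        if entry is None:
            raise PermissionError("invalid or exhausted token")
        # Every request burns a use, authorized or not; the last use revokes the token.
        entry["uses_left"] -= 1
        if entry["uses_left"] == 0:
            del self.tokens[token]
        for name in entry["policies"]:
            for glob, caps in self.policies.get(name, {}).items():
                if fnmatch.fnmatchcase(path, glob) and capability in caps:
                    return
        raise PermissionError(f"permission denied on {path}")

    def read_secret(self, token, path):
        self._use(token, path, "read")
        return self.kv[path]

    def write_secret(self, token, path, data):
        self._use(token, path, "update")
        self.kv[path] = dict(data)


def master_issue_token(vault, minion_id, grains, pillar):
    """What the salt-master does on a minion's request: choose policies from
    the minion's grains/pillar and ask Vault for a single-use token."""
    return vault.create_token(render_policies(minion_id, grains, pillar), num_uses=1)


def demo():
    """Bastion writes a TLS key, the web host reads it, a db host is refused,
    and a spent token cannot be replayed. Grains, paths and the key are constructed."""
    vault = MockVault()
    vault.put_policy("saltstack/role/bastion/mgmt/prod", {"secret/tls/www": {"update"}})
    vault.put_policy("saltstack/role/web/app/prod", {"secret/tls/www": {"read"}})
    vault.put_policy("saltstack/minions", {"secret/common/*": {"read"}})

    bastion = {"role": "bastion", "tier": "mgmt", "env": "prod"}
    web = {"role": "web", "tier": "app", "env": "prod"}
    db = {"role": "mysql", "tier": "app", "env": "prod"}
    key_pem = "-----BEGIN PRIVATE KEY-----\nMIIE...constructed...\n-----END PRIVATE KEY-----"

    results = {}
    vault.write_secret(master_issue_token(vault, "bastion1", bastion, {}),
                       "secret/tls/www", {"key": key_pem})

    web_token = master_issue_token(vault, "web1", web, {})
    results["web_read"] = vault.read_secret(web_token, "secret/tls/www")["key"] == key_pem

    try:
        vault.read_secret(master_issue_token(vault, "db1", db, {}), "secret/tls/www")
        results["db_read"] = "allowed"
    except PermissionError:
        results["db_read"] = "denied"

    try:  # the web token was single-use; a second read with it must fail
        vault.read_secret(web_token, "secret/tls/www")
        results["replay"] = "allowed"
    except PermissionError:
        results["replay"] = "denied"
    return results


if __name__ == "__main__":
    print(demo())
```

The point to take from the model is where the trust sits: the minion never sees a policy decision, it only sees a token that works once against the paths the master's templates mapped it to. Dropping a template when a grain is missing, rather than rendering a partial name, matters in practice because a mis-rendered policy name can silently match a broader policy than intended.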
This is a much more robust solution than the current vault pillar, which simply makes Vault secrets available to all salt minions. If you have any interest in using Vault, I would recommend looking at the newer modules.