
Case Study

Large Retailer Secures HashiCorp Vault Access

A Fortune 250 retailer secures access to HashiCorp Vault as the first phase of its enterprise-wide workload IAM deployment.

Complex multi-cloud setup with difficult Vault access.

High-maintenance, homegrown identity system.

Cumbersome enrollment and identity secret management.


Saved 3-5 FTE while delivering project 6 months ahead of schedule

Replaced DIY identity system with efficient, policy-based access.

Streamlined credential management, enhancing security.


The Environment

The retailer has a complex multi-cloud and on-premises environment running hundreds of applications in Kubernetes, as well as virtual machines. They also have thousands of retail locations in addition to ecommerce operations, all of which must securely interact with other key applications and sensitive data stores.

The Problem

The organization knew that in a dynamic, continually changing environment, they needed to create a stronger identity control plane to secure access among applications.

It knew that a critical place to begin was providing simpler and secure access to HashiCorp Vault. Like any other business, its Vault represents highly sensitive data that, if compromised, could provide an attacker with the ability to move throughout the organization’s systems and capture sensitive information. Securing Vault access was particularly challenging given that access to Vault is required across clouds and from retail locations.

Currently, accessing Vault requires two steps:

  1. Getting the workload an identity secret that will authenticate it to Vault – often called the “Secret Zero” or bootstrap problem;
  2. Enrolling the workload in Vault, so the workload will have the right access rights when it accesses Vault.

The organization developed their own system to address both the Secret Zero problem and enrollment into Vault. However, this system required significant developer maintenance and more development as the workload footprint grew larger, and as it became more complex, across more compute environments (more types of workloads, Kubernetes, VMs, OSes).

The Solution & Benefits

The organization deployed Aembit as its Workload IAM platform. The first project was to secure access to Vault and reduce the ongoing cost of implementation and maintenance with the associated infrastructure.

Concrete Business Outcomes

Aembit was implemented alongside a project to implement new critical infrastructure. In doing so, the business saved 3-5 FTEs by using Aembit to provide secure workload access as-a-service. And by repurposing those talented people, the business delivered the project 6 months ahead of schedule. 

Finally, the company was able to decommission their DIY solution, which means lower cost and simpler ongoing management.

Implementation also drove a number of critical technical benefits:

Solve Secret Zero

Using Aembit’s ability to cryptographically attest to the identity of applications, the retailer eliminated the need for a bootstrap secret. Based on identity (but without a secret), Aembit provides a dynamic access credential for the workload to access Vault.

Solve Enrollment

Instead of enrolling each new workload in Vault, Aembit issues short-lived credentials (JWTs) that authorize access to Vault with claims that limit access to the right set of secrets. Moving from a token that only represents identity to a credential that includes access rights simplifies the workflow and makes policies more dynamic.
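The difference between an identity-only token and a credential that carries access rights can be shown in a short sketch. This is an added example, not Aembit's or Vault's code: the issuer URL, audience, key and the `secret_paths` claim name are hypothetical, and HMAC signing is used only to keep it standard-library Python.

```python
import base64, hashlib, hmac, json, time

KEY = b"constructed-demo-key"        # constructed; stands in for the issuer's key
ISSUER = "https://idp.example.test"  # hypothetical issuer URL
AUDIENCE = "vault"                   # hypothetical audience value

def _b64(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _unb64(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def _sign(signing_input):
    return hmac.new(KEY, signing_input.encode(), hashlib.sha256).digest()

def issue(workload, paths, ttl=300, now=None):
    """Issuer side: short-lived token whose claims carry the access scope."""
    now = int(time.time()) if now is None else now
    claims = {"iss": ISSUER, "aud": AUDIENCE, "sub": workload,
              "exp": now + ttl, "secret_paths": paths}  # hypothetical claim name
    head = _b64(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = _b64(json.dumps(claims).encode())
    return f"{head}.{body}.{_b64(_sign(head + '.' + body))}"

def _covers(prefix, path):
    """Prefix match on whole path segments; refuse '..' traversal."""
    return ".." not in path.split("/") and prefix.endswith("/") and path.startswith(prefix)

def authorize(token, path, now=None):
    """Resource side: decide from the token alone, no enrollment lookup."""
    now = int(time.time()) if now is None else now
    try:
        head, body, sig = token.split(".")
        if not hmac.compare_digest(_sign(head + "." + body), _unb64(sig)):
            return False, "bad signature"
        if json.loads(_unb64(head)).get("alg") != "HS256":
            return False, "unexpected alg"
        claims = json.loads(_unb64(body))
    except (ValueError, AttributeError):
        return False, "malformed token"
    if claims.get("iss") != ISSUER or claims.get("aud") != AUDIENCE:
        return False, "wrong issuer or audience"
    if now >= claims.get("exp", 0):
        return False, "expired"
    if any(_covers(p, path) for p in claims.get("secret_paths", [])):
        return True, claims["sub"]
    return False, "path not in claims"
```

Because the scope travels inside the signed, expiring token, changing a workload's access is a policy change at the issuer rather than a new enrollment on the resource side.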

Eliminate the DIY Identity System

The company now uses Aembit to provide policy-based access to Vault, eliminating the need for the homegrown identity system. The company no longer has to maintain and upgrade its previous system, and it gains the benefit of Aembit’s ongoing engineering innovations.

Securely Provide Multi-Cloud Access to Vault

Although Vault supports access based on native cloud identity (attestation), this becomes difficult across clouds. Vault may be able to authenticate workloads in the same cloud, but cannot authenticate workloads in another cloud. Aembit solves this by acting as the workload IDP between workloads and Vault: it uses the native identity of the workload from whichever cloud it is in, and grants the workload an appropriate access credential to Vault with the right access claims based on policy.

Simplify Credential Management

Aembit enables identity-based access to resources while eliminating the need for workloads to store a sensitive Vault credential. Aembit continually verifies the identity of the application and provides an access token. This reduces attack surface and radically simplifies credential management.

Future Plans

The retailer’s deployment of Aembit can now be used to secure access to other sensitive applications beyond Vault, and can be used to provide a single workload-to-workload access management system across the organization.
