You deploy Vault on a cloud platform such as AWS, Google Cloud Platform, or Azure, or use the Piiano managed SaaS option, which is hosted on AWS. On these platforms, Vault can be deployed as a server or as a serverless service. For example, on Google Cloud Platform, Vault can be deployed as a serverless service using Cloud Run.
Vault is implemented using two services: a Control service for making control changes such as IAM configuration and schema changes, and a Data service for CRUD operations on data.
The main elements in a Vault deployment are:
- The Vault server. There can be one server running both services, or the services may be deployed separately.
- The backend database. For example, Postgres RDS.
- A Key Management Service (KMS).
- A load balancer or API gateway to manage access to the Vault services.
This diagram shows an example of the high-level architecture in an AWS deployment.
An Amazon Elastic Container Service (Amazon ECS) based deployment:
A Google Cloud Platform Cloud Run based deployment: