
Sam Gabrail – Platform Engineer

Akeyless vs HashiCorp Vault

If you’ve known me for any length of time, you’ll know how much I like HashiCorp Vault. However, I recently started to look into Akeyless, and I’m quite impressed by what it has to offer. In my opinion, Akeyless is the top alternative today to HashiCorp Vault. In this video, I’ll walk you through ten unique Akeyless features that are not found in HashiCorp Vault. My name is Sam Gabrail, and let’s get started. First up is automated rotated secrets. Rotated secrets as an explicit concept are not available in HashiCorp Vault.

The idea here is that a rotated secret is the credential that Akeyless itself uses to connect to an external third-party service. If you go to New and look for Rotated Secret, you’ll see a number of databases that Akeyless can connect to (Cassandra, Redis, Redshift, Snowflake), the three major clouds, operating systems, infrastructure like Docker Hub, LDAP, or web. Once you have this connection in place, you can rotate the secret. If I look at the Azure rotated secret here, for example, here are my credentials: client ID, tenant ID, client secret, and so on.

Now I can manually rotate the secret, which HashiCorp Vault, for the most part, can do as well for its own connection to that third party. But beyond that, in Akeyless you can use an automation mechanism that rotates the secret on an interval. You can see here I’m rotating every ninety days, and you can change that as well.

Every ninety days at ten o’clock is what I’m doing here, or you can choose manual only. This is really key because we’re trying to make sure we don’t have long-lived credentials of any kind, including the ones that Akeyless holds for those external third-party systems. So automated rotated secrets are really key here.

Continuing the conversation around short-lived credentials, dynamic secrets are key. Of course, HashiCorp Vault has a bunch of dynamic secrets, and so does Akeyless. But the more connections into third-party systems there are for creating these dynamic secrets, the better off we all are.

I can see here that Akeyless has quite a few dynamic secrets. RDP, Docker Hub, and Ping client stand out as three that are not available in HashiCorp Vault. I’m quite impressed with the Akeyless UI and how easy it is to create things with it, as you can see here. Of course, the UI is not my preferred way of using any kind of software.

You always want to use infrastructure as code, and Akeyless, of course, has a Terraform provider you can use. But just know that the more dynamic secrets we see, such as RDP here, Ping client, Artifactory, Chef Infra, Docker Hub, and so on, the better off we are, because again, we don’t want any long-lived credentials in our environment. Third on our list is custom targets.

Custom targets really simplify resource and credential management by organizing endpoints in Akeyless and eliminating manual credential updates.

It really helps with operational efficiency, and it is not available in HashiCorp Vault.

As you can see here, you create a target, and there are multiple target types, matching the third-party systems we saw before. You create the target ahead of time, and once it exists, you can create other items against it. If I look at this AWS target and its associated items, I have a dynamic secret.

I have a universal secrets connector. I have rotated secrets. So once you’ve defined this target, you can associate these items with it. From a configuration perspective, that makes things much easier for me.

Azure is the same: I have a bunch of items associated with it. My Postgres database probably doesn’t have anything yet, but if I want to create a dynamic secret, for example, I can go to Items, Dynamic Secret, and choose Postgres.

From here you can see the target mode. You can choose an existing target or explicitly specify target properties. It’s easier to use an existing target that can be reused over and over for different things. In this case, I’m using it in a dynamic secret for my database.

Next, we’ll talk about secrets sharing. I like this feature. You can go into any of the secrets you have, say this static secret here.

At the top, you can click Share and provide the email address of one of your colleagues, for example.

You can specify how long you want the shared secret to be valid for, say one hour.

You can also choose one-time view and get a shareable link, and this link is available for the next hour. If I open an incognito window and paste it, let’s take a look. It says someone shared an item with you on the Akeyless platform; to view it, please verify your email address. Let me give it a wrong email address and see what happens.

A link to the secret has been sent to your email.

Let’s check my email real quick.

And nothing shows up in my email.

So let’s do this again with a proper email.

I now see an email with a link that takes me to this site, and I can view this secret right here, and I don’t see anything else in Akeyless.

So it was just that secret that was shared with me. So this is a really, really cool feature.
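The mechanics behind a share like this are worth seeing end to end: a link bound to one recipient, a TTL, an optional one-time view, and a verification step whose response does not reveal whether the address was right (which is why the wrong address above simply produced no email). The following is an added illustration, not Akeyless’s implementation: the store is in-memory, the mailer is a list, the clock is injectable so expiry can be exercised, and every email address and secret value in it is constructed for the example.

```python
import hashlib
import hmac
import secrets
import time


class ShareService:
    """Expiring, optionally one-time share links bound to a recipient email.

    Only hashes of the link and verification tokens are stored, so a leaked
    datastore does not hand out usable links.
    """

    def __init__(self, clock=time.time):
        self.clock = clock
        self.shares = {}    # sha256(link token) -> share record
        self.outbox = []    # (email, verify token) pairs "sent" by the mock mailer

    @staticmethod
    def _h(token):
        return hashlib.sha256(token.encode()).hexdigest()

    def create_share(self, value, recipient_email, ttl_seconds=3600, one_time=True):
        token = secrets.token_urlsafe(32)           # in a product this sits in the URL
        self.shares[self._h(token)] = {
            "value": value,
            "email": recipient_email.strip().lower(),
            "expires": self.clock() + ttl_seconds,
            "one_time": one_time,
            "viewed": 0,
            "verify_hash": None,
        }
        return token

    def request_access(self, link_token, claimed_email):
        """The 'verify your email' step the recipient sees."""
        rec = self.shares.get(self._h(link_token))
        claimed = claimed_email.strip().lower().encode()
        if (rec is not None and self.clock() <= rec["expires"]
                and hmac.compare_digest(rec["email"].encode(), claimed)):
            verify_token = secrets.token_urlsafe(32)
            rec["verify_hash"] = self._h(verify_token)
            self.outbox.append((rec["email"], verify_token))
        # Same message either way: a guesser cannot learn which address the link is for.
        return "A link to the secret has been sent to your email."

    def view(self, verify_token):
        """Follow the emailed link. Returns the value, or None if it may not be shown."""
        h = self._h(verify_token)
        for rec in self.shares.values():
            if rec["verify_hash"] is None or not hmac.compare_digest(rec["verify_hash"], h):
                continue
            if self.clock() > rec["expires"] or (rec["one_time"] and rec["viewed"] >= 1):
                return None
            rec["viewed"] += 1
            return rec["value"]
        return None


def demo():
    """Replays the sequence from the walkthrough with constructed data."""
    now = [1_700_000_000.0]                        # controllable fake clock
    svc = ShareService(clock=lambda: now[0])
    link = svc.create_share("hunter2", "colleague@example.com", ttl_seconds=3600)

    svc.request_access(link, "wrong@example.com")
    sent_to_wrong = len(svc.outbox)                # nothing arrives for a wrong address
    svc.request_access(link, "Colleague@Example.com")
    _, verify = svc.outbox[-1]
    first = svc.view(verify)                       # the one allowed view
    second = svc.view(verify)                      # one-time: refused

    link2 = svc.create_share("s3cret", "colleague@example.com", ttl_seconds=60)
    svc.request_access(link2, "colleague@example.com")
    _, verify2 = svc.outbox[-1]
    now[0] += 61                                   # let the second share expire
    late = svc.view(verify2)
    return {"sent_to_wrong": sent_to_wrong, "first": first, "second": second, "late": late}


if __name__ == "__main__":
    print(demo())
```

The two checks that matter for a practitioner are that the verification response is identical for a wrong address (no enumeration of who a link belongs to) and that the one-time and TTL limits are enforced at view time, not merely at link creation.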

Now let’s take a look at my favorite feature in Akeyless, and this is the universal identity that really solves that secret zero problem that you might run into for on prem deployments.

HashiCorp Vault’s solution to that is using AppRole with the Vault Agent, and I have a few videos about that you can check out. But there are some issues with that when it comes to rebooting the agent and so on. Akeyless actually solves this problem with Universal Identity, or UID.

You can quickly look here: if you go under Authentication, Users and Auth Methods, click New, Universal Identity, you can go ahead and configure that. I’ll probably do a separate video on UID with a demo, but just know that this is the flow, and it’s quite simple. An admin creates a new UID auth method, just as I showed in the previous screen, through the Akeyless SaaS.

The Akeyless SaaS responds with an acknowledgment, and then the admin generates the initial UID token, which we’ll call the u-token, and loads it into the application.

The client, or the application in this case, then runs the auth command using that UID init token we started with. The SaaS responds with a JWT token, which we’ll call the t-token, and the client runs commands using this t-token. Then you can see here that the UID token gets rotated at some point: the client rotates the UID using the u-token, gets back an acknowledgment plus a new u-token, and continues to run auth commands with this new u-token.

And we keep rotating that initial token as we go along. In case of a reboot or something like that, that’s not a problem; we continue to work seamlessly. So once again, I’ll create a separate video just on UID, but this is an excellent feature and an excellent solution to the secret zero problem for on-premises environments where the platform doesn’t give an identity to the resources it spins up.

Something like VMware, for example, doesn’t give you an identity, whereas the clouds, like AWS, Azure, or GCP, give identities to the resources they spin up.
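To make the flow concrete, here is an added simulation of the exchange just described: admin creates the auth method and gets an ack, generates the init u-token and loads it into the workload, the workload trades the u-token for a t-token, rotates the u-token, and keeps working across a reboot. This is not Akeyless code or its API; the SaaS is an in-memory mock, tokens are random strings, the “JWT” is an HMAC-signed JSON blob, and the auth method name and file path are assumptions. What it shows beyond the prose is the two properties that make UID safe: a rotated u-token is dead immediately (replay fails), and the workload persists only the current u-token, so a restart picks up exactly where it left off.

```python
import base64
import hashlib
import hmac
import json
import os
import secrets
import tempfile
import time


class MockSaaS:
    """Stand-in for the SaaS side: mints, verifies and rotates tokens."""

    def __init__(self, t_token_ttl=600):
        self.signing_key = secrets.token_bytes(32)   # signs the mock t-tokens
        self.t_token_ttl = t_token_ttl
        self.auth_methods = set()
        self.live_u_tokens = {}                      # u-token -> auth method name

    def create_uid_auth_method(self, name):
        self.auth_methods.add(name)                  # admin step; the SaaS acks
        return "ack"

    def generate_init_token(self, name):
        if name not in self.auth_methods:            # admin step: initial u-token
            raise KeyError(name)
        u_token = "u-" + secrets.token_hex(16)
        self.live_u_tokens[u_token] = name
        return u_token

    def auth(self, u_token):
        name = self.live_u_tokens.get(u_token)       # client: u-token -> t-token
        if name is None:
            raise PermissionError("unknown, rotated or revoked u-token")
        claims = {"sub": name, "exp": int(time.time()) + self.t_token_ttl}
        body = base64.urlsafe_b64encode(json.dumps(claims).encode()).decode()
        sig = hmac.new(self.signing_key, body.encode(), hashlib.sha256).hexdigest()
        return f"{body}.{sig}"

    def verify_t_token(self, t_token):
        body, _, sig = t_token.rpartition(".")
        expected = hmac.new(self.signing_key, body.encode(), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(sig, expected):
            return False
        return json.loads(base64.urlsafe_b64decode(body))["exp"] > time.time()

    def rotate_u_token(self, u_token):
        name = self.live_u_tokens.pop(u_token, None)  # client: old u-token dies here
        if name is None:
            raise PermissionError("unknown, rotated or revoked u-token")
        new_token = "u-" + secrets.token_hex(16)
        self.live_u_tokens[new_token] = name
        return "ack", new_token


class Workload:
    """Client side: keeps only the current u-token, on disk, so a reboot is harmless."""

    def __init__(self, saas, state_path):
        self.saas, self.state_path = saas, state_path

    def load_u_token(self):
        with open(self.state_path) as f:
            return f.read().strip()

    def save_u_token(self, u_token):
        tmp = self.state_path + ".tmp"
        with open(tmp, "w") as f:
            f.write(u_token)
        os.chmod(tmp, 0o600)
        os.replace(tmp, self.state_path)   # atomic swap: never a half-written file

    def get_t_token(self):
        return self.saas.auth(self.load_u_token())

    def rotate(self):
        # Persist at once: until this write lands, the new u-token exists only in memory.
        _, new_u = self.saas.rotate_u_token(self.load_u_token())
        self.save_u_token(new_u)
        return new_u


def run_flow(state_dir=None):
    """Run the whole exchange and return the checks a practitioner would make."""
    path = os.path.join(state_dir or tempfile.mkdtemp(), "uid_token")
    saas = MockSaaS()
    method = "/on-prem/vmware-app"          # assumed auth method name
    saas.create_uid_auth_method(method)
    u0 = saas.generate_init_token(method)   # admin loads this into the app
    app = Workload(saas, path)
    app.save_u_token(u0)
    t1 = app.get_t_token()                  # auth with the init token
    u1 = app.rotate()                       # rotate; u0 must now be useless
    try:
        saas.auth(u0)
        old_token_rejected = False
    except PermissionError:
        old_token_rejected = True
    rebooted = Workload(saas, path)         # "reboot": new process, same disk
    t2 = rebooted.get_t_token()
    return {
        "rotated": u1 != u0,
        "old_token_rejected": old_token_rejected,
        "t_tokens_valid": saas.verify_t_token(t1) and saas.verify_t_token(t2),
        "survives_reboot": rebooted.load_u_token() == u1,
    }
```

The one window a real deployment has to think about is the gap between the server-side swap in `rotate` and the local write: if the host dies in between, the only copy of the new u-token is gone and an admin has to re-issue an init token, which is why the example writes the file immediately and atomically.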

At number six, we have a password manager from Akeyless, and it has a mobile app for iOS, which you can see on the screen here, and one for Android.

So that’s really cool. They also have Chrome, Edge, and Firefox extensions.

So you can actually use this as your personal password manager and keep personal secrets here that will not be available to anybody else. You can add new items; I have my Akeyless admin email and password here as well. I can add favorites. You can also access the corporate secrets from here, so if I go back and look at my hello secret, I can view it directly.

In addition, for AWS I can launch directly. If I show the value here, it gives me a temporary dynamic secret for accessing AWS, with a username and password as well as an access key ID and secret access key. You can see it expires in three hours. I can also launch this directly: it opens the AWS console and logs me in with those temporary dynamic credentials, which is pretty neat.

As you can see here, I’m logging in to the AWS console.

And if I look at the top, here is my temporary user, temp.samGabrail at TeKanaid.

So I’m already in with those credentials straight from the password manager. It’s a really great addition, supported directly by Akeyless.

Next is secure remote access, which is not available in HashiCorp Vault itself but is available in HashiCorp Boundary.

There is, of course, some integration between Boundary and Vault, but I like that in Akeyless this is a licensed feature integrated into the product as a whole. As you can see here, you can expose different kinds of access to different resources. I have SSH to a couple of resources, PostgreSQL where I can access the database directly, RDP into a Windows machine, and also the Azure portal.

So I can quickly SSH into one of my target machines here, this one, and get a CLI.

And I’m already connected here.

And, of course, I can go into this Postgres database as well and connect through a web portal.

And you kinda get the idea here.

And now I’m in a Windows machine, as you can see. So, again, it’s great to see secure remote access as part of the Akeyless solution, well integrated into the product.

Coming in at number eight is automatic secrets migration, and Akeyless does a great job in helping us to migrate from other secret managers.

If you go into your gateway and under Automatic Migration, there’s a list of different secrets managers you can migrate from into Akeyless.

Here’s AWS Secrets Manager, for example. If you click Add, you can follow the instructions here, which are pretty simple, and start migrating from AWS Secrets Manager. A while ago I had to write an actual Python script to migrate from AWS Secrets Manager over to HashiCorp Vault, so it’s nice to see this already done for us in Akeyless. There is, of course, Active Directory, Azure Key Vault, GCP Secret Manager, Kubernetes Secrets, and HashiCorp Vault as well, so if you want to migrate from HashiCorp Vault, you can go ahead and do that. 1Password, server inventory, and so on. So Akeyless did a really good job in helping us migrate from any of these secrets managers over to Akeyless.
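For anyone who still has to do the migration by hand, here is an added example of the shape such a script takes, written for this page rather than taken from the author or from Akeyless’s migration tool. It walks AWS Secrets Manager with NextToken paging, turns JSON secrets into key-value maps and plain strings into a single `value` key, skips binary secrets rather than corrupting them, maps names to a destination path, and never logs a secret value. The AWS side is a fake with the same response shapes as boto3’s `list_secrets` and `get_secret_value` so the example runs offline; the sink, the `/migrated/aws` prefix, and all secret names and values are constructed for the example. For real use, pass `boto3.client("secretsmanager")` as the source and a thin wrapper around the destination API as the sink.

```python
import json


class FakeSecretsManager:
    """Offline stand-in for the boto3 secretsmanager client: the two calls the
    migration needs, with the same response shapes, including NextToken paging."""

    def __init__(self, secrets_by_name, page_size=2):
        self.secrets_by_name = secrets_by_name   # constructed sample data
        self.page_size = page_size

    def list_secrets(self, **kwargs):
        names = sorted(self.secrets_by_name)
        start = int(kwargs.get("NextToken", 0))
        page = names[start:start + self.page_size]
        resp = {"SecretList": [{"Name": n} for n in page]}
        if start + self.page_size < len(names):
            resp["NextToken"] = str(start + self.page_size)
        return resp

    def get_secret_value(self, SecretId):
        return {"Name": SecretId, **self.secrets_by_name[SecretId]}


class InMemorySink:
    """Stand-in for the destination; real code would call the Vault or Akeyless API."""

    def __init__(self):
        self.items = {}

    def write(self, path, data):
        self.items[path] = data


def aws_name_to_path(name, prefix):
    # Secrets Manager names may contain "/"; keep the hierarchy, drop empty segments.
    return prefix + "/" + "/".join(seg for seg in name.split("/") if seg)


def migrate(source, sink, prefix="/migrated/aws"):
    """Copy every secret from source to sink. Returns counts only; values are never logged."""
    stats = {"migrated": 0, "skipped_binary": 0}
    kwargs = {}
    while True:
        resp = source.list_secrets(**kwargs)
        for entry in resp["SecretList"]:
            val = source.get_secret_value(SecretId=entry["Name"])
            if "SecretString" not in val:
                stats["skipped_binary"] += 1         # SecretBinary needs its own handling
                continue
            try:
                data = json.loads(val["SecretString"])
                if not isinstance(data, dict):
                    raise ValueError("not a JSON object")
            except ValueError:
                data = {"value": val["SecretString"]}  # plain string -> single key
            sink.write(aws_name_to_path(entry["Name"], prefix), data)
            stats["migrated"] += 1
        if "NextToken" not in resp:
            return stats
        kwargs = {"NextToken": resp["NextToken"]}


def demo():
    """Runs the migration over constructed data; every value below is made up."""
    source = FakeSecretsManager({
        "prod/db/postgres": {"SecretString": json.dumps({"username": "app", "password": "pw-constructed"})},
        "prod/api-token": {"SecretString": "tok-constructed"},
        "prod/tls/keystore": {"SecretBinary": b"\x00\x01"},
        "dev//lint/": {"SecretString": "x"},
    }, page_size=2)
    sink = InMemorySink()
    return migrate(source, sink), sink.items


if __name__ == "__main__":
    stats, items = demo()
    print(stats, sorted(items))     # paths only; never print the values
```

Two details are deliberate: a JSON secret whose top level is not an object (a bare number or string in JSON) is stored as a plain `value`, so nothing is silently dropped, and the loop keys on the presence of `NextToken` rather than on an empty page, which is how the real API signals the end.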

Next on our list is the universal secrets connector. Think of it as a manager of managers. You can have Akeyless access multiple other secrets managers, like AWS Secrets Manager, for example. There are use cases where other teams just can’t use Akeyless and have to use AWS Secrets Manager.

So we can still have a two-way sync between those secrets managers. You go under Items, New, Universal Secrets Connector. There is support for AWS, Azure, GCP, and Kubernetes secrets. For AWS, for example, you select it and go through and apply the configuration.

I already have something running, so let’s go ahead and take a look under AWS and view all secrets.

You see that I already have two secrets, secret one and two.

We can view secret one, foobar, and secret two, my secret. And if I open my AWS console, I can see the same thing here.

foobar and secret two, I’ve got my secret.

And it is a two-way sync, so if I go ahead and delete secret two, for example, that deletion shows up here.

I’ve deleted the secret from AWS Secrets Manager, and it’s reflected here in Akeyless. I can also create a new secret; let’s call it secret three.

And let’s give it a key-value pair with the value “my new secret”.

Save that.

Now if I go to AWS, secret three already shows up here; retrieve secret value, and my new secret is available. So we have a two-way sync between Akeyless and the other secrets managers it supports, which is great for some of those use cases I mentioned earlier.

Finally, we come to our last feature in Akeyless, and that is reporting. I mentioned that I really like the Akeyless UI, and the team put a lot of effort into the front end.

Out of the box, Akeyless gives you a lot of analytics, which you can see here, that are not available in HashiCorp Vault.

There you’d have to send the data to Splunk, for example, or some other monitoring tool. Out of the box, you can see quite a lot in Akeyless.

You still might want to send logs and metrics to some other system you have, for sure. But out of the box, you can already see quite a lot. Under analytics you can see the total number of items and the locations of current requests.

You can see, for the last week, for example, where requests were coming from, and requests by action type, the different kinds of requests that came through last week.

Request volume, response time. You can also look at certificates:

which certificates are expired, high risk, medium risk, low risk, healthy, and the total number of certificates in the environment.

You can take a look at the audit logs as well. I can see every single audit log entry, filter here, and take a closer look at all my audit logs straight from the UI.

But what I also love is the event center. You can open the event center and see all the different events that have happened.

I can filter here, for example, for certificates that are about to expire and see this particular certificate that’s about to expire. You can also see usage reports with some pretty graphs. So it’s really nice to see this available out of the box.

As we’ve seen, Akeyless is a compelling alternative to HashiCorp Vault with its SaaS-first approach. I encourage you to take a closer look at Akeyless.

I have two other videos. One is a general demo of all the Akeyless features, and the other talks about DFC, their patented technology that allows you to trust the SaaS secrets manager. I find it quite compelling. Thank you for watching.