Vault partner program

Official partner integrations provide a verified and seamless user experience for mutual customers. Partners with verified runtime integrations or proprietary plugins receive one or both of the following partner badges for use on the associated product documentation to provide visibility and differentiation to customers.

Vault Enterprise Verified integrations must work with Vault Enterprise features such as namespaces, HSM support, or key management.

HCP Vault Verified integrations must work with HCP Vault Dedicated.

Partner integration options

Runtime integrations use Vault as part of the identity or security workflow of a partner product. Runtime integrations typically allow users to provide information about their existing Vault deployment so the partner application or platform can retrieve and use information stored in Vault. With runtime integrations, Vault can store and provide access to secrets, issue and manage PKI certificates, or act as an external key management system for the partner system.

Runtime integrations often require modifying the partner product to become Vault aware in the following ways:

The application understands and supports the Vault concept of namespaces.
The application understands the Vault authentication workflow and can properly authenticate itself to Vault.

Token authentication is not appropriate for production

We cannot verify your integration as production-ready unless your product supports at least one authN method aside from tokens. Manually generated, long-lived tokens violate security best practice and pose a security risk.

Partner process overview

The Vault integration development process typically moves through the following steps:

Engage - You contact HashiCorp and express interest in developing an official partner integration.
Enable - You review the relevant product documentation and articles related to the functionality of your integration.
Develop and test - You develop and test your integration.
Review - An iterative process during which HashiCorp reviews your integration and provides feedback.
Release - HashiCorp verifies the integration and, once you execute the HashiCorp technology partnership agreement, HashiCorp adds your information to the Vault integration listing.
Support - You provide ongoing maintenance and support of your integration.

Development Process

Get help

If you have questions or feedback about the partner process, please contact us at: technologypartners@hashicorp.com

Step 1: Engage with HashiCorp

Fill out the Vault integration program intake form to start the process.

We use the intake form to track your integration as you move through the partner process and notify you of any known, overlapping work in process by HashiCorp or the Vault community.

Vault has a large and active ecosystem of partners that be working on a similar integration. As much as possible, we try to connect similar parties to avoid duplicate work.

Step 2: Enable your development

While not mandatory, we strongly encourage you to sign a mutual non-disclosure agreement (MNDA) to allow for open dialog and sharing of ideas between you and HashiCorp during the integration process.

We also recommend reviewing similar integrations before you start development:

Current partner integrations by current partners.
Sample runtime integrations:
- F5
- ServiceNow
Ask questions in the Vault Community Forum

Adopting similar structures and coding patterns can help expedite the review and release process for your integration.

Integrating with HCP Vault Dedicated

You can spin up a test instance of HCP Vault Dedicated to help with development. HCP Vault Dedicated is a turn-key managed service that requires minimal configuration to get started and we provide new users using the development cluster with an initial credit.

Step 3: Develop and test your integration

Requirements for all integrations:

You must have appropriate documentation so users can use your integration successfully.
You must support namespaces. The main, top-level namespace in HCP Vault Dedicated is admin. The main, top-level namespace in Vault Enterprise is root. Vault Community Edition does not support namespaces.
HCP Vault Dedicated integrations must be runnable on AWS. Currently, HCP Vault Dedicated only runs on AWS and must be able to communicate with your integration using a private peered connection through a HashiCorp virtual network.

Requirements for runtime integrations:

Support at least one authentication method besides standard tokens. We strongly recommend using one of the following methods, which automatically create short lived tokens:
Allow flexible mount paths for secrets engines.

Recommendations for runtime integrations:

Review the audit process and device options in Vault.
Review the current Vault authN methods documentation.
For HSM integrations, review the current HSM support in Vault.
For HSM integrations, review the available PKCS#11 configuration options.

Recommendations for proprietary authentication plugins:

Write your plugin in Go. Vault builds from Go code and the integration development process is more straightforward when you follow the same structures and coding patterns.
Review the audit process and device options in Vault.
Review documentation for current authentication plugins.
Read the Building a Vault Secure Plugin blog post.
Review authN plugin samples for common patterns and objects.

Step 4: Complete the partner review process

Once you have a working integration, send your test results and documentation to technologypartners@hashicorp.com to schedule an initial review. You must provide HashiCorp with test credentials for the underlying infrastructure and be able to demo the integration to HashiCorp representatives.

During review, we use your documentation to test the integration against self-managed Vault and HCP Vault Dedicated to provide feedback. The review process is iterative and may take multiple rounds to complete.

To complete the review process you must:

Address all concerns or problems identified by the HashiCorp team.
Sign the HashiCorp Technology Partner Agreement
Review any applicable logo guidelines and your partner listing.
Communicate your plan to support your integration and respond to customer issues.

Step 5: Release your integration

Once we verify your integration code, documentation, and support plan, and you sign the partner agreement, you can officially release your partner integration.

For HCP Vault Dedicated integrations, we issue and display the HCP Vault Verified badges on your partner page.
For Vault Enterprise or Community Edition integrations, we recommend hosting your proprietary plugin on Github in addition to the official listing on the dedicated HashiCorp partners page to make it easier for customers to find and download your integration. You can also list you plugin on the Vault Integrations page by opening a PR to update the vault folder in the hashicorp/integrations GitHub repo.

Step 6: Support your integration

We view your integration release as the first step in enabling users to leverage your product in their infrastructure.

We expect partners to provide on-going support for their integrations in line with the following SLAs:

Track and resolve critical issues within 48 hours
Track and resolve non-critical issues within 5 business days.

We cannot verify integrations that lack active support and will not list those integrations on our partner pages.