Introducing hvresult: Vault GitOps Simplified

Discover hvresult, ThreatKey's innovative open-source tool designed to simplify HashiCorp Vault access control management. Learn how it streamlines GitOps practices, enhances policy transparency, and eases change control for Vault ACLs. Ideal for teams seeking efficiency in security operations.

At ThreatKey, we're always on the lookout for ways to enhance security practices and streamline our operations. Today, we're excited to introduce a new tool that promises to do just that. Meet hvresult, an open-source utility designed to simplify the management of HashiCorp Vault access controls, making it as effortless as running Vault GitOps was two decades ago. Developed by our own engineer, Mark, hvresult is a testament to our commitment to innovation and security excellence.

What Is hvresult?

hvresult is a versatile tool compatible with macOS, Linux, and Windows that serves two primary functions:

  1. It reveals the capabilities of any entity authenticated to Vault, streamlining the process without requiring any special setup.
  2. It significantly eases the most challenging aspect of managing change control for access control within HashiCorp Vault.

For those familiar with managing Active Directory, hvresult might remind you of gpresult.exe, a utility from the Windows 2000 Resource Kit that displays the effects of Group Policy Objects on a computer or user. Drawing inspiration from this nearly two-decade-old tool, hvresult performs a similar function for HashiCorp Vault ACLs by computing and displaying a Resultant Set of Policy (RSoP).
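
To make the idea of a Resultant Set of Policy concrete, here is an added Python example (not hvresult's code or output) of how capabilities from several Vault policies resolve for one request path. The policy names and paths are constructed, and only exact paths and trailing-`*` globs are modelled.

```python
# Added example: simplified Vault ACL resolution. Policy names and paths are
# constructed. Only exact paths and trailing-* prefix globs are modelled
# (no "+" segment wildcards, no parameter constraints).

POLICIES = {  # constructed sample policies: path pattern -> capabilities
    "default":   {"secret/data/*": ["read", "list"]},
    "ci-deploy": {"secret/data/*": ["create", "update"],
                  "secret/data/prod/*": ["read"]},
    "lockdown":  {"secret/data/prod/db": ["deny"]},
}

def merge_policies(names, policies=POLICIES):
    """Union capabilities per identical path pattern; deny overrides the rest."""
    merged = {}
    for name in names:
        for pattern, caps in policies[name].items():
            merged.setdefault(pattern, set()).update(caps)
    return {p: ({"deny"} if "deny" in c else c) for p, c in merged.items()}

def resultant_capabilities(names, request_path, policies=POLICIES):
    """Return the sorted capabilities that apply to request_path."""
    merged = merge_policies(names, policies)
    if request_path in merged:          # an exact match always wins
        return sorted(merged[request_path])
    # otherwise only the longest matching prefix glob applies
    globs = [p for p in merged
             if p.endswith("*") and request_path.startswith(p[:-1])]
    if not globs:
        return ["deny"]                 # nothing matches: denied by default
    return sorted(merged[max(globs, key=len)])

if __name__ == "__main__":
    who = ["default", "ci-deploy", "lockdown"]
    for path in ("secret/data/dev/app", "secret/data/prod/app",
                 "secret/data/prod/db", "sys/mounts"):
        print(f"{path:24} {resultant_capabilities(who, path)}")
```

Note that `secret/data/prod/app` resolves to `read` only: the more specific pattern replaces the broader grant instead of adding to it, which is the kind of result that is hard to see by reading each policy in isolation.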

The Practicality of hvresult

The utility of hvresult becomes apparent when dealing with HCL, the language used for Vault policies. By running a simple command, users can view the RSoP, making it invaluable for debugging permissions issues and refining policy configurations. Here's a glimpse of what hvresult can do:

This functionality has proven essential for our team at ThreatKey, offering clarity and control over our Vault access policies.

Embracing GitOps with hvresult

At ThreatKey, our approach to Vault policy change management is rooted in GitOps. This method leverages tools traditionally used by application developers—such as version control, pull request approval, and continuous integration/deployment—for automating changes to Infrastructure as Code. hvresult shines in this aspect by facilitating the illustration of policy and policy assignment changes within a GitOps repository.

Consider the following example, which demonstrates how hvresult can be used to download policy information to a directory and then utilize git diff to identify changes:

This process not only streamlines the management of policy changes but also enhances transparency and accountability within the team.

Integrating Changes into Workflow

The output of hvresult is designed to be intuitive and GitHub Flavored Markdown compatible, allowing for seamless integration into pull request comments. This feature ensures that reviewers have all the necessary information at their fingertips, facilitating a more efficient review process.

Get Started with hvresult

We believe hvresult will be a game-changer for teams managing HashiCorp Vault access controls, offering unprecedented simplicity and efficiency. To get started with hvresult, download the tool and explore the detailed documentation available at https://github.com/threatkey-oss/hvresult.

At ThreatKey, we're proud to contribute to the open-source community and help organizations strengthen their security posture. hvresult is just the beginning, and we look forward to seeing how it will transform Vault GitOps practices across the industry.
