Case Study: Bridgewater achieves secure, scalable AWS authentication for Vault with HashiCorp

A HashiCorp Case Study

Preview of the Bridgewater Case Study

The HashiCorp Vault AWS IAM backend: a deep dive with the author

Bridgewater, the global investment firm that manages about $160 billion for institutional investors, needed a secure way to distribute authentication credentials to applications running on AWS. As it expanded into cloud services like EC2, Lambda, and ECS, it faced the “secure introduction” problem: how to get secrets onto instances without baking them into AMIs, storing them in S3, or relying on brittle external orchestration.

HashiCorp’s Vault AWS IAM auth backend solved this by letting applications authenticate to Vault with native AWS IAM credentials, using signed `sts:GetCallerIdentity` requests and optional server-ID headers for added protection. The result was a more secure, scalable, and future-proof secret management approach with granular auditability, no long-lived secrets, replay protection, and support for any AWS service, helping Bridgewater protect the systems behind its $160 billion platform.


Joel Thompson, Systems Engineer, Bridgewater
