HashiCorp Vault is the industry standard for secrets management. It provides a unified API to manage secrets, encryption keys, certificates, and database credentials with fine-grained access control.
## What Is Vault?
Vault secures, stores, and tightly controls access to tokens, passwords, certificates, and encryption keys. It handles leasing, key revocation, key rolling, and auditing through a unified API.
Key Features:
- Secrets engine (KV, database, PKI, SSH)
- Dynamic secrets with automatic rotation
- Encryption as a service (Transit engine)
- Identity-based access control
- Audit logging
- High availability
- Kubernetes integration
- Auto-unseal
## Quick Start

```bash
# Install Vault
brew install vault

# Start dev server
# (dev mode runs in-memory, starts already unsealed and prints a root token; it is for local experiments, not production)
vault server -dev

# In another terminal
export VAULT_ADDR='http://127.0.0.1:8200'
export VAULT_TOKEN='hvs.xxxxx' # shown in dev output

# Store a secret
vault kv put secret/myapp db_password=supersecret api_key=abc123

# Read it back
vault kv get secret/myapp
```
## Vault API: REST Interface

```python
import requests

VAULT = "http://127.0.0.1:8200/v1"
HEADERS = {"X-Vault-Token": "hvs.your-token"}

# Write a secret (KV v2: the payload is wrapped in a "data" object)
requests.post(f"{VAULT}/secret/data/myapp", headers=HEADERS, json={
    "data": {
        "db_host": "prod-db.example.com",
        "db_password": "supersecret",
        "api_key": "sk-abc123"
    }
})

# Read a secret (KV v2 also nests the values under response["data"]["data"])
response = requests.get(f"{VAULT}/secret/data/myapp", headers=HEADERS).json()
secrets = response["data"]["data"]
print(f"DB: {secrets['db_host']}, Password: {secrets['db_password']}")

# List all secrets (LIST is a custom HTTP method and is issued against the metadata path)
keys = requests.request("LIST", f"{VAULT}/secret/metadata/", headers=HEADERS).json()
for key in keys["data"]["keys"]:
    print(f"Secret: {key}")
```
## Dynamic Database Credentials

```python
# Configure database secrets engine
# {{username}} and {{password}} are Vault templates filled from the fields below,
# so the admin credential is not embedded in the connection URL itself.
requests.post(f"{VAULT}/database/config/mydb", headers=HEADERS, json={
    "plugin_name": "postgresql-database-plugin",
    "connection_url": "postgresql://{{username}}:{{password}}@db:5432/myapp",
    "allowed_roles": ["readonly", "readwrite"],
    "username": "vault_admin",
    "password": "admin_password"
})

# Create role ({{name}}, {{password}} and {{expiration}} are filled in by Vault per issued credential)
requests.post(f"{VAULT}/database/roles/readonly", headers=HEADERS, json={
    "db_name": "mydb",
    "creation_statements": [
        "CREATE ROLE \"{{name}}\" WITH LOGIN PASSWORD '{{password}}' VALID UNTIL '{{expiration}}'; "
        "GRANT SELECT ON ALL TABLES IN SCHEMA public TO \"{{name}}\";"
    ],
    "default_ttl": "1h",
    "max_ttl": "24h"
})

# Get dynamic credentials (new user each time!)
creds = requests.get(f"{VAULT}/database/creds/readonly", headers=HEADERS).json()
print(f"Username: {creds['data']['username']}")
print(f"Password: {creds['data']['password']}")
print(f"Expires: {creds['lease_duration']}s")
```
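The credential above is tied to a lease: it lasts `default_ttl` and can be extended only up to `max_ttl`, after which Vault drops the database user. As an added example (not code from the original post), here is a small client that fetches a credential, renews its lease through `sys/leases/renew` shortly before it runs out, falls back to a freshly issued user when Vault refuses or caps the renewal, and revokes the lease on shutdown through `sys/leases/revoke`. It uses only the standard library; the `transport` and `clock` parameters are hypothetical hooks that let the lifecycle logic run offline in a test, not part of any Vault SDK.

```python
import json
import time
import urllib.error
import urllib.request

def http_transport(method, url, headers, body=None):
    """Default transport: one Vault API call using only the standard library."""
    req = urllib.request.Request(url, method=method, headers=headers,
                                 data=json.dumps(body).encode() if body is not None else None)
    raw = urllib.request.urlopen(req, timeout=10).read()  # raises HTTPError on 4xx/5xx
    return json.loads(raw) if raw else {}  # sys/leases/revoke answers 204 with no body

class DynamicDbCreds:
    """Lease lifecycle for one dynamic DB credential: fetch, renew, replace, revoke."""

    def __init__(self, addr, token, role, transport=http_transport, clock=time.time):
        self.base, self.headers, self.role = f"{addr}/v1", {"X-Vault-Token": token}, role
        self.transport, self.clock = transport, clock  # hypothetical hooks, injectable for tests
        self.lease_id, self.expires_at, self.username, self.password = None, 0.0, None, None

    def _call(self, method, path, body=None):
        return self.transport(method, f"{self.base}/{path}", self.headers, body)

    def fetch(self):
        """GET database/creds/<role>: Vault creates a new DB user with its own lease."""
        r = self._call("GET", f"database/creds/{self.role}")
        self.lease_id, self.expires_at = r["lease_id"], self.clock() + r["lease_duration"]
        self.username, self.password = r["data"]["username"], r["data"]["password"]
        return self.username, self.password

    def ensure_valid(self, min_remaining=300):
        """Return usable credentials: renew the lease once fewer than min_remaining seconds
        remain, and issue a new user when Vault refuses or caps the renewal (max_ttl)."""
        if self.lease_id and self.expires_at - self.clock() > min_remaining:
            return self.username, self.password
        if self.lease_id:
            try:
                r = self._call("PUT", "sys/leases/renew", {"lease_id": self.lease_id})
                self.expires_at = self.clock() + r["lease_duration"]
                if self.expires_at - self.clock() > min_remaining:
                    return self.username, self.password
            except urllib.error.HTTPError:
                pass  # lease already expired/revoked or not renewable: fall through
        return self.fetch()

    def revoke(self):  # call on shutdown so Vault drops the DB user immediately
        if self.lease_id:
            self._call("PUT", "sys/leases/revoke", {"lease_id": self.lease_id})
            self.lease_id = self.username = self.password = None
```

Call `ensure_valid()` before each database connection instead of caching the username and password at startup; a credential read once and kept for the life of the process stops working as soon as its lease ends.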
## Transit Engine (Encryption as a Service)

```python
import base64

# Create encryption key
requests.post(f"{VAULT}/transit/keys/my-key", headers=HEADERS)

# Encrypt data (Transit expects base64-encoded plaintext; the key itself never leaves Vault)
plaintext = base64.b64encode(b"sensitive data").decode()
encrypted = requests.post(f"{VAULT}/transit/encrypt/my-key", headers=HEADERS, json={
    "plaintext": plaintext
}).json()
ciphertext = encrypted["data"]["ciphertext"]
print(f"Encrypted: {ciphertext}")

# Decrypt data (the returned plaintext is base64-encoded as well)
decrypted = requests.post(f"{VAULT}/transit/decrypt/my-key", headers=HEADERS, json={
    "ciphertext": ciphertext
}).json()
original = base64.b64decode(decrypted["data"]["plaintext"]).decode()
print(f"Decrypted: {original}")
```
## Kubernetes Integration

```yaml
# Vault Agent Injector
apiVersion: apps/v1
kind: Deployment
metadata:
  name: myapp
spec:
  template:
    metadata:
      annotations:
        vault.hashicorp.com/agent-inject: "true"
        vault.hashicorp.com/role: "myapp"
        vault.hashicorp.com/agent-inject-secret-config: "secret/data/myapp"
    spec:
      serviceAccountName: myapp
      containers:
        - name: myapp
          image: myapp:latest
# Secrets available at /vault/secrets/config
```
## Resources
- Vault Docs
- Vault GitHub — 31K+ stars
- API Reference