Why HashiCorp Vault
Vault centralizes secrets management — API keys, database credentials, certificates, encryption keys. Dynamic secrets, automatic rotation, fine-grained access control.
Quick Start
```bash
# Dev mode: in-memory storage, starts unsealed, plain HTTP, single root token.
# The server stays in the foreground, so run it in its own terminal.
vault server -dev -dev-root-token-id=root
# Point the CLI at it (without -dev-root-token-id the root token is random; copy it from the server output)
export VAULT_ADDR='http://127.0.0.1:8200'
export VAULT_TOKEN='root'
```
Store and Retrieve Secrets
```bash
# Write a secret (dev mode mounts a KV v2 engine at secret/; the API path is secret/data/myapp)
vault kv put secret/myapp db_password=SuperSecret123 api_key=abc123
# Read a secret
vault kv get secret/myapp
vault kv get -field=db_password secret/myapp
```
Dynamic Database Credentials
```bash
# Configure the database secrets engine
vault secrets enable database
# The "vault" database user must itself be allowed to CREATE ROLE, since Vault creates a role per request
vault write database/config/mydb \
    plugin_name=postgresql-database-plugin \
    connection_url="postgresql://{{username}}:{{password}}@db:5432/mydb" \
    allowed_roles="readonly" \
    username="vault" \
    password="vault-password"
# Define what a "readonly" credential looks like and how long it lives
vault write database/roles/readonly \
    db_name=mydb \
    creation_statements="CREATE ROLE \"{{name}}\" WITH LOGIN PASSWORD '{{password}}' VALID UNTIL '{{expiration}}'; GRANT SELECT ON ALL TABLES IN SCHEMA public TO \"{{name}}\";" \
    default_ttl="1h" \
    max_ttl="24h"
# Get dynamic credentials (returns username, password, lease_id and lease_duration)
vault read database/creds/readonly
```
Every read of database/creds/readonly creates a fresh Postgres role with its own lease. Vault drops the role when the lease expires (default_ttl, renewable up to max_ttl), or earlier if you revoke the lease yourself.
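The KV read and the dynamic-credential flow above, driven through the HTTP API that the vault CLI uses under the hood. This is an added example, not code from the post or from HashiCorp: the `VaultClient` wrapper and the `fake_opener` stand-in server are assumptions, and the lease id, username and password are constructed values. It also shows the step the CLI snippet leaves implicit: revoking the lease as soon as the credentials are no longer needed.

```python
import io
import json
import urllib.request
from contextlib import contextmanager

# Assumed helper (not Vault's own code): thin wrapper over the HTTP API that the vault CLI calls.
class VaultClient:
    def __init__(self, addr, token, opener=urllib.request.urlopen):
        self.addr, self.token, self.opener = addr.rstrip("/"), token, opener

    def _call(self, method, path, body=None):
        data = json.dumps(body).encode() if body is not None else None
        req = urllib.request.Request(f"{self.addr}/v1/{path}", data=data, method=method)
        req.add_header("X-Vault-Token", self.token)
        with self.opener(req) as resp:
            return json.loads(resp.read() or b"{}")  # revoke answers 204 with no body

    def kv_get(self, path, mount="secret"):
        # KV v2 reads go through <mount>/data/<path>; `vault kv get` inserts the "data/" for you
        return self._call("GET", f"{mount}/data/{path}")["data"]["data"]

    @contextmanager
    def db_creds(self, role, mount="database"):
        lease = self._call("GET", f"{mount}/creds/{role}")
        try:
            yield lease["data"]["username"], lease["data"]["password"], lease["lease_duration"]
        finally:  # revoke the lease when done instead of leaving the DB role alive until the TTL expires
            self._call("PUT", "sys/leases/revoke", {"lease_id": lease["lease_id"]})

# Constructed stand-in for a Vault server so the flow runs offline; it records every API call it sees.
CALLS = []
RESPONSES = {
    "GET /v1/secret/data/myapp": {"data": {"data": {"db_password": "SuperSecret123", "api_key": "abc123"}}},
    "GET /v1/database/creds/readonly": {"lease_id": "database/creds/readonly/FAKE-LEASE-ID",
        "lease_duration": 3600, "data": {"username": "v-token-readonly-fake", "password": "fake-pw"}},
    "PUT /v1/sys/leases/revoke": None,
}

def fake_opener(req):
    key = f"{req.get_method()} {req.selector}"
    CALLS.append((key, json.loads(req.data) if req.data else None))
    return io.BytesIO(b"" if RESPONSES[key] is None else json.dumps(RESPONSES[key]).encode())

def demo():
    CALLS.clear()
    client = VaultClient("http://127.0.0.1:8200", "root", opener=fake_opener)
    api_key = client.kv_get("myapp")["api_key"]
    with client.db_creds("readonly") as (user, _password, ttl):
        used = (user, ttl)  # the dynamic credentials are only valid inside this block
    return api_key, used, CALLS
```

Against a real dev server, drop the `opener=` argument and `demo()` performs the same three calls over HTTP; the revoke shows up in the Vault audit log as a `sys/leases/revoke` update.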
Kubernetes Integration
```yaml
apiVersion: secrets-store.csi.x-k8s.io/v1
kind: SecretProviderClass
metadata:
  name: vault-secrets
spec:
  provider: vault
  parameters:
    roleName: myapp
    vaultAddress: http://vault:8200
    objects: |
      - objectName: "db-password"
        secretPath: "secret/data/myapp"
        secretKey: "db_password"
```
roleName is a Vault Kubernetes auth role: the pod authenticates with its service account token, and the role's policy decides which paths (here secret/data/myapp) it may read. secretPath is the API path, which for KV v2 includes the data/ segment the CLI hides.
Key Features
- Dynamic secrets — unique credentials per request
- Encryption as a service — encrypt data without managing keys
- PKI — issue TLS certificates programmatically
- Identity — tokens, AppRole, Kubernetes, LDAP, OIDC
- Audit — every secret access logged
- Open source — BSL license
Resources
Need to audit secrets, extract security configs, or manage credentials? Check out my Apify tools or email spinov001@gmail.com for custom solutions.