https://github.com/17J/30-Days-Cloud-DevSecOps-Journey
What is a Secret?
A secret is any sensitive piece of information used to authenticate or authorize access.
Examples:
Database Password
AWS Access Key
JWT Signing Key
API Token
TLS Certificate
Private Key
OAuth Secret
If a secret gets exposed:
Attacker → Application Access → Database Access → Infrastructure Compromise
What is Secrets Management?
Secrets Management is the process of:
Store
Protect
Rotate
Control
Audit
sensitive credentials securely.
A modern secrets management platform provides:
- Centralized storage
- Encryption
- Access control
- Secret rotation
- Audit logs
- Dynamic credentials
Why Secrets Management Matters
Imagine this scenario:
database:
  username: admin
  password: Password123
committed into GitHub.
Result:
Developer Pushes Code → GitHub Repository → Credential Leak → Database Breach
This happens more often than people realize.
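As an added example (not from the original post), a small scanner that flags the kind of committed config shown above before it reaches GitHub. The key-name rules are heuristics, the AWS key ID shape is AWS's published format, and the sample config is constructed.

```python
import re

# Detection rules. The AWS access key ID shape (AKIA + 16 uppercase alphanumerics)
# is AWS's published format; the other two are heuristics on key names / PEM headers.
RULES = {
    "aws_access_key_id": re.compile(r"\b(AKIA[0-9A-Z]{16})\b"),
    "private_key_block": re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----"),
    "password_assignment": re.compile(
        r"^\s*(password|passwd|secret|api[_-]?key|token)\s*[:=]\s*['\"]?([^\s'\"#]+)",
        re.IGNORECASE,
    ),
}

# Values that are references or placeholders rather than real secrets:
# ${VAR}, $VAR, <fill-me-in>, a vault:... reference, CHANGEME.
PLACEHOLDERS = re.compile(r"^(\$\{.*\}|\$[A-Z_]+|<.*>|vault:.*|CHANGEME)$", re.IGNORECASE)

def scan_text(text, filename="<memory>"):
    """Return findings as (filename, line_no, rule, stripped_line) tuples."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for rule, pattern in RULES.items():
            match = pattern.search(line)
            if match is None:
                continue
            if rule == "password_assignment" and PLACEHOLDERS.match(match.group(2)):
                continue  # password: ${DB_PASSWORD} is how it should look
            findings.append((filename, line_no, rule, line.strip()))
    return findings

# Constructed sample: the scenario from the text plus AWS's documentation example key.
SAMPLE_CONFIG = """\
database:
  username: admin
  password: Password123
aws_access_key_id: AKIAIOSFODNN7EXAMPLE
safe:
  password: ${DB_PASSWORD}
"""

if __name__ == "__main__":
    for finding in scan_text(SAMPLE_CONFIG, "config.yaml"):
        print("%s:%d [%s] %s" % finding)
```

Wired into a pre-commit hook, a non-empty result blocks the commit; the placeholder rule keeps Vault or environment references from being reported.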
The Problem with Traditional Secret Storage
Many teams use:
.env Files
Kubernetes Secrets
Configuration Files
Hardcoded Passwords
Problems:
- Difficult rotation
- No audit trail
- Poor access control
- Risk of accidental exposure
- Compliance failures
What is HashiCorp Vault?
HashiCorp Vault is a centralized secrets management platform designed to securely store, access, and manage secrets.
Think of Vault as:
Central Secret Bank
for your infrastructure and applications.
Instead of:
Application → Database Password
stored locally,
you use:
Application → Vault → Database Credentials
Why HashiCorp Created Vault
Modern infrastructure became increasingly complex.
Organizations adopted:
- Kubernetes
- Multi-cloud
- Microservices
- Containers
- CI/CD Pipelines
Suddenly there were thousands of secrets.
Example:
50 Microservices → 20 Secrets Each → 1000 Secrets
Managing them manually became impossible.
Vault was created to solve this problem.
Core Features of HashiCorp Vault
1. Centralized Secret Storage
All secrets stored in one location.
Applications → HashiCorp Vault → Secrets
2. Encryption as a Service
Vault encrypts sensitive data.
Plain Text → Encryption → Encrypted Secret
3. Dynamic Secrets
One of Vault's most powerful features.
Instead of:
Static Password
Vault generates temporary credentials.
Example:
Application → Vault → Temporary Database User → Expires Automatically
4. Secret Rotation
Vault automatically rotates secrets.
Example:
Old Password → Vault Rotation → New Password
No manual work required.
5. Audit Logging
Every secret access is logged.
Example:
Who accessed?
When?
What secret?
From where?
Critical for compliance.
6. Fine-Grained Access Control
Not everyone should access every secret.
Vault provides:
Policy-Based Access
Example:
Developer → Read Dev Secrets
Production Secrets → Denied
Main Vault Components
Vault Server
Core service responsible for:
- Authentication
- Authorization
- Secret storage
- Encryption
Storage Backend
Stores encrypted secrets.
Examples:
Integrated Storage (Raft)
Consul
AWS DynamoDB
PostgreSQL
Authentication Methods
Vault supports:
- Userpass
- LDAP
- GitHub
- Kubernetes
- AWS IAM
- Azure AD
- OIDC
Example:
Developer → GitHub Login → Vault
Policies
Vault policies define access permissions.
Example:
path "secret/data/dev/*" {
  capabilities = ["read"]
}
Meaning:
Can read dev secrets only
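An added example (not from the page or from Vault's own source) that models how Vault evaluates a policy like the one above: the most specific path rule wins (an exact path over a glob, a longer glob prefix over a shorter one), capabilities from several attached policies on the same path are merged, deny overrides, and a path with no matching rule is denied by default. Policies are written as dicts instead of HCL so the block runs on its own.

```python
DENY = "deny"

def most_specific_rule(rules, request_path):
    """Return the capability set of the rule that best matches request_path.
    Exact match wins; otherwise the trailing-'*' glob with the longest prefix."""
    if request_path in rules:
        return rules[request_path]
    best, best_len = None, -1
    for pattern, caps in rules.items():
        if not pattern.endswith("*"):
            continue
        prefix = pattern[:-1]
        if request_path.startswith(prefix) and len(prefix) > best_len:
            best, best_len = caps, len(prefix)
    return best

def merge_policies(policies):
    """Union the capabilities of identical paths across all attached policies."""
    merged = {}
    for policy in policies:
        for pattern, caps in policy.items():
            merged.setdefault(pattern, set()).update(caps)
    return merged

def is_allowed(policies, request_path, capability):
    """Default deny: no matching rule, or 'deny' on the winning rule, refuses."""
    caps = most_specific_rule(merge_policies(policies), request_path)
    if caps is None or DENY in caps:
        return False
    return capability in caps

# Constructed policies in the style of the HCL above (path -> capabilities).
DEV_READONLY = {"secret/data/dev/*": ["read", "list"]}
PROD_DENY = {"secret/data/prod/*": ["deny"]}
SECRET_WIDE = {"secret/*": ["read"]}
BREAK_GLASS = {"secret/data/prod/*": ["read"], "secret/data/prod/root-creds": ["deny"]}

if __name__ == "__main__":
    for path in ("secret/data/dev/app", "secret/data/prod/app"):
        print(path, "read:", is_allowed([DEV_READONLY], path, "read"))
```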
What are Secrets Engines?
Secrets Engines are plugins that generate or store secrets.
Vault ships with many.
KV Secrets Engine
Most common.
Stores:
Username
Password
API Keys
Tokens
Example:
vault kv put secret/app \
  username=admin \
  password=secret123
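An added example (not the repository's code) showing how the CLI command above maps onto the KV version 2 HTTP API that programs and policies actually see: the CLI path secret/app becomes /v1/secret/data/app, which is why the policy earlier on this page refers to secret/data/dev/*. The address and token are assumed values and the read response is constructed.

```python
import json
import urllib.request

def kv2_api_path(mount, key, metadata=False):
    """Map a CLI-style KV path ('secret/app') to the KV v2 API path.
    KV v2 inserts 'data/' (or 'metadata/') after the mount point."""
    segment = "metadata" if metadata else "data"
    return f"/v1/{mount.strip('/')}/{segment}/{key.strip('/')}"

def kv2_put_body(**pairs):
    """Body of a KV v2 write: the key/value pairs are wrapped under 'data'."""
    return json.dumps({"data": pairs})

def kv2_read_request(addr, token, mount, key):
    """Build the GET request for a KV v2 read; the token travels in X-Vault-Token."""
    request = urllib.request.Request(addr.rstrip("/") + kv2_api_path(mount, key))
    request.add_header("X-Vault-Token", token)
    return request

def kv2_parse_read(response_body):
    """Return (secret_dict, version) from a KV v2 read response, which nests the
    secret under data.data and its metadata under data.metadata."""
    payload = json.loads(response_body)
    return payload["data"]["data"], payload["data"]["metadata"]["version"]

def read_secret(addr, token, mount, key):
    """Fetch and parse a secret from a running Vault (assumed address and token)."""
    with urllib.request.urlopen(kv2_read_request(addr, token, mount, key)) as resp:
        return kv2_parse_read(resp.read().decode())

# Constructed response in the shape Vault returns for GET /v1/secret/data/app.
SAMPLE_READ_RESPONSE = json.dumps({
    "data": {
        "data": {"username": "admin", "password": "secret123"},
        "metadata": {"version": 2, "destroyed": False, "deletion_time": ""},
    }
})

if __name__ == "__main__":
    print(kv2_api_path("secret", "app"))  # /v1/secret/data/app
    print(kv2_put_body(username="admin", password="secret123"))
    print(kv2_parse_read(SAMPLE_READ_RESPONSE))
```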
Database Secrets Engine
Creates temporary database users.
Example:
Application → Vault → Temporary PostgreSQL User
Automatically expires later.
PKI Secrets Engine
Issues certificates dynamically.
Example:
Vault → TLS Certificate
instead of manually creating certificates.
AWS Secrets Engine
Generates temporary AWS credentials.
Example:
Application → Vault → AWS IAM Credentials
Dynamic Secrets vs Static Secrets
Static Secret
password123
Exists forever.
Dynamic Secret
Generated → Used → Automatically Expired
Much safer.
Why Dynamic Secrets Are Important
Static credentials are often stolen.
Dynamic credentials reduce risk because:
Credential Expires → Attack Window Reduced
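An added example, not from the page: a small lease tracker built around the response shape Vault returns for a dynamic credential (lease_id, lease_duration in seconds, renewable, and the credential under data). It shows how the lease bounds the time a captured credential stays usable and when a client should renew. The sample response and all timestamps are constructed.

```python
import json
from dataclasses import dataclass

@dataclass(frozen=True)
class DynamicCredential:
    lease_id: str
    username: str
    password: str
    issued_at: float       # epoch seconds when the credential was obtained
    lease_duration: int    # seconds of validity granted by Vault
    renewable: bool

    @property
    def expires_at(self):
        return self.issued_at + self.lease_duration

    def is_valid(self, now):
        return now < self.expires_at

    def should_renew(self, now, fraction=0.7):
        """Renew once a fraction of the lease has elapsed, leaving margin
        for clock skew and one failed renewal attempt."""
        return self.renewable and now >= self.issued_at + fraction * self.lease_duration

def parse_creds_response(body, issued_at):
    """Parse the JSON body of GET /v1/database/creds/<role> (aws/creds/<role> has the same shape)."""
    payload = json.loads(body)
    return DynamicCredential(
        lease_id=payload["lease_id"],
        username=payload["data"]["username"],
        password=payload["data"]["password"],
        issued_at=issued_at,
        lease_duration=int(payload["lease_duration"]),
        renewable=bool(payload["renewable"]),
    )

def exposure_window(cred, stolen_at):
    """Seconds a credential captured at stolen_at remains usable: zero if it had
    already expired, otherwise whatever is left on the lease."""
    return max(0.0, cred.expires_at - stolen_at)

# Constructed response in the shape Vault returns for a database role.
SAMPLE_CREDS_RESPONSE = json.dumps({
    "lease_id": "database/creds/app-role/EXAMPLE-LEASE-ID",
    "lease_duration": 3600,
    "renewable": True,
    "data": {"username": "v-app-role-EXAMPLE", "password": "EXAMPLE-GENERATED"},
})
```

A static password has no expires_at at all, so its exposure window after a leak is unbounded until someone notices and rotates it.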
Installing Vault in Development Environment
Development mode is useful for learning.
Run Vault Using Docker
docker run \
  --cap-add=IPC_LOCK \
  -e VAULT_DEV_ROOT_TOKEN_ID=root \
  -p 8200:8200 \
  hashicorp/vault
Access:
http://localhost:8200
Login:
Token: root
Verify Vault
Point the CLI at the dev server first (set VAULT_ADDR to http://localhost:8200, since the dev server listens on plain HTTP while the CLI defaults to HTTPS), then run:
vault status
Expected output:
Initialized: true
Sealed: false
Store First Secret
vault kv put secret/app \
  username=admin \
  password=password123
Retrieve:
vault kv get secret/app
Installing Vault in Kubernetes
Most production environments run Vault inside Kubernetes.
Add Helm Repository
helm repo add hashicorp \
  https://helm.releases.hashicorp.com
Update Repository
helm repo update
Install Vault
helm install vault hashicorp/vault
Verify:
kubectl get pods
Enable UI
server:
  ui:
    enabled: true
Production Vault Architecture
Recommended architecture:
Load Balancer → Vault Cluster → Raft Storage
Multiple replicas:
Vault-1
Vault-2
Vault-3
for high availability.
Vault Auto-Unseal
Without Auto-Unseal:
Vault Restart → Manual Unseal Required
Production clusters use:
- AWS KMS
- Azure Key Vault
- GCP KMS
for automatic unsealing.
Vault + Kubernetes Integration
Vault can inject secrets directly into Pods.
Traditional:
env:
  DB_PASSWORD: password123
Vault:
Pod → Vault Agent → Secret Injection
No hardcoded secrets.
Vault Agent Injector
Automatically injects secrets into Pods.
Application Pod → Vault Sidecar → Secret Available
without storing secrets in Git.
Vault in CI/CD Pipelines
Modern CI/CD:
GitHub Actions → Vault Authentication → Temporary Secrets → Deployment
Benefits:
- No hardcoded credentials
- Automatic rotation
- Auditability
Vault Security Best Practices
Enable TLS
Never expose Vault without HTTPS.
Use Auto-Unseal
Avoid manual operations.
Use Least Privilege Policies
Grant minimum access.
Enable Audit Logs
Track every access.
Use Dynamic Secrets
Avoid static passwords.
Integrate with Identity Provider
Examples:
Azure AD
Okta
GitHub
LDAP
Common Use Cases
Kubernetes Secrets Management
Pods → Vault → Secrets
Database Credentials
Application → Vault → Temporary PostgreSQL User
Cloud Credentials
Application → Vault → AWS IAM Credentials
PKI Certificates
Vault → Generate TLS Certificates
Enterprise Vault Architecture
Developers → Applications → Vault Cluster → Policies → Secrets Engines → Database / Cloud / Certificates
Final Thoughts
Modern infrastructure depends on secrets.
As organizations adopt:
- Kubernetes
- Multi-cloud
- GitOps
- Platform Engineering
- DevSecOps
traditional secret management approaches are no longer sufficient.
HashiCorp Vault solves this problem by providing:
Centralized Storage
Dynamic Secrets
Secret Rotation
Audit Logging
Encryption
Fine-Grained Access Control
For small AWS-only workloads, AWS Secrets Manager may be enough.
For Azure-only environments, Azure Key Vault works well.
But for organizations needing:
Multi-Cloud
Kubernetes
Hybrid Cloud
Advanced Security
HashiCorp Vault remains one of the most powerful and widely adopted secrets management platforms available today.