HashiCorp Vault
An open-source secrets management tool that centrally stores, controls access to, and dynamically generates credentials — replacing scattered environment variables and hardcoded secrets.
HashiCorp Vault is the de facto secrets management solution for production infrastructure. Instead of storing database passwords in environment variables, AWS keys in CI/CD pipelines, and API tokens scattered across services, Vault centralizes secrets with fine-grained access control, audit logging, and dynamic credential generation.
Core Concepts
- Secrets Engines — plugins that handle different secret types (KV store, database credentials, PKI certificates, AWS/GCP/Azure IAM credentials, SSH keys)
- Auth Methods — how identities are verified (Kubernetes service accounts, AWS IAM, LDAP, GitHub tokens, AppRole for services)
- Policies — HCL rules that define what paths a given identity can read/write/list
- Leases and Renewal — credentials have TTLs; Vault revokes them when leases expire
Dynamic Credentials
Vault's most powerful feature is dynamic secrets. Instead of storing a long-lived PostgreSQL password, Vault creates a temporary database user with limited permissions when a service requests it — and deletes that user when the lease expires. Compromised credentials are short-lived and scoped.
# Request dynamic PostgreSQL credentials
vault read database/creds/my-app-role
# Returns: username=v-app-xyz, password=A1b2C3d4, lease_duration=1h
Kubernetes Integration
Vault integrates tightly with Kubernetes via the Vault Agent Injector (sidecar) and the Vault Secrets Operator (CSI driver). Services running in Kubernetes authenticate using their pod's service account token, and Vault injects secrets directly into the pod's filesystem — no secret ever touches a Kubernetes Secret object (which is only base64-encoded, not encrypted at rest by default).
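The two flows above, Kubernetes service-account login followed by the dynamic database credential lease lifecycle (read, renew, revoke), as an added stdlib-only client against Vault's HTTP API. This is example code written for this page, not Vault's own client or the Vault Agent; it assumes the Kubernetes auth method is mounted at auth/kubernetes, the database engine at database/, a role name my-app, VAULT_ADDR as the address source, and a swappable transport so the flow can be exercised offline.

```python
import json
import os
import urllib.request


def http_transport(method, url, token, body=None):
    """One JSON request to Vault's HTTP API (token is None before login)."""
    data = json.dumps(body).encode() if body is not None else None
    req = urllib.request.Request(url, data=data, method=method)
    req.add_header("Content-Type", "application/json")
    if token:
        req.add_header("X-Vault-Token", token)
    with urllib.request.urlopen(req, timeout=10) as resp:
        raw = resp.read()
        return json.loads(raw) if raw else {}


class VaultClient:
    def __init__(self, addr=None, transport=http_transport):
        self.addr = (addr or os.environ.get("VAULT_ADDR", "http://127.0.0.1:8200")).rstrip("/")
        self.token = None            # set by login_kubernetes()
        self.transport = transport   # swappable so the flow can be tested offline

    def _call(self, method, path, body=None):
        return self.transport(method, f"{self.addr}/v1/{path}", self.token, body)

    def login_kubernetes(self, role, jwt=None):
        """POST auth/kubernetes/login with the pod's service-account JWT -> client token."""
        if jwt is None:  # default: projected token path inside a Kubernetes pod
            with open("/var/run/secrets/kubernetes.io/serviceaccount/token") as f:
                jwt = f.read().strip()
        r = self._call("POST", "auth/kubernetes/login", {"role": role, "jwt": jwt})
        self.token = r["auth"]["client_token"]
        return self.token

    def read_db_creds(self, role):
        """GET database/creds/<role>: a freshly created DB user plus its lease."""
        r = self._call("GET", f"database/creds/{role}")
        return {"username": r["data"]["username"], "password": r["data"]["password"],
                "lease_id": r["lease_id"], "lease_duration": r["lease_duration"]}

    def renew_lease(self, lease_id, increment):
        """PUT sys/leases/renew: returns the TTL Vault granted (may be capped by max_ttl)."""
        r = self._call("PUT", "sys/leases/renew", {"lease_id": lease_id, "increment": increment})
        return r["lease_duration"]

    def revoke_lease(self, lease_id):
        """PUT sys/leases/revoke: drop the DB user now rather than at lease expiry."""
        self._call("PUT", "sys/leases/revoke", {"lease_id": lease_id})
        return True
```

Call revoke_lease on graceful shutdown so the temporary database user disappears immediately instead of lingering until the lease expires.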
PKI and Certificate Management
Vault's PKI secrets engine is a full internal certificate authority — issue TLS certificates for internal services automatically, with short TTLs and automated renewal. This enables mTLS between microservices without managing a certificate authority manually.
Vault vs AWS Secrets Manager
- AWS Secrets Manager — managed, no ops overhead, AWS-native, costs per secret per month
- Vault — self-hosted, multi-cloud, dynamic credentials, PKI, more complex to operate
For AWS-only shops, AWS Secrets Manager is simpler. For multi-cloud or on-premises environments with dynamic credential needs, Vault is the right tool.
Related Terms
- Kubernetes — primary deployment target; Vault integrates via service account auth
- Tailscale — provides network-level access control complementing Vault's secret-level control
- Argo CD — GitOps delivery that uses Vault-injected secrets for app configs
- Pulumi — Pulumi ESC integrates with Vault for IaC secret management