2026
HashiCorp Vault: Secrets Management Done Right
Static credentials stored in config files and environment variables are a liability waiting to surface. Vault replaces them with dynamic, short-lived secrets, centralised access control and a full audit trail of who touched what.
Secrets end up in the wrong places. A database password committed to a repository. An API key hardcoded into a deployment script. A shared credential that has not been rotated in three years because nobody is sure what depends on it. These situations are common. Most organisations reach a point where the number of secrets in circulation is high enough that tracking them manually stops being feasible.
HashiCorp Vault is a tool built around the problem of secrets management. It provides a central place to store, generate, control access to and audit the use of secrets across an infrastructure. The goal is not just to keep secrets in one place. It is to make it possible to know who accessed what, when, to issue credentials that expire automatically, to revoke access instantly when something goes wrong.
What the problem actually looks like
The conventional approach to secrets is to store them somewhere and hope that somewhere stays controlled. Environment variables in a deployment pipeline. A shared password manager. A config file on the server. An encrypted secrets store in the cloud provider. These approaches work up to a point, but they share a common weakness: the secret exists as a static value that gets copied from wherever it lives into wherever it is needed.
Static secrets tend to persist long past their intended lifespan. A credential provisioned for a service that was decommissioned two years ago might still be valid. A database password shared between three services cannot be rotated without coordinating across all three at once. When a breach happens and you need to revoke credentials quickly, the question of what has access to what is often harder to answer than it should be.
Vault approaches this differently by treating secrets as something that should be generated on demand, issued with a defined lifespan and revoked automatically rather than stored indefinitely and passed around manually.
How Vault is structured
Vault organises everything around paths. Secrets live at paths. Auth methods are mounted at paths. Policies refer to paths. This gives Vault a consistent addressing model regardless of what kind of secret or operation is involved.
Example Vault path structure
secret/data/production/db-password
KV engine mounted at secret/, reading key db-password under production/
database/creds/readonly-role
Database engine mounted at database/, generating credentials for readonly-role
aws/creds/deploy-role
AWS engine mounted at aws/, generating temporary IAM credentials for deploy-role
auth/kubernetes/login
Kubernetes auth method mounted at auth/kubernetes/
Policies are written in HCL and grant capabilities on paths. A policy that allows read on secret/data/production/* lets the token holder read any secret under that prefix. Capabilities include read, write, delete, list and create. Tokens can have multiple policies attached. The union of all capabilities from all attached policies determines what the token can do.
Secrets engines
Secrets engines are the plugins that handle different categories of secret. Each engine is mounted at a path. Some engines store data you write to them. Others generate data dynamically when you make a request.
KV (Key/Value)
The simplest engine. You write a secret at a path and read it back later. Version 2 adds full revision history so you can see what a secret looked like at any point in time. Useful for static credentials and configuration values that do not change often.
Database
Vault connects directly to a database and generates short-lived credentials on demand. Every service that asks gets its own username with its own expiry. When the lease expires Vault revokes the credentials. No long-lived shared passwords sitting in config files.
AWS
Generates temporary IAM credentials tied to a specific policy. The application gets an access key that expires after a configurable period. Vault handles the AWS API calls to create them. The application never touches a long-lived IAM user key.
PKI
Vault acts as a certificate authority. Applications request certificates at runtime and receive short-lived leaf certificates signed by Vault. Rotating the CA or revoking certificates becomes an operational task in Vault rather than a manual process across every service.
Transit
Encryption as a service. Your application sends plaintext to Vault and receives ciphertext back. Vault holds the key. The application never touches raw key material. Useful when you want encryption without distributing key management responsibilities to every team.
Dynamic secrets
The most consequential thing Vault can do is generate credentials that did not exist before the request. A service asks Vault for database access. Vault calls the database, creates a user with the right permissions and hands back a username and password. That credential exists for as long as the lease is valid. When the lease expires, Vault calls the database again and drops the user.
Dynamic secret lifecycle
Service requests credentials
↓ Vault generates a unique credential in the target system
Vault returns credentials with a lease ID and TTL
↓ Service uses the credentials for the duration of its work
Service renews the lease if it needs more time
↓ Vault extends the TTL up to the configured maximum
Lease expires or is revoked
↓ Vault deletes the credential from the target system
Credential no longer exists anywhere
The consequence of this model is that credential exposure becomes time-bounded. A leaked database username from a dynamic secrets engine is valid for at most as long as the lease TTL. There is no long-lived shared password to rotate. If a service is compromised, its credentials can be revoked by revoking the lease rather than rotating a password that might be stored in other places.
Authentication methods
Before Vault will issue anything, the client has to prove who it is. Auth methods handle this. Different auth methods suit different contexts. A human operator logs in differently than a Kubernetes pod.
AppRole
Service-to-service auth. A role ID and secret ID are issued separately. The application combines them to log in. Commonly used in CI pipelines and automated deployments where there is no human identity to authenticate against.
Kubernetes
Pods authenticate using their service account JWT. Vault validates the token against the Kubernetes API. No static credentials are needed in the pod. The identity is derived from the Kubernetes identity already present in the runtime environment.
AWS IAM
An EC2 instance or Lambda function proves its identity by signing a request using its instance profile. Vault verifies the signature with AWS. The instance gets a Vault token without any credential being provisioned ahead of time.
LDAP / OIDC
Human operators authenticate using existing identity providers. OIDC lets Vault delegate to any compliant provider such as Google Workspace or Okta. Operators log in with credentials they already manage rather than a separate Vault password.
Successful authentication returns a token. Everything in Vault from that point forward happens through the token. Tokens carry the policies that govern what the holder can do. They have a TTL. They can be set to expire after a certain number of uses. Orphaned tokens whose parent was revoked can be set to expire automatically.
The token lifecycle
Tokens are the currency of Vault access. Everything flows through them.
Client authenticates
Using whichever auth method is configured for their identity type
Vault issues a token
Token has a TTL, a set of policies attached and optionally a use count
Client makes requests
Every API call includes the token. Vault checks the attached policies before responding
Token renewed or expires
Short-lived tokens force rotation. Dynamic secrets tied to the token are revoked when it expires
Seal and unseal
When Vault starts it is sealed. In a sealed state it knows where its encrypted data lives but it does not have the key to decrypt it. The data is inaccessible. No secrets can be read. No auth can succeed. Vault has to be unsealed before it can do anything.
Unsealing requires providing enough key material to reconstruct the master key. By default Vault uses Shamir secret sharing: the master key is split into N shares and any K of them must be provided together to reconstruct it. An operator with a single key share cannot unseal Vault alone. This prevents any one person from having unilateral access to the underlying key material.
Auto-unseal via a cloud KMS
# vault.hcl
seal "awskms" {
region = "eu-west-1"
kms_key_id = "mrk-abc1234..."
}
In production most teams use auto-unseal. Vault delegates the unsealing step to a cloud KMS such as AWS KMS, Google Cloud KMS or Azure Key Vault. When Vault restarts it calls the KMS to decrypt the master key automatically. Human operators are no longer in the critical path for a service restart. The security boundary shifts to access control on the KMS key rather than physical custody of key shares.
Audit logging
Every request to Vault is logged. Every authentication attempt, every secret read, every failed access. The audit log records who made the request, what path they accessed, what the result was. Secret values themselves are hashed in the log rather than written in plaintext.
This is one of the more underrated features. A centralised secrets store is also a centralised audit trail for secret access. If a breach is suspected, the audit log tells you which token accessed which secret during which window. That kind of forensic capability is genuinely hard to build when secrets are scattered across environment variables, config files and a shared password manager.
Vault requires at least one audit device to be enabled before it will operate. If all audit devices are unavailable Vault stops responding to requests rather than continuing without logging. The tradeoff is deliberate: availability is sacrificed to preserve the audit guarantee.
Where it fits
Vault is not a simple tool to operate. It has a learning curve. The conceptual model of paths, engines, auth methods and policies takes time to internalise. Running it in production means thinking about high availability, storage backends, unsealing strategy and audit device availability. These are real operational concerns.
What it gives back is worth the investment at a certain scale. Once infrastructure grows past the point where you can manually track every credential, Vault provides a coherent answer to where secrets come from, who can access them, how long they last and what happened to them. Those questions matter most during an incident when the pressure to act quickly can easily make a bad situation worse if the answers are unclear.
The most immediate impact for most teams is usually replacing static database credentials with the database secrets engine. The operational overhead is low once configured. The improvement in posture is real: every credential that was shared, manually rotated and impossible to fully revoke becomes a short-lived credential with a known lifespan that disappears automatically.