HashiCorp Vault provides centralized secrets management, encryption as a service, and identity-based access. It eliminates hardcoded secrets and provides audit trails for all secret access.
Vault Setup

# Enable KV secrets engine
vault secrets enable -path=secret kv-v2
# Store secret
vault kv put secret/myapp/db username=admin password=secret123

Kubernetes Integration
apiVersion: secrets-store.csi.x-k8s.io/v1
kind: SecretProviderClass
metadata:
  name: vault-secrets
spec:
  provider: vault
  parameters:
    vaultAddress: "https://vault:8200"
    roleName: "myapp"
    objects: |
      - objectName: "db-password"
        secretPath: "secret/data/myapp/db"
        secretKey: "password"

Dynamic Secrets
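# Enable database secrets engine
vault secrets enable database
# Configure the connection; Vault substitutes username/password into the
# {{username}}/{{password}} template (placeholder values, replace with your own)
vault write database/config/mydb \
    plugin_name=postgresql-database-plugin \
    connection_url="postgresql://{{username}}:{{password}}@db:5432" \
    allowed_roles="readonly" \
    username="<vault-db-admin-user>" \
    password="<vault-db-admin-password>"

Dynamic secrets are generated on-demand and automatically revoked, eliminating long-lived credentials.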
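
The connection above allows a role called readonly but never defines it. The following added example (not part of the original page) defines that role, issues a short-lived credential from it and revokes a lease early; the TTL values, the SQL grant on schema public and the function names are assumptions.

```shell
#!/usr/bin/env bash
# Added example: defines the "readonly" role named in allowed_roles and
# issues short-lived credentials from it. TTLs and SQL grants are assumptions.

# SQL that Vault runs to create each temporary PostgreSQL user. {{name}},
# {{password}} and {{expiration}} are filled in by Vault at issue time.
readonly_creation_sql() {
  cat <<'SQL'
CREATE ROLE "{{name}}" WITH LOGIN PASSWORD '{{password}}' VALID UNTIL '{{expiration}}';
GRANT SELECT ON ALL TABLES IN SCHEMA public TO "{{name}}";
SQL
}

# Create the role bound to the mydb connection. default_ttl is the lifetime
# of each credential; max_ttl caps how far a lease can be renewed.
create_readonly_role() {
  vault write database/roles/readonly \
    db_name=mydb \
    creation_statements="$(readonly_creation_sql)" \
    default_ttl=1h \
    max_ttl=24h
}

# Issue a fresh username/password pair. The JSON response carries lease_id
# and lease_duration alongside data.username and data.password.
issue_readonly_creds() {
  vault read -format=json database/creds/readonly
}

# Revoke one lease before its TTL expires, for example on workload shutdown
# or during incident response.
revoke_lease() {
  vault lease revoke "$1"
}

# Run the flow only when asked to, so sourcing this file has no side effects.
if [ "${1:-}" = "run" ]; then
  set -eu
  create_readonly_role
  issue_readonly_creds
fi
```

Running `vault lease revoke -prefix database/creds/readonly` revokes every outstanding credential issued from the role at once.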



