# Secret Management on HashiCorp Vault

![Vault secret management flow](/files/EVQoZamRhy6FWEFJBQU1)

> **Intro:** Secret managers exist because CI variables, repo files, and host-level config files stop scaling safely once environments and teams multiply.

## What Vault does

Vault is a secret-management control plane that supports:

* static secrets through **KV** engines
* **dynamic secrets** on demand
* **transit** encryption and signing workflows
* **PKI** issuance
* policy-based access and audit logging

## How it works

1. a client authenticates through token, AppRole, Kubernetes auth, OIDC/JWT, or cloud auth
2. Vault maps identity to policies
3. Vault returns a secret (with a lease when the secret is dynamic) or performs a cryptographic operation
4. audit devices record the action
5. credentials can expire and be revoked

## Basic lab install

```bash
curl -fsSL https://apt.releases.hashicorp.com/gpg | sudo gpg --dearmor -o /usr/share/keyrings/hashicorp-archive-keyring.gpg
echo "deb [signed-by=/usr/share/keyrings/hashicorp-archive-keyring.gpg] https://apt.releases.hashicorp.com $(lsb_release -cs) main" | sudo tee /etc/apt/sources.list.d/hashicorp.list
sudo apt-get update && sudo apt-get install -y vault
```

```hcl
# Lab-only listener: plaintext on every interface. A production listener
# terminates TLS (tls_cert_file / tls_key_file) and never sets tls_disable.
ui = true
listener "tcp" {
  address     = "0.0.0.0:8200"
  tls_disable = 1
}
# Single-node file storage: fine for a lab, no HA (see the Raft section below).
storage "file" {
  path = "/opt/vault/data"
}
api_addr      = "http://127.0.0.1:8200"
disable_mlock = true
```

## Basic init and KV v2 use

```bash
export VAULT_ADDR='http://127.0.0.1:8200'
# Defaults: 5 unseal key shares, threshold 3. The shares and the initial root
# token are printed once; store them out of band.
vault operator init
# Repeat until the threshold of shares has been entered (three times by default).
vault operator unseal
# Bootstrap with the initial root token only; revoke it once operator auth
# methods and policies are in place.
vault login
vault secrets enable -path=secret kv-v2
vault kv put secret/payments/api username="svc-payments" password="REPLACE_ME"
# KV v2 patch changes one field and writes a new version; other fields are kept.
vault kv patch secret/payments/api password="ROTATED_VALUE"
```

## Kubernetes auth example

```bash
vault auth enable kubernetes
# When Vault itself runs in the cluster it can use the pod's service-account
# token and CA; when it runs outside, also pass kubernetes_ca_cert and
# token_reviewer_jwt.
vault write auth/kubernetes/config \
  kubernetes_host="https://$KUBERNETES_SERVICE_HOST:$KUBERNETES_SERVICE_PORT"
# Bind one service account in one namespace to one policy with a short TTL.
# token_policies / token_ttl are the current parameter names; policies / ttl
# are still accepted as deprecated aliases.
vault write auth/kubernetes/role/payments-api \
  bound_service_account_names=payments-api \
  bound_service_account_namespaces=payments \
  token_policies=payments-app \
  token_ttl=1h
```
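The role above hands out tokens carrying the `payments-app` policy, but the page never shows what that policy contains, and on KV v2 the grant must name the API path (`secret/data/...`), not the CLI path used by `vault kv put`. The following Python is an added example, not Vault's own code: a small evaluator for the `path "..." { capabilities = [...] }` subset of policy HCL that merges policies the way Vault's ACL does (same path: capabilities unioned, `deny` wins; exact path beats a glob) and shows why a `secret/payments/*` grant never matches a KV v2 read. The policy bodies, the `signing-key` path, and the evaluator itself are constructed for illustration; the `payments-app` name and `secret/payments/api` come from the page.

```python
"""Evaluate Vault-style ACL policies against request paths.

Added example, not Vault's own code. It handles the subset of policy HCL made of
`path "..." { capabilities = [...] }` blocks, merges several policies the way
Vault's ACL does (capabilities for the same path are unioned and "deny" wins),
and resolves a request by exact path match first, then by the most specific
glob match. Policy bodies below are constructed.
"""
import re
from typing import Dict, Set

# Constructed body for the payments-app policy referenced by the Kubernetes
# role. KV v2 quirk: `vault kv put secret/payments/api` writes the API path
# secret/data/payments/api, so the grant must name secret/data/..., and the
# metadata tree (listing, version history) is a separate path.
PAYMENTS_APP_POLICY = '''
path "secret/data/payments/*" {
  capabilities = ["read"]
}
path "secret/metadata/payments/*" {
  capabilities = ["list"]
}
'''

# Constructed guard-rail policy: an explicit deny on one path wins over any
# broader grant held by the same identity, and an exact path beats a glob.
DENY_SIGNING_KEY_POLICY = '''
path "secret/data/payments/signing-key" {
  capabilities = ["deny"]
}
'''

# Constructed mistake: the CLI path, not the API path, so it never matches.
KV_V1_STYLE_POLICY = '''
path "secret/payments/*" {
  capabilities = ["read"]
}
'''

_BLOCK_RE = re.compile(
    r'path\s+"(?P<path>[^"]+)"\s*\{\s*capabilities\s*=\s*\[(?P<caps>[^\]]*)\]\s*\}'
)


def parse_policy(hcl: str) -> Dict[str, Set[str]]:
    """Return {path_pattern: capabilities} for one policy document."""
    rules: Dict[str, Set[str]] = {}
    for m in _BLOCK_RE.finditer(hcl):
        caps = {c.strip().strip('"') for c in m.group("caps").split(",") if c.strip()}
        rules.setdefault(m.group("path"), set()).update(caps)
    return rules


def merge_policies(*policies: str) -> Dict[str, Set[str]]:
    """Merge policies into one ACL: the same path gets the union of capabilities."""
    acl: Dict[str, Set[str]] = {}
    for text in policies:
        for path, caps in parse_policy(text).items():
            acl.setdefault(path, set()).update(caps)
    return acl


def _pattern_to_regex(pattern: str) -> "re.Pattern":
    """'+' matches exactly one path segment; a trailing '*' matches any suffix."""
    segments = pattern.split("/")
    out = []
    for i, seg in enumerate(segments):
        if seg == "+":
            out.append("[^/]+")
        elif i == len(segments) - 1 and seg.endswith("*"):
            out.append(re.escape(seg[:-1]) + ".*")
        else:
            out.append(re.escape(seg))
    return re.compile("^" + "/".join(out) + "$")


def capabilities_for(acl: Dict[str, Set[str]], path: str) -> Set[str]:
    """Exact match first; otherwise the matching pattern with the longest
    literal prefix (a simplification of Vault's radix-tree lookup)."""
    if path in acl:
        return set(acl[path])
    matches = [p for p in acl if _pattern_to_regex(p).match(path)]
    if not matches:
        return set()
    best = max(matches, key=lambda p: len(p.rstrip("*")))
    return set(acl[best])


def is_allowed(acl: Dict[str, Set[str]], operation: str, path: str) -> bool:
    """True if the merged ACL grants `operation` on `path`; deny always wins."""
    caps = capabilities_for(acl, path)
    if "deny" in caps:
        return False
    return operation in caps


if __name__ == "__main__":
    acl = merge_policies(PAYMENTS_APP_POLICY, DENY_SIGNING_KEY_POLICY)
    for op, path in [("read", "secret/data/payments/api"),
                     ("delete", "secret/data/payments/api"),
                     ("read", "secret/data/payments/signing-key"),
                     ("list", "secret/metadata/payments/")]:
        print(f"{op:6} {path:40} -> {'allow' if is_allowed(acl, op, path) else 'deny'}")
    print("KV v1-style grant on KV v2 path ->",
          is_allowed(merge_policies(KV_V1_STYLE_POLICY), "read", "secret/data/payments/api"))
```

Running it shows the read on `secret/data/payments/api` allowed, delete denied, the `signing-key` read denied by the exact-path rule even though the glob would have allowed it, and the KV v1-style grant matching nothing at all, which is the usual cause of a "permission denied" on a freshly written KV v2 policy.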

## HA with Raft

```hcl
# Integrated (Raft) storage: every node gets its own node_id and lists each
# peer's API address, itself included, so one block template works on all
# nodes. The https addresses assume a TLS listener, as in production.
storage "raft" {
  path    = "/vault/data"
  node_id = "vault-1"
  retry_join { leader_api_addr = "https://vault-0.internal:8200" }
  retry_join { leader_api_addr = "https://vault-1.internal:8200" }
  retry_join { leader_api_addr = "https://vault-2.internal:8200" }
}
# api_addr: where clients reach this node; cluster_addr: node-to-node traffic.
api_addr      = "https://vault-1.internal:8200"
cluster_addr  = "https://vault-1.internal:8201"
# Recommended with integrated storage, which manages its own memory mapping.
disable_mlock = true
```

## Common mistakes

* using dev mode outside local experimentation
* no TLS in production paths
* one shared root token for operators
* no audit devices
* static secrets only where dynamic leases would help
* no restore testing for snapshots
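Two of the mistakes above (a shared root token, no audit devices) only become visible when audit logs are actually read, which is also what step 4 of "How it works" relies on. The script below is an added example, not Vault tooling: it triages file-audit-device JSON lines and flags root-token use, policy / auth-method / mount changes, and audit-device removal. The log lines are constructed to mirror the device's layout (`type`, `auth.display_name`, `auth.policies`, `request.operation`, `request.path`, `request.remote_address`, HMAC'd values); the names, addresses and timestamps are made up.

```python
"""Triage Vault audit-device log lines for operator-risk patterns.

Added example, not Vault's own tooling. A file audit device writes one JSON
object per line: `type` is "request" or "response", `auth` carries the caller's
display_name and policies, `request` carries operation, path and
remote_address; secret values and tokens are HMAC'd. The lines below are
constructed to look like that output. The rules encode two of the page's
"common mistakes": day-to-day use of the root token, and changes to policies
or audit devices.
"""
import json
from typing import Any, Dict, List

# Constructed sample: a normal app read (request + its response), a root-token
# read of the same secret, a policy rewrite, an audit device being disabled,
# and one unparsable line.
SAMPLE_AUDIT_LOG = r'''
{"time":"2024-05-01T10:00:00Z","type":"request","auth":{"display_name":"kubernetes-payments-payments-api","policies":["default","payments-app"],"token_type":"service"},"request":{"operation":"read","path":"secret/data/payments/api","remote_address":"10.42.0.17"}}
{"time":"2024-05-01T10:00:00Z","type":"response","auth":{"display_name":"kubernetes-payments-payments-api","policies":["default","payments-app"],"token_type":"service"},"request":{"operation":"read","path":"secret/data/payments/api","remote_address":"10.42.0.17"},"response":{"data":{"data":{"password":"hmac-sha256:REDACTED"}}}}
{"time":"2024-05-01T10:05:12Z","type":"request","auth":{"display_name":"root","policies":["root"],"token_type":"service"},"request":{"operation":"read","path":"secret/data/payments/api","remote_address":"192.0.2.10"}}
{"time":"2024-05-01T10:06:40Z","type":"request","auth":{"display_name":"oidc-alice","policies":["default","ops-admin"],"token_type":"service"},"request":{"operation":"update","path":"sys/policies/acl/payments-app","remote_address":"192.0.2.11"}}
{"time":"2024-05-01T10:07:03Z","type":"request","auth":{"display_name":"root","policies":["root"],"token_type":"service"},"request":{"operation":"delete","path":"sys/audit/file","remote_address":"192.0.2.10"}}
this line is not JSON
'''

# Paths whose mutation changes who can do what, or what gets recorded.
CONTROL_PLANE_PREFIXES = ("sys/policies/", "sys/auth/", "sys/mounts/")
MUTATING_OPS = {"create", "update", "delete"}


def classify(event: Dict[str, Any]) -> List[Dict[str, str]]:
    """Apply the alert rules to one parsed audit event; returns zero or more findings."""
    findings: List[Dict[str, str]] = []
    auth = event.get("auth") or {}
    req = event.get("request") or {}
    base = {
        "time": event.get("time", ""),
        "who": auth.get("display_name", "?"),
        "path": req.get("path", ""),
        "remote_address": req.get("remote_address", ""),
    }
    op, path = req.get("operation", ""), req.get("path", "")

    # Rule 1: the root token should be revoked after bootstrap; any later use
    # is either a break-glass event or a shared-credential habit.
    if "root" in (auth.get("policies") or []):
        findings.append({**base, "rule": "root-token-use", "severity": "high"})

    # Rule 2: removing an audit device blinds every later rule.
    if op == "delete" and path.startswith("sys/audit/"):
        findings.append({**base, "rule": "audit-device-removed", "severity": "critical"})
    # Rule 3: policy, auth-method or mount changes move the trust boundary.
    elif op in MUTATING_OPS and path.startswith(CONTROL_PLANE_PREFIXES):
        findings.append({**base, "rule": "control-plane-change", "severity": "high"})
    return findings


def triage(log_text: str) -> Dict[str, Any]:
    """Parse JSON lines, keep only request entries (the response entry repeats
    the same request block), and return findings plus the unparsable-line count."""
    findings: List[Dict[str, str]] = []
    malformed = 0
    for line in log_text.splitlines():
        if not line.strip():
            continue
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            malformed += 1
            continue
        if event.get("type") != "request":
            continue
        findings.extend(classify(event))
    return {"findings": findings, "malformed": malformed}


def severity_counts(result: Dict[str, Any]) -> Dict[str, int]:
    """Count findings per severity for a quick dashboard line."""
    counts: Dict[str, int] = {}
    for f in result["findings"]:
        counts[f["severity"]] = counts.get(f["severity"], 0) + 1
    return counts


if __name__ == "__main__":
    result = triage(SAMPLE_AUDIT_LOG)
    for f in result["findings"]:
        print(f'{f["severity"]:8} {f["rule"]:22} {f["time"]} {f["who"]} '
              f'{f["path"]} from {f["remote_address"]}')
    print("unparsable lines:", result["malformed"], "| by severity:", severity_counts(result))
```

On the sample, the app's own read produces nothing, the root-token read and the policy rewrite each raise a high finding, and the audit-device delete raises both a root-token finding and a critical one. Point the same `triage` at a real device file (one JSON object per line) and the malformed counter doubles as a health check for truncated or rotated logs.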

## Cross-links

* [⚙️ Vault Installation, HA, and Automation Pack](/cloud-kubernetes-and-infrastructure-security/index/vault-installation-ha-and-automation-pack.md)
* [🛡️ Security as Policy for Terraform and Infrastructure as Code](/cloud-kubernetes-and-infrastructure-security/index/security-as-policy-for-iac.md)

