HashiCorp Vault has been the enterprise secrets management standard since its 1.0 release in 2019. Three years of enterprise production experience has produced clear patterns for what works and what does not.

Dynamic secrets as the core pattern

Vault's most powerful feature is dynamic secrets: credentials that are generated on demand and expire after a configured period. A database secrets engine generates a unique username and password for each service that requests credentials; every credential is individually revocable and auditable. The service never stores a long-lived credential. If a credential is compromised, it expires automatically at the end of its lease. This eliminates the rotation problem that plagues static credentials.

The PKI engine

Vault's PKI secrets engine is a certificate authority that can issue short-lived TLS certificates programmatically. For service-to-service TLS within a microservices architecture, Vault PKI provides certificates that are valid for hours, not years. Cert-manager for Kubernetes integrates with Vault PKI to issue and rotate certificates for Kubernetes workloads automatically.

Kubernetes authentication

Vault's Kubernetes auth method allows workloads running in Kubernetes to authenticate to Vault using their Kubernetes service account token. No pre-provisioned credentials needed: the workload's identity within Kubernetes is used to get a Vault token, which is used to retrieve secrets. This is the correct pattern for Kubernetes-based workloads: no secrets in environment variables or mounted files, all retrieved from Vault at runtime.
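The two patterns above (Kubernetes auth method login followed by a leased database credential) as one client-side exchange against the Vault HTTP API. This is an added example, not code from the article or from HashiCorp; the Vault address, role names and the in-memory `fake_vault` responder are constructed for the demo, and the `/v1/auth/kubernetes/login` and `/v1/database/creds/<role>` endpoints are Vault's real API paths.

```python
import json
import urllib.request

# Assumed values for this example (not from the article): Vault address and the
# standard path where Kubernetes mounts a pod's service account token.
VAULT_ADDR = "http://vault.example.internal:8200"
SA_TOKEN_PATH = "/var/run/secrets/kubernetes.io/serviceaccount/token"

def http_transport(method, path, headers, body=None):
    """Real transport: one call against the Vault HTTP API, JSON in and JSON out."""
    data = json.dumps(body).encode() if body is not None else None
    req = urllib.request.Request(VAULT_ADDR + path, data=data, method=method,
                                 headers={"Content-Type": "application/json", **headers})
    with urllib.request.urlopen(req, timeout=5) as resp:
        return json.load(resp)

def fetch_dynamic_db_creds(transport, k8s_role, db_role, sa_jwt):
    """Log in with the Kubernetes auth method, then draw a short-lived DB credential."""
    # 1. Trade the pod's service account JWT for a Vault token: nothing is pre-provisioned.
    login = transport("POST", "/v1/auth/kubernetes/login", {}, {"role": k8s_role, "jwt": sa_jwt})
    vault_token = login["auth"]["client_token"]
    # 2. The database engine creates a unique user bound to a lease for this caller only.
    creds = transport("GET", f"/v1/database/creds/{db_role}", {"X-Vault-Token": vault_token})
    ttl = creds["lease_duration"]
    return {
        "username": creds["data"]["username"],
        "password": creds["data"]["password"],
        "lease_id": creds["lease_id"],           # needed to renew or revoke the lease early
        "renew_after": ttl * 2 // 3,             # act well before the lease expires
    }

# Constructed in-memory stand-in for Vault's side of the exchange, so the demo runs offline.
def fake_vault(method, path, headers, body=None):
    if (method, path) == ("POST", "/v1/auth/kubernetes/login"):
        if body["role"] != "payments-api" or body["jwt"].count(".") != 2:
            raise PermissionError("403 permission denied")  # unknown role or malformed JWT
        return {"auth": {"client_token": "hvs.CONSTRUCTED", "lease_duration": 3600}}
    if method == "GET" and path.startswith("/v1/database/creds/"):
        if headers.get("X-Vault-Token") != "hvs.CONSTRUCTED":
            raise PermissionError("403 permission denied")  # no valid token, no credential
        return {"lease_id": "database/creds/payments-ro/CONSTRUCTED", "lease_duration": 3600,
                "data": {"username": "v-kube-payments-ro-CONSTRUCTED", "password": "CONSTRUCTED"}}
    raise ValueError(f"unexpected request {method} {path}")

if __name__ == "__main__":
    # Inside a pod: fetch_dynamic_db_creds(http_transport, k8s_role, db_role, open(SA_TOKEN_PATH).read().strip())
    print(fetch_dynamic_db_creds(fake_vault, "payments-api", "payments-ro", "hdr.payload.sig"))
```

The returned `renew_after` is the point at which the service should renew the lease or fetch a fresh credential; a login with the wrong role, or a credential request without the token from step 1, is refused.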

The operational complexity

Running Vault in a high-availability configuration requires an integrated storage backend (Raft, since Vault 1.4) and an unsealing strategy. Auto-unseal using a cloud KMS (AWS KMS, Azure Key Vault) removes the manual unseal step after restarts. The initial configuration of Vault (mount points, policies, auth methods, and the first set of secrets) is a multi-day engineering exercise. The maintenance burden is ongoing: policy updates, engine upgrades, audit log rotation. Vault is powerful but not simple.