Secrets Vault Manager

HashiCorp Vault Patterns

Architecture Decisions

Auth Methods

AppRole — Machine-to-machine authentication for services and batch jobs.

# Enable AppRole
path "auth/approle/*" {
  capabilities = ["create", "read", "update", "delete", "list"]
}

# Application-specific role
vault write auth/approle/role/payment-service \
  token_ttl=1h \
  token_max_ttl=4h \
  secret_id_num_uses=1 \
  secret_id_ttl=10m \
  token_policies="payment-service-read"

Kubernetes — Pod-native authentication via service account tokens.

vault write auth/kubernetes/role/api-server \
  bound_service_account_names=api-server \
  bound_service_account_namespaces=production \
  policies=api-server-secrets \
  ttl=1h

OIDC — Human operator access via SSO provider (Okta, Azure AD, Google Workspace).

vault write auth/oidc/role/engineering \
  bound_audiences="vault" \
  allowed_redirect_uris="https://vault.example.com/ui/vault/auth/oidc/oidc/callback" \
  user_claim="email" \
  oidc_scopes="openid,profile,email" \
  policies="engineering-read" \
  ttl=8h

Secret Engines

Policy Design

Follow least-privilege with path-based granularity:

# payment-service-read policy
path "secret/data/production/payment/*" {
  capabilities = ["read"]
}

path "database/creds/payment-readonly" {
  capabilities = ["read"]
}

# Deny access to admin paths explicitly
path "sys/*" {
  capabilities = ["deny"]
}

Policy naming convention: {service}-{access-level} (e.g., payment-service-read, api-gateway-admin).

Cloud Secret Store Integration

Comparison Matrix

When to Use Which

• AWS Secrets Manager: RDS/Aurora credential rotation out of the box. Best when fully on AWS.
• Azure Key Vault: Certificate management strength. Required for Azure AD integrated workloads.
• GCP Secret Manager: Simplest API surface. Best for GKE-native workloads with Workload Identity.
• HashiCorp Vault: Multi-cloud, dynamic secrets, PKI, transit encryption. Best for complex or hybrid environments.

SDK Access Patterns

Principle: Always fetch secrets at startup or via sidecar — never bake into images or config files.

# AWS Secrets Manager pattern
import boto3, json

def get_secret(secret_name, region="us-east-1"):
    client = boto3.client("secretsmanager", region_name=region)
    response = client.get_secret_value(SecretId=secret_name)
    return json.loads(response["SecretString"])

# GCP Secret Manager pattern
from google.cloud import secretmanager

def get_secret(project_id, secret_id, version="latest"):
    client = secretmanager.SecretManagerServiceClient()
    name = f"projects/{project_id}/secrets/{secret_id}/versions/{version}"
    response = client.access_secret_version(request={"name": name})
    return response.payload.data.decode("UTF-8")

# Azure Key Vault pattern
from azure.identity import DefaultAzureCredential
from azure.keyvault.secrets import SecretClient

def get_secret(vault_url, secret_name):
    credential = DefaultAzureCredential()
    client = SecretClient(vault_url=vault_url, credential=credential)
    return client.get_secret(secret_name).value

Secret Rotation Workflows

Rotation Strategy by Secret Type

Database Credential Rotation (Dual-Account)

1. Two database accounts exist: app_user_a and app_user_b
2. Application currently uses app_user_a
3. Rotation rotates app_user_b password, updates secret store
4. Application switches to app_user_b on next credential fetch
5. After grace period, app_user_a password is rotated
6. Cycle repeats

API Key Rotation (Overlap Window)

1. Generate new API key with provider
2. Store new key in secret store as current, move old to previous
3. Deploy applications — they read current
4. After all instances restarted (or TTL expired), revoke previous
5. Monitoring confirms zero usage of old key before revocation

Dynamic Secrets

Dynamic secrets are generated on-demand with automatic expiration. Prefer dynamic secrets over static credentials wherever possible.

Database Dynamic Credentials (Vault)

# Configure database engine
vault write database/config/postgres \
  plugin_name=postgresql-database-plugin \
  connection_url="postgresql://{{username}}:{{password}}@db.example.com:5432/app" \
  allowed_roles="app-readonly,app-readwrite" \
  username="vault_admin" \
  password="<admin-password>"

# Create role with TTL
vault write database/roles/app-readonly \
  db_name=postgres \
  creation_statements="CREATE ROLE \"{{name}}\" WITH LOGIN PASSWORD '{{password}}' VALID UNTIL '{{expiration}}'; GRANT SELECT ON ALL TABLES IN SCHEMA public TO \"{{name}}\";" \
  default_ttl=1h \
  max_ttl=24h

Cloud IAM Dynamic Credentials

Vault can generate short-lived AWS IAM credentials, Azure service principal passwords, or GCP service account keys — eliminating long-lived cloud credentials entirely.

SSH Certificate Authority

Replace SSH key distribution with a Vault-signed certificate model:

1. Vault acts as SSH CA
2. Users/machines request signed certificates with short TTL (30 min)
3. SSH servers trust the CA public key — no authorized_keys management
4. Certificates expire automatically — no revocation needed for normal operations

Audit Logging

What to Log

Anomaly Detection Signals

• Secret accessed from new IP/CIDR range
• Access volume spike (>3x baseline for a path)
• Off-hours access for human auth methods
• Service accessing secrets outside its policy scope (denied requests)
• Multiple failed auth attempts from single source
• Token created with unusually long TTL

Compliance Reporting

Generate periodic reports covering:

1. Access inventory — Which identities accessed which secrets, when
2. Rotation compliance — Secrets overdue for rotation
3. Policy drift — Policies modified since last review
4. Orphaned secrets — Secrets with no recent access (>90 days)

Use audit_log_analyzer.py to parse Vault or cloud audit logs for these signals.

Emergency Procedures

Secret Leak Response (Immediate)

Time target: Contain within 15 minutes of detection.

1. Identify scope — Which secret(s) leaked, where (repo, log, error message, third party)
2. Revoke immediately — Rotate the compromised credential at the source (provider API, Vault, cloud SM)
3. Invalidate tokens — Revoke all Vault tokens that accessed the leaked secret
4. Audit blast radius — Query audit logs for usage of the compromised secret in the exposure window
5. Notify stakeholders — Security team, affected service owners, compliance (if PII/regulated data)
6. Post-mortem — Document root cause, update controls to prevent recurrence

Vault Seal Operations

When to seal: Active security incident affecting Vault infrastructure, suspected key compromise.

Sealing stops all Vault operations. Use only as last resort.

Unseal procedure:

1. Gather quorum of unseal key holders (Shamir threshold)
2. Or confirm auto-unseal KMS key is accessible
3. Unseal via vault operator unseal or restart with auto-unseal
4. Verify audit devices reconnected
5. Check active leases and token validity

See references/emergency_procedures.md for complete playbooks.

CI/CD Integration

Vault Agent Sidecar (Kubernetes)

Vault Agent runs alongside application pods, handles authentication and secret rendering:

# Pod annotation for Vault Agent Injector