Secrets end up everywhere: environment variables, config files, CI systems, developer laptops. Centralising them isn’t just about security—it’s about knowing what credentials exist and who can access them.
The Problem
Credential sprawl was rampant. The same database password existed in twelve places. Rotating it meant updating all twelve and hoping nothing was missed. Inevitably, something was missed, and production broke at 3am.
Audit requirements couldn’t be satisfied. “Who has access to the payment system credentials?” The honest answer was: we didn’t know. Secrets had been copied, shared, and forgotten.
API keys had no expiration. Some were years old, created by employees who’d long since left. Revoking them risked breaking unknown integrations.
Secrets in Git history haunted us. Even after removal from current code, they remained in history. Repository scanning revealed embarrassing exposure.
Our Solution
HashiCorp Vault became the central secrets store. All credentials migrated there over six months. Applications retrieve secrets at runtime rather than storing them.
Dynamic secrets for databases eliminated password management entirely. Vault generates temporary credentials per application instance. When the pod terminates, the credentials expire. No password rotation needed—every connection uses fresh credentials.
AppRole authentication for applications. Each service authenticates to Vault using its role. No shared credentials, no secrets in environment variables.
Kubernetes integration via the Vault Agent Injector. Secrets appear as files in pods, managed by the sidecar. Applications read files rather than calling Vault directly.
Audit logging captures every secret access. Compliance reviews show exactly who accessed what and when. Unusual access patterns trigger alerts.
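As an added example of the "unusual access patterns trigger alerts" step (this is not the post's own tooling, and not Vault's code), the script below runs two detection rules over entries in the shape of Vault's JSON audit device output: a per-identity baseline of expected paths, and a burst threshold per identity. The audit entries, the baseline and the thresholds are constructed sample data; real entries carry more fields and fractional-second timestamps, which the parser tolerates.

```python
import json
from collections import defaultdict, deque
from datetime import datetime, timezone

# Paths each identity is expected to touch (constructed baseline; in practice
# derived from the AppRole's policy or from a history window). A trailing
# slash marks a prefix.
BASELINE = {
    "payments-api": {"database/creds/payments-ro", "secret/data/payments/"},
    "orders-api": {"database/creds/orders-rw", "secret/data/orders/"},
}
BURST_LIMIT = 10        # more than this many accesses by one identity ...
BURST_WINDOW_SEC = 60   # ... inside this window is reported as a burst


def _entry(time, role, path, typ="response"):
    # Builds an abbreviated Vault-style audit entry (constructed sample data).
    return json.dumps({
        "time": time, "type": typ,
        "auth": {"display_name": "approle", "policies": ["default", role],
                 "metadata": {"role_name": role}},
        "request": {"operation": "read", "path": path, "remote_address": "10.0.1.5"},
    })


# Constructed sample log: one normal read (request + response pair), one read
# outside the role's baseline, and a burst of 12 reads inside one minute.
SAMPLE_AUDIT_LOG = [
    _entry("2024-03-01T09:00:00Z", "payments-api", "database/creds/payments-ro", "request"),
    _entry("2024-03-01T09:00:00Z", "payments-api", "database/creds/payments-ro"),
    _entry("2024-03-01T09:00:05Z", "orders-api", "database/creds/orders-rw"),
    _entry("2024-03-01T09:01:00Z", "orders-api", "secret/data/payments/stripe"),
] + [_entry("2024-03-01T10:00:%02dZ" % s, "orders-api", "secret/data/orders/cfg")
     for s in range(12)]


def parse_time(ts):
    # Vault timestamps are RFC 3339 in UTC, usually with fractional seconds.
    ts = ts.rstrip("Z").split(".")[0]
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%S").replace(tzinfo=timezone.utc)


def identity_of(entry):
    auth = entry.get("auth") or {}
    meta = auth.get("metadata") or {}
    return meta.get("role_name") or meta.get("username") or auth.get("display_name", "unknown")


def path_in_baseline(path, allowed):
    return any(path == a or (a.endswith("/") and path.startswith(a)) for a in allowed)


def detect(lines):
    """Return a list of alert dicts for the given audit log lines."""
    alerts = []
    recent = defaultdict(deque)   # identity -> timestamps inside the burst window
    for raw in lines:
        raw = raw.strip()
        if not raw:
            continue
        entry = json.loads(raw)
        # Vault writes a "request" and a "response" entry for every call;
        # counting only responses sees each access exactly once.
        if entry.get("type") != "response":
            continue
        who = identity_of(entry)
        path = entry.get("request", {}).get("path", "")
        ts = parse_time(entry["time"])

        allowed = BASELINE.get(who)
        if allowed is not None and not path_in_baseline(path, allowed):
            alerts.append({"rule": "outside-baseline", "identity": who,
                           "path": path, "time": entry["time"]})

        window = recent[who]
        window.append(ts)
        while (ts - window[0]).total_seconds() > BURST_WINDOW_SEC:
            window.popleft()
        if len(window) == BURST_LIMIT + 1:   # fire once, when the threshold is crossed
            alerts.append({"rule": "burst", "identity": who,
                           "count": len(window), "time": entry["time"]})
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_AUDIT_LOG):
        print(alert)
```

The baseline rule is the cheap one: an AppRole that suddenly reads another service's secrets is exactly the case a Vault policy should already have denied, so an alert here usually means the policy is too broad. The burst rule catches a leaked or misused token that is enumerating paths it is legitimately allowed to read.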
Secret rotation automation for credentials that can’t be dynamic. Vault rotates, updates the target system, and applications fetch the new value on next access.
The Benefits
Password rotation became a non-event. Services continue running while credentials change. No coordination required, no 3am emergencies.
Access review is now possible. Vault policies define who can access what. Quarterly reviews examine policies rather than hunting through systems.
Offboarding is comprehensive. Disable a user’s Vault access, and they lose access to all secrets. No need to enumerate every system they might have credentials for.
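To show what a policy-based access review and an offboarding check look like in practice, here is an added example; it is not the post's own tooling and not Vault's code. It answers "who can do X on path Y?" over constructed policies written in the shape of Vault's JSON policy syntax, using a simplified model of Vault's documented path precedence (an exact match wins, otherwise the most specific wildcard rule, with deny overriding); that the model agrees with Vault in every corner case is an assumption, as are all policy and principal names.

```python
# Constructed policies in the shape of Vault's JSON policy syntax.
# A trailing "*" is a prefix glob; "+" matches exactly one path segment.
POLICIES = {
    "default": {"path": {"auth/token/lookup-self": {"capabilities": ["read"]}}},
    "payments-api": {"path": {
        "database/creds/payments-ro": {"capabilities": ["read"]},
        "secret/data/payments/*": {"capabilities": ["read"]},
    }},
    "developers": {"path": {
        "secret/data/staging/*": {"capabilities": ["read", "list"]},
        "secret/data/staging/payments/*": {"capabilities": ["deny"]},
    }},
    "sre": {"path": {"secret/data/+/db": {"capabilities": ["read", "update"]}}},
}

# Which principals hold which policies (constructed; in Vault this comes from
# the AppRole's token policies or from identity entities and groups).
PRINCIPALS = {
    "payments-api": ["default", "payments-api"],
    "alice": ["default", "developers"],
    "bob": ["default", "developers", "sre"],
}


def _match(pattern, path):
    """Does a policy path pattern match a concrete request path?"""
    glob = pattern.endswith("*")
    p_parts = (pattern[:-1] if glob else pattern).split("/")
    s_parts = path.split("/")
    if len(s_parts) < len(p_parts) or (not glob and len(s_parts) != len(p_parts)):
        return False
    for i, pp in enumerate(p_parts):
        if pp == "+":
            continue                      # wildcard segment
        if glob and i == len(p_parts) - 1:
            if not s_parts[i].startswith(pp):
                return False              # partial last segment before "*"
        elif pp != s_parts[i]:
            return False
    return True


def _priority(pattern):
    # Simplified model of Vault's precedence: a later first wildcard, no trailing
    # glob, fewer "+" segments and a longer pattern each make a rule more specific.
    first_wild = min((i for i, c in enumerate(pattern) if c in "*+"), default=len(pattern))
    return (first_wild, 0 if pattern.endswith("*") else 1, -pattern.count("+"), len(pattern))


def effective_rules(policy_names, policies=POLICIES):
    # Merge all of a principal's policies into one rule set keyed by pattern.
    rules = {}
    for name in policy_names:
        for pattern, rule in policies[name]["path"].items():
            rules.setdefault(pattern, set()).update(rule["capabilities"])
    return rules


def capabilities_for(policy_names, path, policies=POLICIES):
    rules = effective_rules(policy_names, policies)
    matching = [p for p in rules if _match(p, path)]
    if not matching:
        return set()
    caps = rules[max(matching, key=_priority)]
    return set() if "deny" in caps else caps   # deny overrides everything else


def who_can(path, capability, principals=PRINCIPALS, policies=POLICIES):
    """Access review: every principal holding `capability` on `path`."""
    return sorted(name for name, pols in principals.items()
                  if capability in capabilities_for(pols, path, policies))


if __name__ == "__main__":
    for path in ("secret/data/payments/stripe", "secret/data/staging/db", "secret/data/prod/db"):
        print(path, "read:", who_can(path, "read"), "update:", who_can(path, "update"))
    # Offboarding check: remove a principal and confirm the access is gone.
    remaining = {k: v for k, v in PRINCIPALS.items() if k != "alice"}
    print("after offboarding alice:", who_can("secret/data/staging/db", "read", remaining))
```

The quarterly review then becomes a loop over the sensitive paths rather than a hunt through systems, and the offboarding case is a single entry removed from the principal map. Note the `secret/data/staging/db` case: the more specific `developers` glob wins over the `sre` rule with an early `+` wildcard, so bob does not get `update` there even though he holds both policies; that kind of surprise is exactly what a review should surface.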
Developer experience improved. No more “can you send me the staging database password?” Vault provides it through proper authentication.
Secrets management isn’t exciting, but getting it right removes an entire category of incidents and compliance headaches.