Vault isn’t just a place to dump secrets; it’s a dynamic, programmable system for managing access to sensitive data, treating secrets like any other resource you’d manage with code.
Let’s see Vault in action. Imagine you have a microservice that needs a database password.
package main
import (
"fmt"
"log"
"os"
"github.com/hashicorp/vault/api"
)
func main() {
// Configure Vault client
config := api.DefaultConfig()
config.Address = "http://127.0.0.1:8200" // Vault server address
client, err := api.NewClient(config)
if err != nil {
log.Fatalf("Error creating Vault client: %v", err)
}
// Authenticate (example using token, real-world would use AppRole, Kubernetes, etc.)
client.SetToken("my-root-token") // Replace with your actual token or auth method
// Read a secret
secret, err := client.Logical().Read("secret/data/myapp/database")
if err != nil {
log.Fatalf("Error reading secret: %v", err)
}
if secret == nil || secret.Data == nil {
log.Fatal("Secret not found or empty")
}
// Extract and print the password
password, ok := secret.Data["data"].(map[string]interface{})["password"].(string)
if !ok {
log.Fatal("Password field not found or not a string in the secret data")
}
fmt.Printf("Successfully retrieved database password: %s\n", password)
}
This Go program connects to a running Vault instance, authenticates using a hardcoded token (in production, you’d use a proper auth method like AppRole or Kubernetes), and then fetches a specific secret stored at secret/data/myapp/database. It then extracts and prints the database password.
The core problem Vault solves is the proliferation of insecurely stored secrets – hardcoded in code, in plain text configuration files, or in environment variables that can be easily leaked. Vault centralizes secrets, providing a single source of truth, and more importantly, it decouples secrets from the applications that use them. This means you can rotate, revoke, or update secrets without touching your application code.
Internally, Vault operates on a few key concepts. Sealing and Unsealing is fundamental: Vault is encrypted at rest. When it starts, it’s "sealed." To become operational, it needs to be "unsealed" using a master key, typically split into multiple shares. Only when enough shares are combined can Vault decrypt its data. Authentication is how clients prove their identity to Vault. This can be done via tokens, but more robust methods like AppRole (for machines/services), Kubernetes authentication, or cloud IAM roles are preferred. Auth Methods are plugins that enable these different authentication strategies. Secrets Engines are responsible for generating, storing, and managing different types of secrets. Vault has built-in engines for static secrets (like the kv engine used above), dynamic secrets (which generate credentials on-demand for services like AWS, databases, or Kubernetes), and more. Policies are Vault’s authorization layer. They define what authenticated entities can do (read, write, delete, list) on which paths within Vault.
When Vault generates a dynamic secret, say for a PostgreSQL database, it doesn’t just give you a static password. It creates a lease for a specific username and password. This lease has an expiration time. When the lease expires, Vault automatically revokes the generated credentials, ensuring that old passwords are never left lying around. This is a game-changer for security, as it enforces automatic credential rotation.
The most impactful and often misunderstood aspect of Vault’s dynamic secrets is the concept of lease revocation. When a dynamic secret is generated, Vault attaches a lease ID to it. This lease ID is crucial because it’s the handle Vault uses to manage the lifecycle of that secret. If your application crashes before it can explicitly release the secret, Vault’s background "lease manager" will detect the expired lease and automatically revoke the underlying credentials (e.g., disable the database user or delete the IAM key). This automatic cleanup is what prevents credential sprawl and maintains a strong security posture, even in failure scenarios.
Understanding the interplay between authentication methods, policies, and secrets engines is key to effectively leveraging Vault’s power.