implementing-secrets-management-with-vault

# Implementing Secrets Management with Vault ## When to Use - When applications store database passwords, API keys, or certificates in environment variables or config files - When migrating from static long-lived credentials to dynamic short-lived secrets - When Kubernetes workloads need secure access to database credentials or cloud provider APIs - When compliance requirements mandate centralized credential management with audit logging - When CI/CD pipelines contain hardcoded secrets that represent supply chain risk **Do not use** for AWS-only environments where AWS Secrets Manager suffices without multi-cloud requirements, for application-level encryption logic (though Vault Transit can help), or for identity federation (see managing-cloud-identity-with-okta). ## Prerequisites - HashiCorp Vault server deployed in HA mode (Consul or Raft storage backend) - TLS certificates for Vault listener endpoints - Vault Enterprise license for namespaces, Sentinel policies, and replication (optional) - Kubernetes cluster with Vault Agent Injector or CSI provider for workload integration ## Workflow ### Step 1: Deploy Vault in High Availability Mode Deploy Vault using Integrated Storage (Raft) for HA without external dependencies. Configure TLS, audit logging, and auto-unseal using a cloud KMS. ```hcl # vault-config.hcl storage "raft" { path = "/opt/vault/data" node_id = "vault-node-1" retry_join { leader_api_addr = "https://vault-node-2.internal:8200" } retry...