Comprehensive Guide to HashiCorp Vault | Generated by AI
Question: Give a comprehensive guide about using HashiCorp Vault?
Answer:
Here is a practical, up-to-date (2025–2026 era) comprehensive guide to using HashiCorp Vault.
1. What problems does Vault solve?
- Storing & delivering secrets (passwords, API keys, certificates, encryption keys, tokens)
- Dynamic secrets — credentials that are created on demand and automatically revoked
- Short-lived credentials — strongly preferred security model in 2025
- Centralized access control + audit logging
- Encryption as a service
- Identity-based security (no long-lived static credentials in code / CI)
2. Core Concepts – Must Know
| Concept | Meaning in 2025–2026 Vault |
|---|---|
| Secret Engine | Plugin that knows how to generate / store / revoke secrets (kv, database, aws, pki, …) |
| Mount path | Where the engine “lives” (secret/, database/, pki/int-ca/, …) |
| Auth Method | How users / machines authenticate (jwt, kubernetes, approle, userpass, oidc, …) |
| Policy | ACL written in HCL — very fine-grained (path "secret/data/prod/*" { capabilities = ["read"] }) |
| Token | Main way to authenticate (can be short-lived, periodic, orphan, etc) |
| Identity | Vault’s internal entity + aliases that link multiple auth methods to one identity |
| Lease | TTL + renewable contract for dynamic secrets |
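To make the Policy and Identity rows concrete, here is an added example (it is not code from the page or from HashiCorp) that models how Vault decides whether a token's policies permit a request. It follows the documented behaviour that matters day to day: deny by default, an exact path beats a glob, among globs the longest prefix wins, `+` matches exactly one path segment, a trailing `*` matches any suffix, and a `deny` capability overrides anything granted elsewhere. The policy text is constructed for illustration, and the parser only handles the flat `path "..." { capabilities = [...] }` shape used on this page.

```python
"""Simplified model of Vault ACL path matching (added example, not Vault's code)."""
import re
from typing import Dict, Set

# Handles only the flat rule shape used on this page: path "..." { capabilities = [...] }
RULE_RE = re.compile(
    r'path\s+"([^"]+)"\s*\{\s*capabilities\s*=\s*\[([^\]]*)\]\s*\}', re.S)


def parse_policy(hcl: str) -> Dict[str, Set[str]]:
    """Parse the page's policy subset into {path_pattern: {capabilities}}."""
    rules: Dict[str, Set[str]] = {}
    for pattern, caps in RULE_RE.findall(hcl):
        rules[pattern] = {c.strip().strip('"') for c in caps.split(",") if c.strip()}
    return rules


def merge_policies(*policies: Dict[str, Set[str]]) -> Dict[str, Set[str]]:
    """A token with several policies gets one merged ACL: rules on the same
    pattern are unioned; a 'deny' stays in the union and wins in allowed()."""
    merged: Dict[str, Set[str]] = {}
    for pol in policies:
        for pattern, caps in pol.items():
            merged.setdefault(pattern, set()).update(caps)
    return merged


def pattern_matches(pattern: str, path: str) -> bool:
    """Segment-wise match: '+' is exactly one segment, a trailing '*' is a prefix glob."""
    glob = pattern.endswith("*")
    pat_parts = (pattern[:-1] if glob else pattern).split("/")
    path_parts = path.split("/")
    if glob:
        # every segment before the glob must match; the glob segment is a prefix
        if len(path_parts) < len(pat_parts):
            return False
        head, last = pat_parts[:-1], pat_parts[-1]
        if any(p != "+" and p != q for p, q in zip(head, path_parts)):
            return False
        return path_parts[len(head)].startswith(last)
    return len(pat_parts) == len(path_parts) and all(
        p == "+" or p == q for p, q in zip(pat_parts, path_parts))


def allowed(acl: Dict[str, Set[str]], path: str, capability: str) -> bool:
    """Deny by default; an exact rule wins, else the longest matching pattern."""
    if path in acl:
        caps = acl[path]
    else:
        candidates = [p for p in acl if pattern_matches(p, path)]
        if not candidates:
            return False
        caps = acl[max(candidates, key=len)]
    return "deny" not in caps and capability in caps


# Constructed policy in the style of the table's example. Note the KV v2 split:
# reading a secret hits <mount>/data/..., listing keys hits <mount>/metadata/...
PROD_READER = """
path "secret/data/prod/*" {
  capabilities = ["read"]
}
path "secret/metadata/prod/*" {
  capabilities = ["list"]
}
path "secret/data/prod/payments/*" {
  capabilities = ["deny"]
}
"""


def demo() -> Dict[str, bool]:
    acl = merge_policies(parse_policy(PROD_READER))
    return {
        "read db":           allowed(acl, "secret/data/prod/db", "read"),
        "write db":          allowed(acl, "secret/data/prod/db", "update"),
        "list via metadata": allowed(acl, "secret/metadata/prod/", "list"),
        "list via data":     allowed(acl, "secret/data/prod/", "list"),
        "read payments":     allowed(acl, "secret/data/prod/payments/key", "read"),
        "segment wildcard":  pattern_matches("secret/data/+/app", "secret/data/prod/app"),
        "wildcard one seg":  pattern_matches("secret/data/+/app", "secret/data/a/b/app"),
    }


if __name__ == "__main__":
    for check, ok in demo().items():
        print(f"{check:18s} -> {ok}")
```

The "list via data" case is the one that bites most people: a KV v2 policy that grants only `read` on `secret/data/...` lets the app fetch a known key but `vault kv list` fails, because listing is served from the `metadata/` path.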
3. Quick Start (Dev Mode – 2025 style)
```shell
# Run in development mode (insecure – only for learning)
vault server -dev -dev-root-token-id=root
# or with UI + TLS disabled (still common for local dev in 2026)
vault server -dev -dev-root-token-id=root -dev-listen-address="0.0.0.0:8200"
export VAULT_ADDR='http://127.0.0.1:8200'
export VAULT_TOKEN=root
```
Open browser → http://127.0.0.1:8200/ui
4. Most Common Secret Engines (2025–2026 ranking)
| Engine | Use-case today | Dynamic? | Revocable? | Recommended mount path |
|---|---|---|---|---|
| kv-v2 | Static app secrets, config | No | No | secret/ |
| database | MySQL/PostgreSQL/Redis/… temporary accounts | Yes | Yes | database/ |
| aws | AWS IAM credentials (access key / session) | Yes | Yes | aws/ |
| pki | Internal & public TLS certificates | Yes | Yes | pki/ or pki/int/ |
| transit | Encryption / signing as a service | — | — | transit/ |
| ssh | SSH client & OTP / signed certificates | Yes | Yes | ssh-client / ssh-host |
| kubernetes | Kubernetes service account JWT validation | — | — | (auth method, not engine) |
| jwt / oidc | GitHub Actions, GitLab CI, workload identity | — | — | (auth method) |
5. Typical 2025–2026 Production Architecture
- Vault cluster — 3 or 5 nodes (Raft storage)
- Auto-unseal — AWS KMS / GCP KMS / Azure Key Vault / Transit
- External storage — integrated Raft (most common), Consul, etcd
- TLS everywhere — mandatory
- Separate PKI mount for intermediate CA
- Multiple KV mounts — apps/team-a/, infra/prod/, ci/
- AppRole or JWT/OIDC for most workloads
- Kubernetes auth + Vault Agent Injector / CSI driver
6. Step-by-step – Realistic Modern Workflow (Kubernetes + AppRole + KV + Database)
```shell
# 1. Enable engines
vault secrets enable -path=apps kv-v2
vault secrets enable -path=database database
# 2. Configure PostgreSQL engine (example)
#    {{username}} / {{password}} are Vault's template fields for the admin
#    credentials given below; keeping them templated lets Vault rotate the
#    admin password later (vault write -f database/rotate-root/my-pg)
vault write database/config/my-pg \
  plugin_name=postgresql-database-plugin \
  allowed_roles="myapp" \
  connection_url="postgresql://{{username}}:{{password}}@postgres:5432/myapp" \
  username="vault_admin" \
  password="super-secret-admin-pass"
#    {{name}}, {{password}} and {{expiration}} are filled in by Vault for each
#    credential it generates; the role is dropped again when the lease expires
vault write database/roles/myapp \
  db_name=my-pg \
  creation_statements="CREATE ROLE \"{{name}}\" WITH LOGIN PASSWORD '{{password}}' VALID UNTIL '{{expiration}}'; GRANT SELECT, INSERT ON ALL TABLES IN SCHEMA public TO \"{{name}}\";" \
  default_ttl="1h" \
  max_ttl="24h"
# 3. Create policy for application (KV v2: reads go through data/, listing through metadata/)
cat > myapp-policy.hcl <<EOF
path "apps/data/myapp/*" {
  capabilities = ["read", "list"]
}
path "apps/metadata/myapp/*" {
  capabilities = ["list"]
}
path "database/creds/myapp" {
  capabilities = ["read"]
}
EOF
vault policy write myapp myapp-policy.hcl
# 4. Create AppRole + attach policy
vault auth enable approle
vault write auth/approle/role/myapp \
  token_policies="myapp" \
  token_ttl=20m \
  token_max_ttl=60m \
  secret_id_ttl=30m
# Get RoleID & SecretID (the SecretID is delivered to the workload out of band,
# e.g. by Vault Agent or response-wrapped; it never goes into source control)
vault read auth/approle/role/myapp/role-id
vault write -f auth/approle/role/myapp/secret-id
```
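The commands above set up the server side. The application side of the same workflow, as an added example that is not code from the page, from HashiCorp or from the hvac library, is shown below using only Vault's HTTP API and the Python standard library: AppRole login, a KV v2 read, a dynamic database credential and a lease renewal. The request shapes (`/v1/auth/approle/login`, `/v1/<mount>/data/<path>`, `/v1/database/creds/<role>`, `/v1/sys/leases/renew`, the `X-Vault-Token` header and the nested `data.data` in KV v2 responses) are Vault's documented API; the mount names, role name, secret path and every value returned by `FakeVault` are constructed so the script runs offline.

```python
"""Application side of the AppRole + KV + database workflow (added example)."""
import json
import os
import urllib.request


def http_transport(method, url, headers, body):
    """Real transport: one JSON request to a Vault server (not used offline)."""
    req = urllib.request.Request(url, data=body, method=method, headers=headers)
    with urllib.request.urlopen(req, timeout=10) as resp:
        raw = resp.read()
    return json.loads(raw) if raw else {}


class VaultClient:
    def __init__(self, addr, transport=http_transport):
        self.addr = addr.rstrip("/")
        self.transport = transport
        self.token = None  # set after login; sent as X-Vault-Token

    def _call(self, method, path, payload=None):
        headers = {"Content-Type": "application/json"}
        if self.token:
            headers["X-Vault-Token"] = self.token
        body = json.dumps(payload).encode() if payload is not None else None
        return self.transport(method, f"{self.addr}/v1/{path}", headers, body)

    def login_approle(self, role_id, secret_id, mount="approle"):
        auth = self._call("POST", f"auth/{mount}/login",
                          {"role_id": role_id, "secret_id": secret_id})["auth"]
        self.token = auth["client_token"]
        return auth

    def kv2_read(self, mount, path):
        # KV v2 nests the user's keys under data.data; the API path carries /data/
        return self._call("GET", f"{mount}/data/{path}")["data"]["data"]

    def db_creds(self, role):
        resp = self._call("GET", f"database/creds/{role}")
        return {"lease_id": resp["lease_id"], "ttl": resp["lease_duration"],
                "renewable": resp["renewable"], **resp["data"]}

    def renew_lease(self, lease_id, increment):
        return self._call("PUT", "sys/leases/renew",
                          {"lease_id": lease_id, "increment": increment})


class FakeVault:
    """Constructed stand-in for a Vault server so the example runs offline."""
    TOKEN = "hvs.CONSTRUCTED-TOKEN"

    def __init__(self):
        self.calls = []

    def __call__(self, method, url, headers, body):
        path = url.split("/v1/", 1)[1]
        self.calls.append((method, path))
        if path == "auth/approle/login":
            req = json.loads(body)
            if req["role_id"] != "ROLE-ID" or req["secret_id"] != "SECRET-ID":
                raise PermissionError("403 invalid role or secret ID")
            return {"auth": {"client_token": self.TOKEN, "lease_duration": 1200,
                             "renewable": True, "policies": ["default", "myapp"]}}
        if headers.get("X-Vault-Token") != self.TOKEN:
            raise PermissionError("403 permission denied")
        if path == "apps/data/myapp/config":
            return {"data": {"data": {"feature_flag": "on", "region": "eu-west-1"},
                             "metadata": {"version": 3}}}
        if path == "database/creds/myapp":
            return {"lease_id": "database/creds/myapp/CONSTRUCTED-LEASE",
                    "lease_duration": 3600, "renewable": True,
                    "data": {"username": "v-approle-myapp-x1", "password": "CONSTRUCTED"}}
        if path == "sys/leases/renew":
            req = json.loads(body)
            return {"lease_id": req["lease_id"], "lease_duration": req["increment"],
                    "renewable": True}
        raise FileNotFoundError(f"404 {path}")


def run_workflow(client, role_id, secret_id):
    auth = client.login_approle(role_id, secret_id)
    config = client.kv2_read("apps", "myapp/config")
    creds = client.db_creds("myapp")
    # Renew well before expiry (here at half the TTL); the granted increment is
    # capped by the role's max_ttl, so a production client loops on this.
    renewed = client.renew_lease(creds["lease_id"], creds["ttl"] // 2)
    return {"policies": auth["policies"], "config": config,
            "db_user": creds["username"], "renewed_ttl": renewed["lease_duration"]}


if __name__ == "__main__":
    # Against a real server: VaultClient(os.environ["VAULT_ADDR"]) with the
    # RoleID/SecretID handed over by Vault Agent or a response-wrapped token.
    addr = os.environ.get("VAULT_ADDR", "http://127.0.0.1:8200")
    print(run_workflow(VaultClient(addr, transport=FakeVault()), "ROLE-ID", "SECRET-ID"))
```

Swapping `FakeVault()` for the default `http_transport` turns this into a working client against a dev server; the point of the fake is that the exchange (login, token header, nested KV v2 data, lease id and renewal) is visible without standing anything up.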
7. Best Practices 2025–2026
- Never commit VAULT_TOKEN or VAULT_ROLE_ID / SECRET_ID pairs
- Use Vault Agent or Vault CSI Provider in Kubernetes
- Prefer short TTL (minutes → hours) for dynamic credentials
- Rotate root token and create recovery keys
- Use namespaces for very large organizations
- Enable audit logging → everything goes to SIEM
- Use response-wrapping for very sensitive initial secret delivery
- Prefer identity-based security over IP whitelisting
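"Everything goes to SIEM" is only useful if something looks at it. The following added example (not from the page) is a small detection pass over lines in the format of Vault's file audit device: it flags use of a root-policy token, writes to policy, auth and AppRole SecretID paths, and bursts of permission-denied responses from one address. The field names (`type`, `auth.policies`, `auth.display_name`, `request.operation`, `request.path`, `request.remote_address`, `error`) are those of Vault's JSON audit format, in which token values appear only as HMACs; the log lines and the alert threshold are constructed for this example.

```python
"""Detection pass over constructed Vault audit-device lines (added example)."""
import json
from collections import Counter
from typing import Dict, List, Tuple

# Constructed sample of file audit device output; one JSON object per line.
SAMPLE_AUDIT = r"""
{"time":"2026-01-10T09:00:01Z","type":"response","auth":{"client_token":"hmac-sha256:aa","accessor":"hmac-sha256:ab","display_name":"approle","policies":["default","myapp"],"token_type":"service"},"request":{"id":"r1","operation":"read","path":"database/creds/myapp","remote_address":"10.0.0.5"},"error":""}
{"time":"2026-01-10T09:00:02Z","type":"request","auth":{"display_name":"token","policies":["root"]},"request":{"id":"r2","operation":"update","path":"sys/policies/acl/myapp","remote_address":"10.0.0.9"}}
{"time":"2026-01-10T09:00:02Z","type":"response","auth":{"client_token":"hmac-sha256:cc","accessor":"hmac-sha256:cd","display_name":"token","policies":["root"],"token_type":"service"},"request":{"id":"r2","operation":"update","path":"sys/policies/acl/myapp","remote_address":"10.0.0.9"},"error":""}
{"time":"2026-01-10T09:00:05Z","type":"response","auth":{"display_name":"userpass-bob","policies":["default"]},"request":{"id":"r3","operation":"read","path":"secret/data/prod/db","remote_address":"203.0.113.7"},"error":"1 error occurred:\n\t* permission denied\n\n"}
{"time":"2026-01-10T09:00:06Z","type":"response","auth":{"display_name":"userpass-bob","policies":["default"]},"request":{"id":"r4","operation":"read","path":"secret/data/prod/api","remote_address":"203.0.113.7"},"error":"1 error occurred:\n\t* permission denied\n\n"}
{"time":"2026-01-10T09:00:07Z","type":"response","auth":{"display_name":"userpass-bob","policies":["default"]},"request":{"id":"r5","operation":"read","path":"secret/data/prod/pki","remote_address":"203.0.113.7"},"error":"1 error occurred:\n\t* permission denied\n\n"}
{"time":"2026-01-10T09:01:00Z","type":"response","auth":{"display_name":"oidc-ci","policies":["ci-admin"]},"request":{"id":"r6","operation":"update","path":"auth/approle/role/myapp/secret-id","remote_address":"10.0.0.9"},"error":""}
"""

# Writes here change who can do what, or mint new credentials: worth a ticket
# even when they are legitimate. (Assumed list; tune it to your mounts.)
SENSITIVE_PREFIXES = ("sys/policies/", "sys/audit", "sys/auth", "auth/approle/role/")

Finding = Tuple[str, str, str]  # (kind, remote_address, detail)


def parse_audit(text: str) -> List[Dict]:
    """One JSON document per non-empty line."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def detect(events: List[Dict], denied_threshold: int = 3) -> List[Finding]:
    findings: List[Finding] = []
    denied: Counter = Counter()
    for e in events:
        # request lines carry the same fields before the outcome is known;
        # the response line has the error and is enough for these rules
        if e.get("type") != "response":
            continue
        auth = e.get("auth") or {}
        req = e.get("request") or {}
        path, op = req.get("path", ""), req.get("operation", "")
        src = req.get("remote_address", "unknown")
        who = auth.get("display_name", "?")
        if "root" in (auth.get("policies") or []):
            findings.append(("root_token_use", src, f"{op} {path}"))
        if "permission denied" in (e.get("error") or ""):
            denied[src] += 1
        if op in ("update", "create", "delete") and path.startswith(SENSITIVE_PREFIXES):
            findings.append(("sensitive_write", src, f"{who} {op} {path}"))
    for src, n in denied.items():
        if n >= denied_threshold:
            findings.append(("denied_burst", src, f"{n} permission-denied responses"))
    return findings


if __name__ == "__main__":
    for kind, src, detail in detect(parse_audit(SAMPLE_AUDIT)):
        print(f"{kind:15s} {src:14s} {detail}")
```

Because the audit device HMACs token values, pivoting from a finding to the token is done on the `accessor` field (which is also HMACed per audit device, but stable for the lifetime of that device) or on `display_name` and policies, which is another reason to give every auth role a distinctive name.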
8. Common Client Patterns (2025)
| Language / Tool | Recommended library / method | Status in 2026 |
|---|---|---|
| Go | official hashicorp/vault/api | very good |
| Python | hvac | very popular |
| Java | spring-vault / official Java client | good |
| Node.js | node-vault | good |
| .NET | VaultSharp | good |
| Terraform | built-in provider + remote state backend | standard |
| Kubernetes | Vault Agent Injector / CSI secrets store | dominant |
| GitHub Actions | hashicorp/vault-action (JWT auth) | very popular |
9. Quick Troubleshooting Commands
```shell
vault status                                  # is it initialized? sealed?
vault operator raft list-peers
vault token lookup -accessor $ACCESSOR
vault lease lookup database/creds/myapp/abc123
vault audit list
vault path-help aws/creds/my-role
```