
Implementing HashiCorp Vault Dynamic Secrets

When to Use

  • Applications use static database credentials stored in configuration files or environment variables
  • AWS IAM access keys are long-lived and shared across services
  • Need to eliminate credential sprawl by generating short-lived, per-request secrets
  • Compliance requirements mandate credential rotation (PCI-DSS Requirement 8, NIST 800-53 IA-5)
  • Implementing zero-trust secret management where credentials are never stored at rest
  • Migrating from manual credential management to automated secrets lifecycle

Do not use this for static secrets that cannot be generated on demand (use Vault's KV secrets engine for those); dynamic secrets are for credentials that the target system can create and revoke programmatically, so that each consumer receives its own short-lived credential instead of a shared long-lived one.

Prerequisites

  • HashiCorp Vault 1.15+ (Community or Enterprise edition)
  • Vault server initialized and unsealed with auto-unseal configured (AWS KMS, Azure Key Vault, or Transit)
  • Target database systems with admin credentials for Vault to create/revoke dynamic accounts
  • AWS IAM account with permissions to create/delete IAM users and access keys

First Seen: Apr 11, 2026