Implementing Secrets Management with Vault

When to Use

  • When applications store database passwords, API keys, or certificates in environment variables or config files
  • When migrating from static long-lived credentials to dynamic short-lived secrets
  • When Kubernetes workloads need secure access to database credentials or cloud provider APIs
  • When compliance requirements mandate centralized credential management with audit logging
  • When CI/CD pipelines contain hardcoded secrets that represent a supply chain risk

Do not use for AWS-only environments with no multi-cloud requirements, where AWS Secrets Manager suffices; for application-level encryption logic (though Vault Transit can help); or for identity federation (see managing-cloud-identity-with-okta).

Prerequisites

  • HashiCorp Vault server deployed in HA mode (Consul or Raft storage backend)
  • TLS certificates for Vault listener endpoints
  • Vault Enterprise license for namespaces, Sentinel policies, and replication (optional)
  • Kubernetes cluster with Vault Agent Injector or CSI provider for workload integration
First Seen
Mar 18, 2026