implementing-secrets-management-with-vault
Installation
SKILL.md
Implementing Secrets Management with Vault
When to Use
- When applications store database passwords, API keys, or certificates in environment variables or config files
- When migrating from static long-lived credentials to dynamic short-lived secrets
- When Kubernetes workloads need secure access to database credentials or cloud provider APIs
- When compliance requirements mandate centralized credential management with audit logging
- When CI/CD pipelines contain hardcoded secrets that represent supply chain risk
Do not use for AWS-only environments where AWS Secrets Manager suffices without multi-cloud requirements, for application-level encryption logic (though Vault Transit can help), or for identity federation (see managing-cloud-identity-with-okta).
Prerequisites
- HashiCorp Vault server deployed in HA mode (Consul or Raft storage backend)
- TLS certificates for Vault listener endpoints
- Vault Enterprise license for namespaces, Sentinel policies, and replication (optional)
- Kubernetes cluster with Vault Agent Injector or CSI provider for workload integration