Vault (Secrets Management) Cheat Sheet
Reference for HashiCorp Vault covering the CLI, KV secrets engine, dynamic secrets, authentication methods, and policies.
2 PagesAdvancedJan 28, 2026
CLI Basics
Core commands for interacting with a Vault server.
bash
vault status # Check seal/init statusvault login -method=userpass username=alice # Authenticatevault secrets list # List enabled secrets enginesvault secrets enable -path=secret kv-v2 # Enable KV v2 enginevault kv put secret/app db_password=s3cr3t # Write a secretvault kv get secret/app # Read a secretvault kv delete secret/app # Soft delete (v2)
Dynamic Database Secrets
Generating short-lived, auto-expiring database credentials.
bash
vault secrets enable databasevault write database/config/mydb \ plugin_name=postgresql-database-plugin \ connection_url="postgresql://{{username}}:{{password}}@db:5432/app" \ allowed_roles="readonly" \ username="vaultadmin" password="adminpass"vault write database/roles/readonly \ db_name=mydb \ creation_statements="CREATE ROLE \"{{name}}\" WITH LOGIN PASSWORD '{{password}}' VALID UNTIL '{{expiration}}'; GRANT SELECT ON ALL TABLES IN SCHEMA public TO \"{{name}}\";" \ default_ttl="1h" max_ttl="24h"vault read database/creds/readonly # Generates a new short-lived credential
Policy Definition (HCL)
Least-privilege access policy restricting path capabilities.
hcl
# app-policy.hclpath "secret/data/app/*" { capabilities = ["read", "list"]}path "database/creds/readonly" { capabilities = ["read"]}# Apply it:# vault policy write app-policy app-policy.hcl# vault token create -policy="app-policy"
Authentication Methods
Common ways clients and services authenticate to Vault.
- token- The default, most primitive auth method; every request ultimately resolves to a token
- userpass- Simple username/password authentication, mainly for humans or testing
- approle- Machine-to-machine auth using a RoleID + SecretID pair, common for CI/CD and apps
- kubernetes- Authenticates pods using their projected Kubernetes service account JWT
- aws (IAM/EC2)- Authenticates using AWS IAM credentials or EC2 instance identity documents
- ldap / oidc- Delegates authentication to an existing LDAP directory or OIDC identity provider
Core Concepts
Foundational Vault mechanisms for secrets and access control.
- Seal / Unseal- Vault starts sealed (data encrypted, inaccessible); unsealing requires a threshold of unseal keys (Shamir's Secret Sharing)
- KV v2 versioning- KV v2 engine keeps a version history of secrets and supports soft delete/undelete/destroy
- Dynamic secrets- Credentials generated on-demand with a TTL, automatically revoked on lease expiry
- Leases & renewal- Most non-token secrets are leased; clients must renew before the lease's TTL expires
- Transit secrets engine- Encryption-as-a-service ('encrypt/decrypt') without Vault storing the plaintext
- Policies- HCL rules granting capabilities (read/write/list/delete/sudo) on specific secret paths
Pro Tip
Favor dynamic secrets engines (database, AWS, PKI) over static KV secrets wherever possible — short-lived, auto-revoked credentials drastically shrink the blast radius of a leaked secret compared to long-lived static ones.
Was this cheat sheet helpful?
Explore Topics
#VaultSecretsManagement#VaultSecretsManagementCheatSheet#DevOps#Advanced#CLIBasics#DynamicDatabaseSecrets#PolicyDefinitionHCL#AuthenticationMethods#Functions#Security#CommandLine#CheatSheet#SkillVeris
Advertisement
Sri Hayavadhana Info-Tech
Professional Web Designing Services
- Responsive Websites
- E-commerce Solutions
- SEO Friendly Design
- Fast & Secure
- Support & Maintenance