100% Free Forever
AI-Powered Learning
Industry Expert Content
Certificates & Badges
Learn At Your Own Pace

Vault (Secrets Management) Cheat Sheet

Vault (Secrets Management) Cheat Sheet

Reference for HashiCorp Vault covering the CLI, KV secrets engine, dynamic secrets, authentication methods, and policies.

2 PagesAdvancedJan 28, 2026

CLI Basics

Core commands for interacting with a Vault server.

bash
vault status                             # Check seal/init statusvault login -method=userpass username=alice   # Authenticatevault secrets list                        # List enabled secrets enginesvault secrets enable -path=secret kv-v2   # Enable KV v2 enginevault kv put secret/app db_password=s3cr3t # Write a secretvault kv get secret/app                   # Read a secretvault kv delete secret/app                # Soft delete (v2)

Dynamic Database Secrets

Generating short-lived, auto-expiring database credentials.

bash
vault secrets enable databasevault write database/config/mydb \  plugin_name=postgresql-database-plugin \  connection_url="postgresql://{{username}}:{{password}}@db:5432/app" \  allowed_roles="readonly" \  username="vaultadmin" password="adminpass"vault write database/roles/readonly \  db_name=mydb \  creation_statements="CREATE ROLE \"{{name}}\" WITH LOGIN PASSWORD '{{password}}' VALID UNTIL '{{expiration}}'; GRANT SELECT ON ALL TABLES IN SCHEMA public TO \"{{name}}\";" \  default_ttl="1h" max_ttl="24h"vault read database/creds/readonly   # Generates a new short-lived credential

Policy Definition (HCL)

Least-privilege access policy restricting path capabilities.

hcl
# app-policy.hclpath "secret/data/app/*" {  capabilities = ["read", "list"]}path "database/creds/readonly" {  capabilities = ["read"]}# Apply it:# vault policy write app-policy app-policy.hcl# vault token create -policy="app-policy"

Authentication Methods

Common ways clients and services authenticate to Vault.

  • token- The default, most primitive auth method; every request ultimately resolves to a token
  • userpass- Simple username/password authentication, mainly for humans or testing
  • approle- Machine-to-machine auth using a RoleID + SecretID pair, common for CI/CD and apps
  • kubernetes- Authenticates pods using their projected Kubernetes service account JWT
  • aws (IAM/EC2)- Authenticates using AWS IAM credentials or EC2 instance identity documents
  • ldap / oidc- Delegates authentication to an existing LDAP directory or OIDC identity provider

Core Concepts

Foundational Vault mechanisms for secrets and access control.

  • Seal / Unseal- Vault starts sealed (data encrypted, inaccessible); unsealing requires a threshold of unseal keys (Shamir's Secret Sharing)
  • KV v2 versioning- KV v2 engine keeps a version history of secrets and supports soft delete/undelete/destroy
  • Dynamic secrets- Credentials generated on-demand with a TTL, automatically revoked on lease expiry
  • Leases & renewal- Most non-token secrets are leased; clients must renew before the lease's TTL expires
  • Transit secrets engine- Encryption-as-a-service ('encrypt/decrypt') without Vault storing the plaintext
  • Policies- HCL rules granting capabilities (read/write/list/delete/sudo) on specific secret paths
Pro Tip

Favor dynamic secrets engines (database, AWS, PKI) over static KV secrets wherever possible — short-lived, auto-revoked credentials drastically shrink the blast radius of a leaked secret compared to long-lived static ones.

Was this cheat sheet helpful?

Explore Topics

#VaultSecretsManagement#VaultSecretsManagementCheatSheet#DevOps#Advanced#CLIBasics#DynamicDatabaseSecrets#PolicyDefinitionHCL#AuthenticationMethods#Functions#Security#CommandLine#CheatSheet#SkillVeris
Advertisement
Sri Hayavadhana Info-Tech

Professional Web Designing Services

  • Responsive Websites
  • E-commerce Solutions
  • SEO Friendly Design
  • Fast & Secure
  • Support & Maintenance
Get a Free Quote

Share this Cheat Sheet