HashiCorp Vault for Secrets
Vault for static secrets; the dev mode gets you started without operational complexity.
Step 1: Run Vault dev
Vault dev mode is the fastest way to a working Vault instance. Single binary, in-memory storage, root token printed to the console.
- Boot. vault server -dev launches Vault with dev defaults; the root token is printed at startup.
- Environment. export VAULT_ADDR='http://127.0.0.1:8200' so the CLI knows where to talk.
- Login. vault login <root-token> establishes your session; the token comes from the dev startup output.
- Ephemeral. Storage is in-memory; a restart wipes everything; perfect for a tutorial, fatal for production.
Step 2: Auth + write
- Write. vault kv put secret/myapp api_key=abc123 stores the key/value pair at secret/myapp.
- Verify. vault kv get secret/myapp reads it back.
Step 3: Read from app
Apps read secrets via CLI, SDK, or sidecar injector. The choice depends on your runtime; the principle stays the same.
- CLI read. vault kv get -format=json secret/myapp; useful for shell scripts and CI jobs.
- SDK read. Per-language Vault clients; standard for production apps.
- Token availability. The app needs a Vault token; sourced from auth method, not hardcoded.
- K8s injector. Vault Agent injector mounts secrets as files into pods; no app code change needed.
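An added example, not code from this page or from HashiCorp: a standard-library Python client that reads secret/myapp over the HTTP API the way an SDK would, taking the token from the VAULT_TOKEN environment variable rather than app config. The KV v2 path mapping and the data.data response shape are Vault's; the function names are my own.

```python
"""Read a KV v2 secret from Vault using only the standard library.

Constructed example, not HashiCorp's SDK. Assumes the dev defaults above:
KV v2 at secret/, VAULT_ADDR set, token supplied via VAULT_TOKEN only.
"""
import json
import os
import urllib.request
from typing import Any, Dict


def kv2_data_url(vault_addr: str, path: str) -> str:
    """Map a CLI path such as 'secret/myapp' to the KV v2 HTTP endpoint.
    KV v2 inserts '/data/' between mount and key, so 'secret/myapp'
    becomes '<addr>/v1/secret/data/myapp'.
    """
    mount, _, key = path.strip("/").partition("/")
    if not mount or not key:
        raise ValueError(f"expected '<mount>/<key>', got {path!r}")
    return f"{vault_addr.rstrip('/')}/v1/{mount}/data/{key}"


def parse_kv2_response(body: str) -> Dict[str, Any]:
    """Return the secret map from a KV v2 read response.

    The API wraps user data twice: data.data holds the key/value pairs,
    data.metadata holds the version. Anything else is not a secret.
    """
    doc = json.loads(body)
    try:
        return doc["data"]["data"]
    except (KeyError, TypeError):
        raise ValueError("not a KV v2 read response: missing data.data") from None


def read_secret(path: str) -> Dict[str, Any]:
    """Fetch a secret; address and token come from the environment only."""
    addr = os.environ.get("VAULT_ADDR", "http://127.0.0.1:8200")
    token = os.environ.get("VAULT_TOKEN", "")
    if not token:
        raise RuntimeError("VAULT_TOKEN is not set; obtain one via an auth method")
    req = urllib.request.Request(kv2_data_url(addr, path),
                                 headers={"X-Vault-Token": token})
    with urllib.request.urlopen(req, timeout=5) as resp:
        return parse_kv2_response(resp.read().decode())


if __name__ == "__main__":
    print(read_secret("secret/myapp")["api_key"])
```

Against the dev server from Step 1, export VAULT_TOKEN=<root-token> and run the file to print abc123; a missing token fails fast instead of falling back to anything embedded in the code.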
Step 4: Production considerations
Dev mode does not survive production. Four pieces have to land before Vault is real infrastructure.
- HA backend. Replace in-memory storage with Raft (built-in) or Consul; this provides high availability and unseal coordination across nodes.
- Auth methods. Per-workload identity: Kubernetes service accounts, AWS IAM, JWT, OIDC; never reuse the root token.
- Audit log. Enable an audit device to file or syslog; every secret access is logged for compliance.
- Key backup. Unseal keys split via Shamir; backed up to a secure location; lose them and the data is unreachable.
Antipatterns
- Dev mode in production. Secrets gone on restart.
- Root token in app config. Defeats Vault.
- No auth method per workload. Wide blast radius.
What to do this week
Three moves. (1) Run the tutorial end-to-end on your own laptop / sandbox. (2) Apply the pattern to one production workload. (3) Document the variations you needed; share with the team.