HashiCorp Vault
Manage secrets, dynamic credentials, and encryption with HashiCorp Vault. Generates policies, auth method configs (Kubernetes, AWS IAM, OIDC), dynamic database credentials, PKI, transit encryption, and Vault Agent templates.
This skill covers HashiCorp Vault end-to-end: writing least-privilege HCL policies, configuring auth methods (Kubernetes service accounts, AWS IAM, OIDC, AppRole), setting up dynamic secrets engines for Postgres/MySQL/AWS, PKI for short-lived certificates, transit secrets for encryption-as-a-service, and Vault Agent for sidecar injection. It also covers HA Raft clusters, auto-unseal, audit logging, and the Vault Operator for Kubernetes.
When to use
Use when setting up Vault for application secrets, rotating database credentials, issuing short-lived certificates, configuring Kubernetes auth, or migrating off static secrets.
Examples
Dynamic DB credentials
Rotate Postgres creds with Vault
Configure Vault's database secrets engine to issue dynamic Postgres credentials with 1-hour TTL, write a policy granting my app role access, and show me the Vault Agent template to inject the creds
K8s auth method
Let pods authenticate via service account
Set up Vault's Kubernetes auth method so pods can authenticate using their service account JWT, create a role binding it to a policy, and show me the Agent sidecar config