Vault Secret Management

How does one add secrets to Vault? The only option we see is the CLI commands (or via UI). Is it possible to have some sort of overview like PR reviews in GitHub before the secret is added or modified in Vault?

Managing plaintext secrets in a private GitHub repo makes GitHub the weakest link. How does the Ops team manage version-controlled, audited secret management?

For static secrets, I don’t think there are many other options. Fundamentally a person or machine has to upload each static secret to Vault, and given that Vault is meant to be the only thing you trust with all the secrets, centralising the management of static secrets outside of Vault would defeat one of the main value propositions.

I think one of the main tools to help secret management scale is to use dynamic secrets. e.g.:

  • All database plugins support dynamic roles
  • Cloud secret engines like AWS support many dynamic short-lived credentials using a root credential
  • OpenLDAP supports dynamic credentials
  • And many more

Version control can be used for the Terraform used to configure Vault if you use the Vault Terraform provider, but otherwise the flow is going to be a little different. With regards to auditing, Vault does have auditing built-in, but again, the flow there is probably a little different to what you were imagining.
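As an added illustration of the answer above (not the poster's own code), here is how the pieces fit together with the Vault Terraform provider: the database secrets engine is mounted and given a dynamic role, so only the engine's root credential is ever a static secret, and it is passed in as a variable rather than committed. The Vault address, the PostgreSQL connection URL, the role name and the audit log path are assumed placeholder values.

```hcl
# Assumed: the Vault provider reads VAULT_ADDR / VAULT_TOKEN from the environment.
terraform {
  required_providers {
    vault = { source = "hashicorp/vault" }
  }
}

# The one static secret: the database root credential. It is supplied at apply
# time (TF_VAR_db_root_password, or a CI secret), never stored in the repo.
variable "db_root_password" {
  type      = string
  sensitive = true
}

# Mount the database secrets engine; this block is what gets PR-reviewed.
resource "vault_mount" "db" {
  path = "database"
  type = "database"
}

# Connection to the backing database, restricted to the roles listed below.
resource "vault_database_secret_backend_connection" "postgres" {
  backend       = vault_mount.db.path
  name          = "app-postgres"
  allowed_roles = ["app-readonly"]

  postgresql {
    # Placeholder host; the password is templated in by Vault from the variable.
    connection_url = "postgresql://vault:${var.db_root_password}@db.example.internal:5432/app?sslmode=require"
  }
}

# Dynamic role: every read of database/creds/app-readonly creates a fresh,
# short-lived database user that Vault revokes when the lease expires.
resource "vault_database_secret_backend_role" "readonly" {
  backend     = vault_mount.db.path
  name        = "app-readonly"
  db_name     = vault_database_secret_backend_connection.postgres.name
  default_ttl = 3600   # 1 hour
  max_ttl     = 86400  # 1 day
  creation_statements = [
    "CREATE ROLE \"{{name}}\" WITH LOGIN PASSWORD '{{password}}' VALID UNTIL '{{expiration}}';",
    "GRANT SELECT ON ALL TABLES IN SCHEMA public TO \"{{name}}\";",
  ]
}

# Built-in audit device: every credential issuance and lease revocation is logged.
resource "vault_audit" "file" {
  type    = "file"
  options = { file_path = "/var/log/vault/audit.log" } # placeholder path
}
```

The Terraform plan in a pull request shows reviewers the engine, role, TTLs and audit device that will change, while the root password itself never appears in the diff.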