HashiCorp Cloud Platform
Remediate leaked secrets
HCP Vault Radar can scan for secrets leaked in your code.
Create an incident
Leaked secrets can lead to unauthorized access to your services. To prevent malicious activity, we recommend rotating and storing the secret in Vault.
- Follow your organization’s guidelines for emergency rotation of a secret.
- Determine if your company already uses HashiCorp Vault.
Store secrets in Vault KVv2 secret engine
This example uses the KVv2 secrets engine and AppRole auth method. If your application is already configured to access secrets in Vault, use existing secrets engines and auth methods.
Note
Before getting started, install the Vault CLI.
Set the following environment variables in your local environment:
- VAULT_TOKEN
- VAULT_ADDR
- VAULT_NAMESPACE
Note
Make sure you know your Namespace and Mount path.
Add the secret to the Vault KV version 2 secrets engine.
$ vault kv put -mount=mount-path my-secret my-secret-value=secret-value
Read the secret to confirm it is stored correctly.
$ vault kv get -mount=mount-path my-secret
Create a policy to allow read access to the secret in the KVv2 secrets engine. KV version 2 serves secret data under the path mount-path/data/my-secret, so that is the path the policy must grant, not the bare secret name.
$ vault policy write my-policy -<<EOF
# KV v2 exposes secret data under <mount>/data/<name>
path "mount-path/data/my-secret" {
  capabilities = [ "read" ]
}
EOF
Enable the AppRole authentication method.
$ vault auth enable approle
Note
Refer to this documentation to learn more about other authentication methods that Vault supports.
Create a role and attach the policy.
$ vault write auth/approle/role/my-role \
    token_policies=my-policy
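How an application consumes the secret once the policy and role above exist, as an added example that is not HashiCorp's code. It talks to the Vault HTTP API with only the standard library: an AppRole login at auth/approle/login returns a client token carrying my-policy, and a GET on mount-path/data/my-secret returns the KV v2 document, whose user data sits under data.data. It assumes VAULT_ADDR and VAULT_NAMESPACE as set on this page, plus the role's role_id and secret_id (Vault issues these from the role's role-id and secret-id endpoints) supplied in the constructed environment variables ROLE_ID and SECRET_ID. The transport is injectable so the flow can be checked without a running server.

```python
# Added example (not HashiCorp's code): AppRole login + KV v2 read over the Vault HTTP API.
# Assumed inputs: VAULT_ADDR, VAULT_NAMESPACE (from this page) and the constructed
# ROLE_ID / SECRET_ID variables holding the AppRole credentials for "my-role".
import json
import os
import urllib.request
from typing import Callable, Optional

# A transport takes (method, url, headers, json_body) and returns the decoded JSON response.
Transport = Callable[[str, str, dict, Optional[dict]], dict]


def kv2_data_path(mount: str, name: str) -> str:
    """Build the API path for a KV v2 secret.

    KV v2 serves secret versions under <mount>/data/<name>; the read policy on
    this page must grant the same path, not the bare secret name.
    """
    return f"{mount.strip('/')}/data/{name.strip('/')}"


def extract_field(response: dict, field: str) -> str:
    """Pull one key out of a KV v2 read response, which nests user data under data.data."""
    try:
        payload = response["data"]["data"]
    except (KeyError, TypeError):
        raise ValueError("not a KV v2 read response") from None
    if field not in payload:
        raise KeyError(f"field {field!r} not present in secret")
    return payload[field]


def http_json(method: str, url: str, headers: dict, body: Optional[dict]) -> dict:
    """Default transport: one JSON request against the Vault HTTP API."""
    data = json.dumps(body).encode() if body is not None else None
    req = urllib.request.Request(url, data=data, method=method, headers=headers)
    with urllib.request.urlopen(req, timeout=10) as resp:
        return json.load(resp)


class VaultClient:
    def __init__(self, addr: str, namespace: str = "", transport: Transport = http_json):
        self.addr = addr.rstrip("/")
        self.namespace = namespace
        self._transport = transport  # injectable so the flow can be exercised offline

    def _call(self, method: str, path: str, body: Optional[dict] = None, token: str = "") -> dict:
        headers = {"Content-Type": "application/json"}
        if token:
            headers["X-Vault-Token"] = token
        if self.namespace:
            headers["X-Vault-Namespace"] = self.namespace
        return self._transport(method, f"{self.addr}/v1/{path}", headers, body)

    def approle_login(self, role_id: str, secret_id: str) -> str:
        """Exchange AppRole credentials for a client token limited to the role's policies."""
        resp = self._call("POST", "auth/approle/login",
                          {"role_id": role_id, "secret_id": secret_id})
        return resp["auth"]["client_token"]

    def read_kv2_field(self, token: str, mount: str, name: str, field: str) -> str:
        resp = self._call("GET", kv2_data_path(mount, name), token=token)
        return extract_field(resp, field)


def fetch_my_secret(client: VaultClient, role_id: str, secret_id: str) -> str:
    """End-to-end flow for the secret written on this page: login, then read one field."""
    token = client.approle_login(role_id, secret_id)
    return client.read_kv2_field(token, "mount-path", "my-secret", "my-secret-value")


if __name__ == "__main__":
    client = VaultClient(os.environ["VAULT_ADDR"], os.environ.get("VAULT_NAMESPACE", ""))
    value = fetch_my_secret(client, os.environ["ROLE_ID"], os.environ["SECRET_ID"])
    # Confirm retrieval without writing the value itself to stdout or logs.
    print(f"fetched my-secret-value ({len(value)} chars)")
```

The client token returned by the login is only as powerful as my-policy allows, which is the point of attaching a read-only policy to the role rather than handing the application a broader token.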
Remove the secret from code
Now that the secret is available from Vault, remove the hardcoded secret from the source code. This example uses an environment variable to store the secret from Vault.
Populate the environment variable MY_SECRET with the secret and start your local server.
$ export MY_SECRET=$(vault kv get -mount=mount-path -field=my-secret-value my-secret)
Start the application.
$ run-my-app
Remove the secret from source and add a reference to the secret stored at the environment variable MY_SECRET.
mySecret = getenv("MY_SECRET")
Note
If you are not using an environment variable to read the secret, here are some other ways to store or retrieve secrets from Vault:
- Create secrets with the Vault secrets operator for Kubernetes.
- Use Vault Enterprise secret sync for services like Vercel or Heroku.
- Read and reload secrets in Spring.
- If you do not use environment variables, refer to the Vault API documentation.
Revoke the secret
Revoke the secret to complete the remediation process.
- Validate that the environment variable is populated from Vault.
- Deploy and test the application.
- Work with the service owner to rotate the secret stored in Vault.
Update the secret value in Vault.
$ vault kv put -mount=mount-path my-secret my-secret-value=new-value