Vault
Manage 3rd-party secrets
Integrate Vault with the other elements of your development environment. Generate and revoke on-demand credentials for database systems and cloud providers like AWS, and control access to external information like encryption keys and cloud credentials.
Manage DB credentials
Use available database plugins to manage static and dynamic database credentials with Vault.
Plugins for static credentials map internal Vault roles 1-to-1 to usernames in a database. With static roles, Vault stores and automatically rotates passwords for the associated database user based on a configurable period of time or rotation schedule.
Plugins for dynamic database credentials generate database credentials on-demand for clients based on pre-configured roles in Vault. Vault also uses leases to automatically revoke and rotate credentials over time. Every client accesses the database with unique credentials so tracing and auditing data access is easier.
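The static and dynamic roles described above, set up side by side with the Vault CLI's database secrets engine for PostgreSQL. This is an added example, not part of the original page; the mount path, connection name, role names, database user, host and the `PG_ADMIN_*` variables are constructed placeholders.

```shell
#!/bin/sh
# Added example: static vs dynamic roles on Vault's database secrets engine.
# Constructed names (assumptions): mount "database", connection "appdb",
# roles "reporting-static" / "app-dynamic", DB user "reporting_svc",
# host db.example.internal. Needs VAULT_ADDR and VAULT_TOKEN when applied.

DB_MOUNT="database"
DB_CONN="appdb"

# Register the PostgreSQL connection Vault uses to manage database users.
configure_connection() {
  vault write "$DB_MOUNT/config/$DB_CONN" \
    plugin_name="postgresql-database-plugin" \
    allowed_roles="reporting-static,app-dynamic" \
    connection_url="postgresql://{{username}}:{{password}}@db.example.internal:5432/app" \
    username="$PG_ADMIN_USER" password="$PG_ADMIN_PASSWORD"
}

# Static role: maps 1-to-1 to an existing DB user; Vault stores and rotates
# that user's password every rotation_period seconds.
create_static_role() {
  vault write "$DB_MOUNT/static-roles/reporting-static" \
    db_name="$DB_CONN" username="reporting_svc" rotation_period="86400"
}

# Dynamic role: each read creates a new DB user bound to a lease; Vault
# revokes the user when the lease expires.
create_dynamic_role() {
  vault write "$DB_MOUNT/roles/app-dynamic" \
    db_name="$DB_CONN" default_ttl="1h" max_ttl="24h" \
    creation_statements="CREATE ROLE \"{{name}}\" WITH LOGIN PASSWORD '{{password}}' VALID UNTIL '{{expiration}}'; GRANT SELECT ON ALL TABLES IN SCHEMA public TO \"{{name}}\";"
}

# Talk to a real Vault server only when asked: ./db-roles.sh apply
if [ "${1:-}" = "apply" ]; then
  set -eu
  vault secrets enable -path="$DB_MOUNT" database
  configure_connection
  create_static_role
  create_dynamic_role
  vault read "$DB_MOUNT/static-creds/reporting-static"  # same username, rotated password
  vault read "$DB_MOUNT/creds/app-dynamic"              # new username, password, lease_id
  # Revoke every outstanding credential issued from the dynamic role at once.
  vault lease revoke -prefix "$DB_MOUNT/creds/app-dynamic"
fi
```

Because each dynamic credential carries its own lease, the final `vault lease revoke -prefix` call cuts off every client of that role without touching the static user.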
Manage cloud credentials
Third-party secret engines dynamically generate service principals with the applicable role and group assignments mapped to internal Vault roles. Vault then associates each service principal with a lease and automatically rotates or revokes the service principal when the lease expires.
Manage encryption keys
To work with cloud providers, you often need to use encryption keys issued and stored by the provider in their own key management system (KMS). You also need to maintain a root of trust both in and out of the cloud for the security of your applications.
Vault provides centralized management for the distribution and lifecycle of cloud provider keys while letting you leverage the cryptographic capabilities native to your KMS providers.