Well-Architected Framework
Prevent leaked secrets with credential management
Organizations face constant risk from leaked secrets and exposed credentials. Credential management strategies eliminate static, long-lived secrets by replacing them with dynamic credentials and storing all secrets in centralized platforms with strong access controls.
Prevent secret leaks with the following credential management strategies:
- Dynamic credentials: Use short-lived, automatically rotating credentials
- Workload identity federation: Eliminate static service account credentials
- Centralized secret management: Store and retrieve secrets from a secrets management platform
Why use dynamic credentials and centralized management
Eliminate static credentials in version control: Long-lived API keys, database passwords, and service account credentials often end up committed to Git repositories, configuration files, and CI/CD systems. Once committed, these secrets remain accessible even after rotation.
Enable credential rotation at scale: Organizations managing hundreds of applications and services cannot reliably rotate static credentials manually. Forgotten credentials remain active for months or years, increasing the window of exposure if leaked.
Gain visibility into secret usage: When secrets exist in multiple locations, such as environment variables, configuration management systems, CI/CD platforms, and developer workstations, security teams lose visibility into what secrets exist and where they're used.
Reduce persistent unauthorized access: Traditional approaches provision long-lived service accounts for application authentication. These credentials rarely rotate and provide permanent access if compromised, making them high-value targets for attackers.
Use dynamic credentials
Dynamic credentials are short-lived credentials generated on demand and valid for a limited time. Dynamic credentials are useful in scenarios where SSO integration is not available. Because these credentials are valid for a limited time, the risk of exposing the secret is reduced.
HashiCorp Vault generates dynamic credentials for a variety of systems, including AWS, Azure, GCP, HCP Terraform, and several database platforms. When your application needs to access a cloud service or database, Vault generates credentials with a specific time-to-live (TTL). When the TTL expires, Vault automatically revokes the credentials.
Dynamic credentials provide the following benefits:
- Credentials exist only for the duration of a specific task or session.
- Automatic revocation eliminates the need for manual rotation.
- Each workload receives unique credentials, improving audit trails.
- Compromised credentials have limited validity, reducing breach impact.
- No long-lived credentials to store in code or configuration.
You can configure your application to request dynamic credentials from Vault before connecting to a cloud service provider or backend database. You can also use the HCP Terraform secrets engine to generate dynamic credentials for different Terraform providers. This lets Terraform provision the defined resources without storing static credentials.
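The lease handling an application needs around dynamic credentials is easy to get wrong: the credential is only usable until its TTL runs out, so the client has to renew it before expiry, request a fresh one if it has already lapsed, and revoke it as soon as the work is done. The following Python block is an added example, not HashiCorp's code and not the Vault client library. It uses a constructed FakeVaultClient whose responses copy the shape that hvac returns for the database secrets engine (lease_id, lease_duration, data.username, data.password); with a real client, generate_credentials, renew_lease and revoke_lease would be wrappers around client.secrets.database.generate_credentials, client.sys.renew_lease and client.sys.revoke_lease. The role name "app" and the 3600-second TTL are constructed values.

```python
from dataclasses import dataclass


@dataclass
class DynamicCredential:
    """One short-lived credential plus the lease metadata Vault returned with it."""
    username: str
    password: str
    lease_id: str
    issued_at: float      # epoch seconds when the lease was issued or last renewed
    lease_duration: int   # TTL in seconds assigned by Vault

    def seconds_remaining(self, now):
        return max(0.0, self.issued_at + self.lease_duration - now)

    def needs_renewal(self, now, fraction=0.5):
        """True once less than `fraction` of the TTL is left."""
        return self.seconds_remaining(now) < self.lease_duration * fraction


class FakeVaultClient:
    """Constructed stand-in for a Vault client (not hvac, no network). Responses
    mimic the database secrets engine: a lease id, a lease duration, and a
    unique username/password pair per request."""

    def __init__(self, ttl=3600):
        self.ttl = ttl
        self.issued = 0
        self.revoked = []

    def generate_credentials(self, role):
        self.issued += 1
        return {
            "lease_id": f"database/creds/{role}/lease-{self.issued}",
            "lease_duration": self.ttl,
            "data": {"username": f"v-{role}-{self.issued}",
                     "password": f"pw-{self.issued}"},
        }

    def renew_lease(self, lease_id, increment):
        return {"lease_id": lease_id, "lease_duration": increment}

    def revoke_lease(self, lease_id):
        self.revoked.append(lease_id)


def request_credential(client, role, now):
    """Ask Vault for a fresh credential; nothing long-lived is stored anywhere."""
    resp = client.generate_credentials(role)
    return DynamicCredential(
        username=resp["data"]["username"],
        password=resp["data"]["password"],
        lease_id=resp["lease_id"],
        issued_at=now,
        lease_duration=resp["lease_duration"],
    )


def keep_valid(client, cred, role, now):
    """Return a credential usable at `now`: the same object if plenty of TTL is
    left, a renewed lease if it is past the renewal point, or a brand-new
    credential if the lease already expired (renewal is impossible then)."""
    if cred.seconds_remaining(now) == 0:
        return request_credential(client, role, now)
    if cred.needs_renewal(now):
        resp = client.renew_lease(cred.lease_id, increment=cred.lease_duration)
        return DynamicCredential(cred.username, cred.password,
                                 resp["lease_id"], now, resp["lease_duration"])
    return cred


def release(client, cred):
    """Revoke as soon as the task finishes rather than waiting for the TTL."""
    client.revoke_lease(cred.lease_id)
    return cred.lease_id


if __name__ == "__main__":
    vault = FakeVaultClient(ttl=3600)
    cred = request_credential(vault, "app", now=0)
    cred = keep_valid(vault, cred, "app", now=2000)   # renewed: under half the TTL left
    cred = keep_valid(vault, cred, "app", now=10000)  # expired: a new lease is issued
    print("revoked", release(vault, cred))
```

The renewal threshold (half the TTL) and the fall-through to a new request are the two decisions the paragraph leaves to the application; if a workload skips them, the first connection after expiry fails with a revoked credential rather than a leaked one, which is the intended failure mode.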
Workload identity federation
Workload identity federation (WIF) removes static credentials by creating trust relationships between systems. For example, GitHub Actions can authenticate to AWS without storing any AWS credentials. Once you complete the WIF configuration, Vault creates dynamic credentials in the target platform. Compare this with conventional methods, where you provision a long-lived service account with a key or password that you must manually manage and rotate. With WIF, the systems trust each other directly, so there is no service account secret to leak. The service that provisions the dynamic credential revokes it when the workflow completes or the TTL expires.
SSO and WIF diverge in that WIF uses the trust relationship to provision temporary, dynamic credentials. These credentials have a short TTL, so the risk is limited if they are exposed. The configured services manage the credentials themselves, eliminating the need to revoke, renew, or replace them manually.
Vault Enterprise supports WIF integration with AWS, Azure, and GCP. With WIF, you can configure the cloud provider auth method or secrets engine without static service accounts.
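What the "trust relationship" in WIF amounts to in practice is a set of checks the credential-issuing side runs on the identity token a workload presents: the token must come from the expected issuer, be minted for this audience, still be within its validity window, and name a subject that is bound to the role. The following Python block is an added example, not Vault's or any cloud provider's implementation, that models those checks and then bounds the TTL of the credential it would issue. It assumes the token's signature has already been verified against the issuer's published keys (that step is not shown), and the audience value, organization and repository in the sample claims are constructed; the issuer URL and the repo:ORG/REPO:ref:... subject format are the ones GitHub Actions uses.

```python
import fnmatch
from dataclasses import dataclass


@dataclass(frozen=True)
class TrustPolicy:
    """What the issuing side trusts: one issuer, one audience, and glob patterns
    naming the workload subjects allowed to federate."""
    issuer: str
    audience: str
    allowed_subjects: tuple
    max_lifetime: int = 900   # reject tokens whose own validity window exceeds this


def evaluate_trust(claims, policy, now):
    """Decide whether decoded identity-token claims satisfy the trust policy.

    Assumes the token signature was already verified against the issuer's keys.
    Returns (accepted, reason) so callers can log why a login was refused."""
    if claims.get("iss") != policy.issuer:
        return False, "issuer not trusted"
    aud = claims.get("aud")
    audiences = aud if isinstance(aud, list) else [aud]
    if policy.audience not in audiences:
        return False, "token was not minted for this audience"
    exp, iat = claims.get("exp"), claims.get("iat")
    if not isinstance(exp, int) or not isinstance(iat, int):
        return False, "missing exp/iat"
    if now >= exp:
        return False, "token expired"
    if claims.get("nbf", iat) > now:
        return False, "token not yet valid"
    if exp - iat > policy.max_lifetime:
        return False, "token lifetime exceeds policy"
    sub = claims.get("sub", "")
    if not any(fnmatch.fnmatchcase(sub, pat) for pat in policy.allowed_subjects):
        return False, "subject not bound to this role"
    return True, "accepted"


def issue_credential(claims, policy, now, desired_ttl):
    """If the token is trusted, return a constructed credential record whose TTL
    never outlives the presented token or the policy maximum; None otherwise."""
    ok, _reason = evaluate_trust(claims, policy, now)
    if not ok:
        return None
    ttl = min(desired_ttl, claims["exp"] - now, policy.max_lifetime)
    return {"subject": claims["sub"], "ttl": ttl, "expires_at": now + ttl}


# Constructed policy: only the main branch of one repository may federate.
GITHUB_POLICY = TrustPolicy(
    issuer="https://token.actions.githubusercontent.com",
    audience="vault.example.com",
    allowed_subjects=("repo:example-org/payments:ref:refs/heads/main",),
)

# Constructed claims in the shape of a GitHub Actions OIDC token payload.
SAMPLE_CLAIMS = {
    "iss": "https://token.actions.githubusercontent.com",
    "aud": "vault.example.com",
    "sub": "repo:example-org/payments:ref:refs/heads/main",
    "iat": 1_700_000_000,
    "exp": 1_700_000_300,
}

if __name__ == "__main__":
    now = 1_700_000_100
    print(evaluate_trust(SAMPLE_CLAIMS, GITHUB_POLICY, now))
    print(issue_credential(SAMPLE_CLAIMS, GITHUB_POLICY, now, desired_ttl=3600))
```

The subject binding is the check that does the real work: a token from the same issuer and audience but for a feature branch or a different repository is refused, which is what keeps the trust relationship from becoming an organization-wide credential. Bounding the issued TTL by the token's remaining lifetime keeps the dynamic credential from outliving the identity that requested it.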
Centralize secret management with Vault
Centralized secret management consolidates all organizational secrets into a single platform with strong access controls, encryption, and audit capabilities. Instead of secrets scattered across environment variables, configuration files, CI/CD systems, and developer workstations, teams store and retrieve all secrets from a centralized system.
HashiCorp Vault provides centralized secret storage with encryption at rest and in transit, fine-grained access policies, and comprehensive audit logging. Organizations can start with static secrets in Vault's key-value store, then progressively adopt dynamic credentials as their practices mature. Vault also supports secret synchronization to external systems for workloads or platforms that cannot directly integrate with centralized management.
HashiCorp Vault is a centralized secrets management and security solution with several deployment options. If you are new to secrets management, you can start by storing secrets as key-value pairs, and update your workflows to read the secret directly from Vault. As your secrets management process matures, you can use short-lived, dynamic credentials which are valid for a specified period of time. This further limits the effect if you do leak a secret because Vault will automatically revoke it after the specified time, or you can manually revoke it and request new credentials.
You can prevent storing secrets in your code by securing your secrets in a centralized secrets management system such as Vault, and then referencing these secrets in your code. The following Python example shows how to use the Vault client library (hvac) inside your application code to read a secret value at runtime.
import hvac  # HashiCorp Vault client library for Python
client = hvac.Client()  # address and token come from the VAULT_ADDR and VAULT_TOKEN environment variables
read_response = client.secrets.kv.read_secret_version(path='my-secret-password')  # read from the KV v2 secrets engine
password = read_response['data']['data']['password']  # KV v2 nests the secret's fields under data.data
The code retrieves a secret from Vault's key-value store at runtime rather than embedding the password directly in the application. This pattern ensures secrets remain centralized and encrypted at rest, with all access logged for audit purposes.
Benefits of centralized secret management
Centralized secret management provides the following capabilities:
- Single source of truth: All secrets stored in one auditable location.
- Encryption at rest and in transit: Secrets protected throughout their lifecycle.
- Fine-grained access control: Policies determine which applications access which secrets.
- Complete audit trails: All secret access logged with identity and timestamp.
- Automated rotation: Secrets rotate on schedule without application changes.
- Secret versioning: Previous secret versions retained for rollback scenarios.
- Synchronization capabilities: Secrets synced to external systems when needed.
HashiCorp resources
Related WAF guidance:
- Prevent leaked secrets with access controls for separation of duties and least-privilege policies
- Detect leaked secrets for monitoring as part of defense-in-depth
- Store static secrets for secure storage patterns
Get started with dynamic credentials:
- Read the Vault foundations tutorials for core secrets management concepts and architecture
- Read the Vault dynamic database credential management tutorials for automated rotation
- Follow the tutorial to generate Azure credentials with Vault for dynamic cloud provider access
- Follow the tutorial to manage credentials for HCP Terraform with Vault for infrastructure provisioning
- Use HCP Terraform dynamic provider credentials for secure authentication
Workload identity federation:
- Follow the tutorial to manage federated workload identities with Vault for trust-based authentication
- Read the Vault workload identity federation documentation for advanced federation patterns
External resources
- Review the OWASP Secrets Management Cheat Sheet
- Learn about NIST SP 800-57 Key Management for cryptographic key lifecycle
- Read CIS Controls for Secrets Management for security best practices
- Explore OWASP Top 10 API Security Risks including credential exposure
Next steps
In this section of Managing leaked secrets, you learned how to prevent leaked secrets through credential management including dynamic credentials, workload identity federation, and centralized secret storage platforms like HashiCorp Vault. Preventing leaked secrets with credential management is part of the Secure systems pillar.
Continue to the following document to complete your prevention strategy:
- Proactively detect leaked secrets across your organization