HashiCorp Vault Reference

Vault CLI commands and patterns for KV secrets, dynamic database credentials, Kubernetes auth, and AI API key rotation.

Syntax

environments-and-security
// vault kv | vault auth | vault policy | vault audit

Example

environments-and-security
# --- KV v2 Secrets Engine ---
vault secrets enable -path=secret kv-v2

# Store AI API keys
vault kv put secret/ai/openai api-key="sk-prod-key"
vault kv put secret/ai/anthropic api-key="sk-ant-key"

# Read a specific field
vault kv get -field=api-key secret/ai/openai

# Rotate key (new version, zero downtime)
vault kv put secret/ai/openai api-key="sk-new-key"
vault kv rollback -version=1 secret/ai/openai  # rollback if needed

# --- Least-Privilege Policy (HCL) ---
# inference-policy.hcl
path "secret/data/ai/openai" {
  capabilities = ["read"]
}
path "secret/*" {
  capabilities = ["deny"]
}
vault policy write inference inference-policy.hcl

# --- Kubernetes Auth Method ---
vault auth enable kubernetes
vault write auth/kubernetes/config \
  kubernetes_host="https://kubernetes.default.svc"
vault write auth/kubernetes/role/inference \
  bound_service_account_names=inference-sa \
  bound_service_account_namespaces=inference \
  policies=inference \
  ttl=1h

# --- Dynamic Database Credentials ---
vault secrets enable database
vault write database/roles/model-server \
  db_name=ai-db \
  default_ttl="1h" \
  max_ttl="24h"
vault read database/creds/model-server
# → username: v-model-abc123 (expires in 1h)

# --- Audit Logging ---
vault audit enable file file_path=/var/log/vault/audit.log