HashiCorp Vault Reference
Vault CLI commands and patterns for KV secrets, dynamic database credentials, Kubernetes auth, and AI API key rotation.
Syntax
environments-and-security
// vault kv | vault auth | vault policy | vault auditExample
environments-and-security
# --- KV v2 Secrets Engine ---
vault secrets enable -path=secret kv-v2
# Store AI API keys
vault kv put secret/ai/openai api-key="sk-prod-key"
vault kv put secret/ai/anthropic api-key="sk-ant-key"
# Read a specific field
vault kv get -field=api-key secret/ai/openai
# Rotate key (new version, zero downtime)
vault kv put secret/ai/openai api-key="sk-new-key"
vault kv rollback -version=1 secret/ai/openai # rollback if needed
# --- Least-Privilege Policy (HCL) ---
# inference-policy.hcl
path "secret/data/ai/openai" {
capabilities = ["read"]
}
path "secret/*" {
capabilities = ["deny"]
}
vault policy write inference inference-policy.hcl
# --- Kubernetes Auth Method ---
vault auth enable kubernetes
vault write auth/kubernetes/config \
kubernetes_host="https://kubernetes.default.svc"
vault write auth/kubernetes/role/inference \
bound_service_account_names=inference-sa \
bound_service_account_namespaces=inference \
policies=inference \
ttl=1h
# --- Dynamic Database Credentials ---
vault secrets enable database
vault write database/roles/model-server \
db_name=ai-db \
default_ttl="1h" \
max_ttl="24h"
vault read database/creds/model-server
# → username: v-model-abc123 (expires in 1h)
# --- Audit Logging ---
vault audit enable file file_path=/var/log/vault/audit.log