Secret Management: Vault, Rotation, and Access Control

Part of the Cybersecurity Skills Guide — This article is one deep-dive in our complete guide series.

By HADESS Team | February 28, 2026 | Updated: February 28, 2026 | 5 min read

Secrets — database passwords, API keys, TLS certificates, SSH keys, encryption keys — are the credentials that connect your systems together. When they end up in source code, configuration files, or environment variables on shared servers, they become easy targets. Secret management centralizes the storage, access control, and rotation of these credentials so they are not scattered across your infrastructure.

HashiCorp Vault

Vault is the most widely deployed dedicated secret management solution. It provides a unified interface for storing secrets, generating dynamic credentials, and encrypting data.

Secret engines define how Vault stores and generates secrets:

  • KV (Key-Value): stores static secrets with versioning. The simplest engine — put a password in, get a password out. Supports version history so you can roll back if a rotation breaks something.
  • Database engine: generates temporary database credentials on demand. Instead of a shared database password, each application instance gets unique, time-limited credentials. When the lease expires, Vault revokes them automatically.
  • PKI engine: operates as a certificate authority, issuing and managing TLS certificates. Applications request certificates through the Vault API, and Vault handles issuance, renewal, and revocation.
  • SSH engine: provides signed SSH certificates or one-time passwords for SSH access. Eliminates the need to distribute and manage SSH keys across servers.

Authentication methods control how clients prove their identity to Vault. In cloud environments, use the cloud provider’s identity (AWS IAM roles, GCP service accounts, Azure Managed Identity) so applications authenticate to Vault without any bootstrap secret. Kubernetes workloads authenticate via the Kubernetes auth method using their service account tokens.

AWS Secrets Manager

AWS Secrets Manager provides managed secret storage integrated with AWS services. It handles the common case well: store a database password, configure automatic rotation, and retrieve it from your application via the SDK or CLI.

Rotation is built in for RDS, Redshift, and DocumentDB credentials. Secrets Manager calls a Lambda function on a schedule to generate a new password, update the database, and store the new credential. Custom rotation functions handle non-AWS resources.

For applications running on AWS, Secrets Manager is simpler to operate than a self-hosted Vault deployment. The trade-off is vendor lock-in and less flexibility in secret engine types.

Rotation Strategies

Secrets that never change are secrets that accumulate risk. Automated rotation limits the window of exposure if a credential is compromised.

Immediate rotation creates and activates a new credential in one step. Simple but risky — if the new credential fails to propagate to all consumers, you have an outage.

Dual-credential rotation maintains two active credentials simultaneously. The rotation process creates a new credential, verifies it works, updates all consumers, then deactivates the old one. This avoids downtime but requires the target system to support multiple active credentials.

Gradual rotation rolls out the new credential to a percentage of consumers, verifies it works, then completes the rollout. This is the safest approach for high-availability systems but adds complexity.

Set rotation intervals based on credential sensitivity and blast radius. Database admin credentials that can drop tables should rotate more frequently than a read-only API key for a weather service. Common intervals: 30 days for high-sensitivity credentials, 90 days for medium, 180 days for low.
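The dual-credential sequence described above, as an added example (not HADESS's code and not any vendor's rotation implementation): a Python walk-through against a constructed target system that accepts more than one active credential and two constructed consumers, with the intervals from this article used to compute the next due date. One consumer can be made to fail its configuration push so the rollback path runs. AWS Secrets Manager's rotation Lambda follows the same create, set, test, finish order, holding the new value under a pending staging label until the test passes.

```python
import secrets
from datetime import date, timedelta

# Rotation intervals from the article, keyed by credential sensitivity tier.
ROTATION_INTERVAL_DAYS = {"high": 30, "medium": 90, "low": 180}


def next_rotation_due(last_rotated: date, sensitivity: str) -> date:
    """Date by which a credential of the given tier must be rotated again."""
    return last_rotated + timedelta(days=ROTATION_INTERVAL_DAYS[sensitivity])


class TargetSystem:
    """Constructed stand-in for a database that accepts several active
    credentials at once, the property dual-credential rotation relies on."""

    def __init__(self, initial_secret: str):
        self.active = {initial_secret}

    def create_credential(self) -> str:
        new = secrets.token_urlsafe(24)
        self.active.add(new)
        return new

    def authenticate(self, secret: str) -> bool:
        return secret in self.active

    def revoke(self, secret: str) -> None:
        self.active.discard(secret)


class Consumer:
    """Constructed application instance holding its copy of the credential.
    flaky=True simulates a consumer whose configuration push fails."""

    def __init__(self, name: str, secret: str, flaky: bool = False):
        self.name, self.secret, self.flaky = name, secret, flaky

    def update(self, secret: str) -> None:
        if self.flaky:
            raise RuntimeError(f"{self.name}: config push failed")
        self.secret = secret


def rotate_dual(target: TargetSystem, consumers: list, current: str) -> str:
    """Create -> verify -> switch consumers -> deactivate old.

    Returns the credential that is live afterwards.  If any consumer cannot
    be switched, the partial rollout is rolled back and the new credential
    revoked, so the old one stays valid and nothing goes down."""
    new = target.create_credential()
    if not target.authenticate(new):          # verify before touching consumers
        target.revoke(new)
        raise RuntimeError("target rejected the new credential")
    switched = []
    try:
        for consumer in consumers:
            consumer.update(new)
            switched.append(consumer)
    except RuntimeError:
        for consumer in switched:             # undo the partial rollout
            consumer.update(current)
        target.revoke(new)
        return current
    target.revoke(current)                    # only now does the old one go
    return new


def run_rotation(flaky_consumer: bool = False) -> dict:
    """Run one rotation against constructed consumers; returns checkable facts."""
    old = "initial-db-password"               # constructed starting credential
    target = TargetSystem(old)
    consumers = [Consumer("payment-1", old),
                 Consumer("payment-2", old, flaky=flaky_consumer)]
    live = rotate_dual(target, consumers, old)
    return {
        "rotated": live != old,
        "old_still_active": target.authenticate(old),
        "all_consumers_work": all(target.authenticate(c.secret) for c in consumers),
        "active_credentials": len(target.active),
    }


if __name__ == "__main__":
    print("clean rollout:", run_rotation())
    print("failed rollout:", run_rotation(flaky_consumer=True))
    print("next due (high):", next_rotation_due(date(2026, 2, 28), "high"))
```

The invariant worth noticing is that at the end of either run exactly one credential is active and every consumer holds it: a clean run ends on the new value, a failed run ends on the old one. Immediate rotation has no such guarantee, which is the outage risk the text describes.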

Access Policies

The principle of least privilege applies directly to secret access. Each application should access only the secrets it needs, nothing more.

In Vault, policies are written in HCL and define path-based access rules:

  • The payment service reads database credentials at secret/data/payment/db
  • The notification service reads the email API key at secret/data/notification/email
  • Neither can read the other’s secrets
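How path-based rules like these are evaluated, as an added example rather than Vault's own code: a small Python evaluator for the two policies just listed plus a constructed shared policy, using Vault's two wildcards (a trailing `*` and a single-segment `+`) and the rule that the most specific matching path wins with `deny` overriding everything else. The `secret/data/payment/admin` and `public-config` paths are constructed for the example, and the precedence logic is a simplification of what Vault actually does.

```python
# Constructed policy set.  The HCL Vault would read for PAYMENT_POLICY is:
#   path "secret/data/payment/*"     { capabilities = ["read"] }
#   path "secret/data/payment/admin" { capabilities = ["deny"] }
# The "admin" path and everything in COMMON_POLICY are constructed here.
PAYMENT_POLICY = {
    "secret/data/payment/*": ["read"],
    "secret/data/payment/admin": ["deny"],
}
NOTIFICATION_POLICY = {
    "secret/data/notification/email": ["read"],
}
COMMON_POLICY = {                      # attached to every service; '+' = one segment
    "secret/data/+/public-config": ["read"],
}
SERVICE_POLICIES = {
    "payment": [COMMON_POLICY, PAYMENT_POLICY],
    "notification": [COMMON_POLICY, NOTIFICATION_POLICY],
}


def path_matches(rule: str, path: str) -> bool:
    """Vault-style matching: '*' is only meaningful at the end of a rule and
    matches any remainder; '+' matches exactly one path segment."""
    r_segs, p_segs = rule.split("/"), path.split("/")
    glob = r_segs[-1].endswith("*")
    if len(p_segs) < len(r_segs) or (not glob and len(p_segs) != len(r_segs)):
        return False
    for i, seg in enumerate(r_segs):
        if glob and i == len(r_segs) - 1:
            return p_segs[i].startswith(seg[:-1])
        if seg != "+" and seg != p_segs[i]:
            return False
    return True


def specificity(rule: str) -> tuple:
    """Exact paths beat wildcard paths; among equals, the longer rule wins."""
    wild = rule.endswith("*") or "+" in rule.split("/")
    return (0 if wild else 1, len(rule))


def is_allowed(policies: list, path: str, capability: str) -> bool:
    """Default deny.  Take the most specific matching rule(s) across all
    attached policies, merge their capabilities, and let 'deny' override."""
    matches = [(rule, caps) for pol in policies
               for rule, caps in pol.items() if path_matches(rule, path)]
    if not matches:
        return False
    best = max(specificity(rule) for rule, _ in matches)
    caps = set().union(*(caps for rule, caps in matches if specificity(rule) == best))
    return "deny" not in caps and capability in caps


def can_read(service: str, path: str) -> bool:
    return is_allowed(SERVICE_POLICIES[service], path, "read")


if __name__ == "__main__":
    for svc, p in [("payment", "secret/data/payment/db"),
                   ("payment", "secret/data/notification/email"),
                   ("notification", "secret/data/notification/email"),
                   ("notification", "secret/data/payment/db"),
                   ("payment", "secret/data/payment/admin")]:
        print(f"{svc:12} read {p}: {'allow' if can_read(svc, p) else 'deny'}")
```

Two properties carry the least-privilege guarantee: a path with no matching rule is denied rather than allowed, and a narrow `deny` rule wins over a broader `read` glob, which is how an exception is carved out of a prefix grant without rewriting it.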

Audit logging is non-negotiable. Every secret read, write, and rotation event should be logged with the identity of the requester, the timestamp, and the secret path accessed (not the secret value). Feed these logs to your SIEM and alert on unusual access patterns: a service reading secrets it has never accessed before, or secret reads from unexpected IP ranges.
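The two alert patterns named above, run over sample audit events as an added example (not HADESS or Vault code): the log lines are constructed and only loosely follow the field layout of Vault's JSON file audit device (time, auth.display_name, request.operation/path/remote_address), and the per-service network table is an assumption about where each workload runs. A baseline of "paths this identity has read before" is learned from a history window, then new events are checked against it and against the expected source networks.

```python
import ipaddress
import json
from collections import defaultdict

# Constructed history: what each identity normally reads.  Field layout
# loosely follows Vault's JSON file audit device; all values are made up.
BASELINE_LOG = [
    '{"time":"2026-02-20T10:00:01Z","type":"response","auth":{"display_name":"kubernetes-payment"},'
    '"request":{"operation":"read","path":"secret/data/payment/db","remote_address":"10.20.1.15"}}',
    '{"time":"2026-02-20T10:00:05Z","type":"response","auth":{"display_name":"kubernetes-notification"},'
    '"request":{"operation":"read","path":"secret/data/notification/email","remote_address":"10.20.2.8"}}',
]

# Constructed events to screen: a routine read, a read of a path the identity
# has never touched, and a read from outside the identity's expected network.
NEW_LOG = [
    '{"time":"2026-02-28T09:12:40Z","type":"response","auth":{"display_name":"kubernetes-payment"},'
    '"request":{"operation":"read","path":"secret/data/payment/db","remote_address":"10.20.1.16"}}',
    '{"time":"2026-02-28T09:13:02Z","type":"response","auth":{"display_name":"kubernetes-notification"},'
    '"request":{"operation":"read","path":"secret/data/payment/db","remote_address":"10.20.2.8"}}',
    '{"time":"2026-02-28T09:13:30Z","type":"response","auth":{"display_name":"kubernetes-payment"},'
    '"request":{"operation":"read","path":"secret/data/payment/db","remote_address":"203.0.113.7"}}',
]

# Assumption: the pod network each workload is expected to call Vault from.
EXPECTED_NETWORKS = {
    "kubernetes-payment": ["10.20.1.0/24"],
    "kubernetes-notification": ["10.20.2.0/24"],
}


def parse_event(line: str) -> dict:
    """Pull out the fields the detections need.  The secret value is never
    in the log; only the path that was accessed is."""
    e = json.loads(line)
    return {
        "type": e["type"],
        "identity": e["auth"]["display_name"],
        "op": e["request"]["operation"],
        "path": e["request"]["path"],
        "ip": e["request"]["remote_address"],
    }


def learn_baseline(lines) -> dict:
    """identity -> set of paths it has read before.  Only 'response' entries
    count, since each call is logged once as a request and once as a response."""
    seen = defaultdict(set)
    for ev in map(parse_event, lines):
        if ev["type"] == "response" and ev["op"] in ("read", "list"):
            seen[ev["identity"]].add(ev["path"])
    return dict(seen)


def source_expected(identity: str, ip: str) -> bool:
    """True when the source address is inside one of the identity's networks."""
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(n) for n in EXPECTED_NETWORKS.get(identity, []))


def detect(lines, baseline: dict) -> list:
    """Return (rule, identity, detail) tuples for the two patterns the
    article names: never-before-seen path, unexpected source address."""
    alerts = []
    for ev in map(parse_event, lines):
        if ev["type"] != "response":
            continue
        if ev["path"] not in baseline.get(ev["identity"], set()):
            alerts.append(("new_path", ev["identity"], ev["path"]))
        if not source_expected(ev["identity"], ev["ip"]):
            alerts.append(("unexpected_source", ev["identity"], ev["ip"]))
    return alerts


if __name__ == "__main__":
    for alert in detect(NEW_LOG, learn_baseline(BASELINE_LOG)):
        print(alert)
```

Vault writes an audit entry for denied requests too, so the notification service reaching for a payment path shows up here even though policy would have blocked it; a denied read of a path an identity has never used is usually the first visible sign of a misconfigured or compromised workload, and is worth a higher-severity alert than a successful routine read.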

Next Steps

  • Evaluate your infrastructure security skills with the skills assessment
  • Explore DevSecOps and cloud security topics in the skills library
  • Use the workspace to practice secret management configurations

Frequently Asked Questions

How long does it take to learn this skill?

Most practitioners build working proficiency in 4-8 weeks of dedicated study with hands-on practice. Mastery takes longer and comes primarily through on-the-job experience.

Do I need certifications for this skill?

Certifications validate your knowledge to employers but are not strictly required. Hands-on experience and portfolio projects often carry more weight in technical interviews. Check the certification roadmap for relevant options.

What career paths use this skill?

Explore the career path explorer to see which roles require this skill and how it fits into different cybersecurity specializations.

HADESS Team consists of cybersecurity practitioners, hiring managers, and career strategists who have collectively spent 50+ years in the field.
