Overview
Plus tier
This feature is available in the HCP Vault Secrets Plus tier.
Public beta available!
Dynamic secrets are available in public beta by upgrading to the Plus tier.
Static, long-lived credentials pose a significant security risk: they can be exposed accidentally or maliciously, and revoking them once they are compromised is difficult. HCP Vault Secrets offers two ways of mitigating this risk: auto-rotating secrets and dynamic secrets (described below). For a more in-depth comparison between these two secret types, refer to this section.
Dynamic secrets generate credentials on demand that are short-lived and unique to each client. Their ephemeral and exclusive nature:
- Minimizes the window in which a leaked credential is usable by an attacker
- Simplifies lifecycle management, since credentials expire on their own instead of requiring manual rotation or revocation
- Makes them highly auditable and traceable, since each issuance is tied to a single client
Dynamic secrets are ideal for time-bound workflows such as deployment pipelines, Terraform runs, serverless applications and more.
Key concepts
- Dynamic credentials are sensitive data, such as tokens or keys, that grant your application access to the provider. They are time-bound and generated on demand when you access a dynamic secret.
- Dynamic secrets are blueprints that define how HCP Vault Secrets will provision dynamic credentials. They do not contain sensitive data themselves.
- Integrations manage the authentication and connection details that HCP Vault Secrets uses to access the providers and provision dynamic credentials.
- Principals are privilege holders, such as an AWS IAM role, associated with a dynamic secret. Credentials generated for a dynamic secret carry the privileges of that principal, so scope the principal to the least privilege the workload needs.
- Providers are systems, such as AWS, that dynamic credentials allow your application to access.
- Time to live (TTL) is the duration for which the dynamic credentials are valid before they expire on their own.
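The TTL and per-client uniqueness described above put an obligation on the consuming application: hold a credential only in memory, re-issue it before the TTL runs out, and expect every issuance to be a distinct, traceable lease. The following is an added example of a client-side helper that does this; it is not HCP Vault Secrets code, and `fetch_credential`, `DynamicCredential`, `lease_id` and the fake issuer are hypothetical names that stand in for whatever your secrets client returns. The simulated clock and issuer are constructed so the example runs offline.

```python
"""Added example: consuming dynamic credentials with TTL-aware refresh.

Not HCP Vault Secrets code. The issuer below is a constructed stand-in for a
call to the secrets service; in production `fetch` would be that call.
"""
import time
import uuid
from dataclasses import dataclass
from typing import Callable, List, Optional, Tuple


@dataclass(frozen=True)
class DynamicCredential:
    lease_id: str       # unique per issuance: this is what makes it auditable
    access_key: str
    secret_key: str
    issued_at: float    # epoch seconds
    ttl: float          # seconds of validity granted by the secret's TTL

    def expires_at(self) -> float:
        return self.issued_at + self.ttl


class DynamicCredentialClient:
    """Keeps at most one live credential in memory and re-issues it before
    expiry. Nothing is ever written to disk or environment."""

    def __init__(self, fetch: Callable[[], DynamicCredential],
                 refresh_margin: float = 30.0,
                 clock: Callable[[], float] = time.time) -> None:
        self._fetch = fetch
        self._margin = refresh_margin
        self._clock = clock
        self._current: Optional[DynamicCredential] = None

    def _usable(self, cred: DynamicCredential, now: float) -> bool:
        # Stop using the credential once inside the refresh margin so an
        # in-flight request does not straddle the expiry. Edge case: if the
        # TTL is shorter than the margin, fall back to half the TTL rather
        # than refusing every credential.
        margin = min(self._margin, cred.ttl / 2)
        return now < cred.expires_at() - margin

    def get(self) -> DynamicCredential:
        now = self._clock()
        if self._current is None or not self._usable(self._current, now):
            self._current = self._fetch()
        return self._current


def make_fake_issuer(ttl: float,
                     clock: Callable[[], float]) -> Tuple[Callable[[], DynamicCredential], List[str]]:
    """Constructed stand-in for the provider: every call mints a brand-new,
    uniquely identified credential with the given TTL and records the lease."""
    issued: List[str] = []

    def fetch() -> DynamicCredential:
        cred = DynamicCredential(
            lease_id=str(uuid.uuid4()),
            access_key="AKIA" + uuid.uuid4().hex[:16].upper(),  # fake key
            secret_key=uuid.uuid4().hex,
            issued_at=clock(),
            ttl=ttl,
        )
        issued.append(cred.lease_id)
        return cred

    return fetch, issued


def demo(ttl: float = 300.0, margin: float = 30.0,
         steps: int = 15, step_seconds: float = 60.0) -> Tuple[List[str], List[str]]:
    """Simulate a pipeline making one request per minute for `steps` minutes.
    Returns (lease ids issued, lease id used at each step)."""
    fake_now = [1_000_000.0]

    def clock() -> float:
        return fake_now[0]

    fetch, issued = make_fake_issuer(ttl, clock)
    client = DynamicCredentialClient(fetch, refresh_margin=margin, clock=clock)
    seen: List[str] = []
    for _ in range(steps):
        seen.append(client.get().lease_id)
        fake_now[0] += step_seconds
    return issued, seen


if __name__ == "__main__":
    issued, seen = demo()
    print(f"{len(seen)} requests served by {len(issued)} distinct leases")
```

With a 5-minute TTL and a 30-second margin, fifteen one-minute steps are served by three leases of five requests each: the client refreshes at minute 5 and minute 10, before either credential reaches its expiry. Each lease id maps one run of requests back to a single issuance, which is the traceability the bullet list above describes.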
Limitations
- Dynamic secrets cannot be synced.