AWS secrets engine
The AWS secrets engine generates AWS access credentials dynamically based on IAM policies.
Use case
Generate time-based access credentials dynamically based on policies and revoke access when the lease expires.
Challenge
Many organizations have credentials hard coded in source code, littered throughout configuration files and configuration management tools, and stored in plaintext in version control, wikis, and shared volumes. Safeguarding credentials so that they are not leaked, and ensuring that, in the event one is, the organization can quickly revoke access and remediate, is a complex problem to solve.
Solution
A dynamic secret is generated on demand and is unique to a client, instead of a static secret, which is defined ahead of time and shared. Vault associates each dynamic secret with a lease and automatically destroys the credentials when the lease expires. Vault supports dynamic secrets with a wide range of systems and is easily extensible with plugins.
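To make the lease model above concrete, here is an added example (not Vault's own code) modelling a dynamic secrets broker: each request mints a unique credential tied to a lease, renewals are capped at a maximum TTL, and expired or revoked leases destroy their credential. The role name, TTLs and the fake key format are constructed for illustration, and the clock is injectable so expiry can be exercised deterministically.

```python
import secrets
import time
from dataclasses import dataclass


@dataclass
class Lease:
    lease_id: str
    client: str
    credential: dict
    issued_at: float
    expires_at: float
    max_expiry: float  # hard ceiling: renewals can never push past this


class DynamicSecretBroker:
    """Hypothetical model of a lease-backed dynamic secrets engine (not Vault)."""

    def __init__(self, role, default_ttl=3600, max_ttl=86400, clock=time.time):
        self.role, self.default_ttl, self.max_ttl = role, default_ttl, max_ttl
        self.clock = clock   # injectable so tests can control time
        self.leases = {}     # lease_id -> Lease; only live leases are kept

    def issue(self, client):
        """Mint a fresh per-client credential (constructed, not a real AWS key)."""
        now = self.clock()
        cred = {"access_key": "FAKE" + secrets.token_hex(8).upper(),
                "secret_key": secrets.token_urlsafe(30)}
        lease = Lease(f"aws/creds/{self.role}/{secrets.token_hex(12)}", client,
                      cred, now, now + self.default_ttl, now + self.max_ttl)
        self.leases[lease.lease_id] = lease
        return lease

    def renew(self, lease_id, increment):
        """Extend a live lease, capped at max_ttl from issue; returns seconds left."""
        lease = self.leases[lease_id]
        lease.expires_at = min(self.clock() + increment, lease.max_expiry)
        return lease.expires_at - self.clock()

    def revoke(self, lease_id):
        """Destroy the credential now (e.g. suspected leak); True if it was live."""
        return self.leases.pop(lease_id, None) is not None

    def revoke_prefix(self, prefix):
        """Revoke every lease under a path, e.g. all credentials of one role."""
        return [lid for lid in list(self.leases) if lid.startswith(prefix) and self.revoke(lid)]

    def reap(self):
        """Background expiry: destroy every credential whose lease has lapsed."""
        now = self.clock()
        expired = [lid for lid, l in self.leases.items() if l.expires_at <= now]
        for lid in expired:
            del self.leases[lid]
        return expired
```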
400+ unique applications across thousands of nodes
100K+ secrets requests per day
73+ million developers
The Azure secrets engine dynamically generates Azure service principals along with role and group assignments.
The Google Cloud Vault secrets engine dynamically generates Google Cloud service account keys and OAuth tokens based on IAM policies.
Vault can generate on-demand access to AWS.
Use the database secrets engine to dynamically generate database credentials.
Learn how to inject Vault secrets into Kubernetes pods via a sidecar container.