Overview
Private Beta available!
Dynamic secrets are available for Private Beta access through invitation only.
Dynamic secrets generate credentials on demand that are short-lived and unique to each client. Their ephemeral and exclusive nature:
- Minimizes the potential window of opportunity for attackers
- Simplifies their lifecycle management
- Makes them highly auditable and traceable
Dynamic secrets are ideal for time-bound workflows such as deployment pipelines, Terraform runs, serverless applications and more.
Key concepts
- Dynamic credentials are sensitive data, such as tokens or keys, granting your app access to the provider. They are time-bound and generated on-demand when you access a dynamic secret.
- Dynamic secrets are blueprints that define how HCP Vault Secrets will provision dynamic credentials. They do not contain sensitive data themselves.
- Integrations manage the connection HCP Vault Secrets uses to access the providers and provision dynamic credentials.
- Principals are privilege holders, such as an AWS IAM role, associated with a dynamic secret. Credentials generated for a dynamic secret possess the privileges from that principal.
- Providers are systems like AWS that dynamic credentials allow your application to access.
- Time to live (TTL) is the duration for which the dynamic credentials are valid before they expire on their own.
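As an added illustration (not HCP Vault Secrets code or its API), the Python model below shows how these concepts relate: a blueprint that holds no secret, an integration that provisions credentials for a principal, and per-client leases bounded by a TTL. The integration is a stub and the IAM role ARN is a constructed placeholder.

```python
# Illustrative model of the concepts above (blueprint, integration, principal,
# TTL, credential). Constructed for this page; it is NOT the HCP Vault Secrets API.
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
import secrets

@dataclass(frozen=True)
class DynamicCredential:
    """Time-bound, per-client credential: the only object holding sensitive data."""
    lease_id: str       # unique per issuance, so it is auditable and traceable
    client: str         # who requested it
    principal: str      # privileges the credential carries
    token: str          # the secret material itself
    expires_at: datetime
    def is_valid(self, now: datetime) -> bool:
        return now < self.expires_at

class Integration:
    """Connection to the provider. Assumed stub: a real one would call the
    provider (e.g. AWS STS) to mint credentials for the principal."""
    def __init__(self, provider: str):
        self.provider = provider
    def provision(self, principal: str) -> str:
        return f"{self.provider}:{principal}:{secrets.token_hex(16)}"

@dataclass
class DynamicSecret:
    """Blueprint: holds no sensitive data, only how credentials are provisioned."""
    name: str
    integration: Integration
    principal: str
    ttl: timedelta
    audit_log: list = field(default_factory=list)
    def issue(self, client: str, now: datetime) -> DynamicCredential:
        cred = DynamicCredential(secrets.token_hex(8), client, self.principal,
                                 self.integration.provision(self.principal), now + self.ttl)
        self.audit_log.append((cred.lease_id, client, cred.expires_at))  # token never logged
        return cred

def demo() -> dict:
    """Two pipeline runs open the same blueprint; each gets its own short-lived lease."""
    now = datetime(2024, 1, 1, tzinfo=timezone.utc)
    bp = DynamicSecret("ci-deploy", Integration("aws"),
                       "arn:aws:iam::000000000000:role/example-deploy", timedelta(hours=1))
    a, b = bp.issue("pipeline-run-1", now), bp.issue("pipeline-run-2", now)
    return {"unique": a.token != b.token and a.lease_id != b.lease_id,
            "valid_at_issue": a.is_valid(now),
            "expired_after_ttl": not a.is_valid(now + timedelta(hours=1)),
            "token_not_logged": all(a.token not in str(e) for e in bp.audit_log),
            "leases_logged": len(bp.audit_log)}
```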
Limitations
- The vlt CLI does not support fetching dynamic secrets. This feature is available in the HCP CLI.
- Dynamic secrets cannot be synced.
- Integrations and dynamic secret configurations cannot be edited after their initial creation.