• Plugin model—store, generate, encrypt secrets
    • Some store secrets; some call 3rd-party APIs—dynamic secrets
  • Path prefix—associated with secrets engine
    • Requests routed to secrets engine based on path
    • Each path isolated—secrets engines can’t communicate with secrets engines at different paths


vault secrets enable [-path=<PATH>] <SECRETS_ENGINE>
vault secrets disable <PATH>/
  • -path=<PATH> optional—defaults to name of secrets engine
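
The path rules above (default path, prefix routing, per-path isolation) as a small Python model. This is an added example, not Vault's code: the class MountTable and its methods are hypothetical names, and storage is a plain dict.

```python
class MountTable:
    """Toy model of a secrets-engine mount table (illustrative only)."""

    def __init__(self):
        # mount prefix -> engine type and that mount's private storage
        self.mounts = {}

    def enable(self, engine, path=None):
        # -path is optional and defaults to the name of the secrets engine
        prefix = (path or engine).strip("/") + "/"
        for existing in self.mounts:
            # A mount may not overlap one that already exists
            if prefix.startswith(existing) or existing.startswith(prefix):
                raise ValueError(f"path is already in use at {existing}")
        self.mounts[prefix] = {"type": engine, "store": {}}
        return prefix

    def disable(self, path):
        # Disabling removes the mount together with everything stored under it
        self.mounts.pop(path.strip("/") + "/")

    def route(self, request_path):
        # Requests are routed by path prefix; the engine sees only the remainder
        for prefix, mount in self.mounts.items():
            if request_path.startswith(prefix):
                return mount, request_path[len(prefix):]
        raise LookupError(f"no secrets engine mounted for {request_path!r}")

    def write(self, request_path, value):
        mount, key = self.route(request_path)
        mount["store"][key] = value

    def read(self, request_path):
        mount, key = self.route(request_path)
        return mount["store"].get(key)


if __name__ == "__main__":
    table = MountTable()
    table.enable("kv")                 # mounted at kv/
    table.enable("kv", path="team-a")  # same engine type, separate mount
    table.write("kv/db", "constructed-sample-value")
    print(table.read("kv/db"))         # value stored under kv/
    print(table.read("team-a/db"))     # None: team-a/ has its own storage
```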

Dynamic Secrets Engines

  • Generated when accessed
  • Built-in revocation—can be revoked immediately after use

