English for HashiCorp Vault
Learn the English vocabulary for HashiCorp Vault: secrets engines, dynamic secrets, leases, tokens, and seal/unseal, explained so that a team can discuss secrets management precisely.
A hardcoded API key and a Vault-issued dynamic secret that expired thirty minutes ago look identical when a request fails with “unauthorized” — the vocabulary in this guide is what lets a team explain, precisely, which kind of secret problem they’re actually looking at.
Key Vocabulary
Secrets engine — a Vault component, mounted at a path such as secret/ or database/, that stores static secrets, generates dynamic ones, or performs encryption for a specific purpose: the KV engine holds static key/value secrets, while the database engine generates short-lived database credentials on request. Policies and requests refer to an engine by its mount path, so the path is usually the first thing to name when discussing it. “We’re moving the database credentials from the KV engine to the database secrets engine so Vault issues short-lived, unique credentials per service instead of one shared static password.”
Dynamic secret — a credential generated on-demand by Vault at request time, unique to the requester and automatically revoked after its lease expires, rather than a fixed value stored and reused. “That database password isn’t static anymore — it’s a dynamic secret, generated fresh for this service and automatically revoked in an hour whether we clean it up or not.”
Lease — the time-bound validity period Vault attaches to a dynamic secret (and to a token), after which the secret is automatically revoked unless it is renewed before expiry. Renewal can extend a lease only up to the role’s max TTL, counted from the moment the credential was issued, so a job that outlives the max TTL needs a larger max TTL or a fresh credential rather than more renewals. “The job failed halfway through because its lease expired mid-run — we need to either renew the lease periodically or request a longer TTL for jobs this size.”
Token — the credential an auth method issues after a login and the one presented with every request; it carries the policies that decide which paths the caller may read or write, and it has a TTL of its own. An expired or revoked token produces the same 403 “permission denied” as a policy that denies the path, so the error text alone does not tell the two apart. “That request failed with a permission error because the token attached to it has read-only policy — it was never authorized to write to that path.”
Seal / unseal — Vault starts sealed by design (and can be sealed deliberately, or end up sealed after a crash or restart): it still holds its encrypted storage but cannot decrypt or serve any secrets. Unsealing means supplying enough Shamir key shares (the threshold chosen at initialization, for example 3 of 5) to reconstruct the unseal key, which decrypts the root key (called the master key in older documentation) and lets Vault read its own data; clusters configured for auto-unseal delegate this step to a cloud KMS or HSM so no operator has to enter shares. “Vault came back up sealed after the restart — nobody can read secrets until we run the unseal process with enough of the key shares.”
Common Phrases
- “Is this a static secret or a dynamic one with a lease?”
- “Did the lease expire, or is this an actual permissions issue with the token?”
- “Is Vault sealed right now — do we need to unseal it before anything can read secrets?”
- “What secrets engine is this credential coming from?”
- “Does this token’s policy actually allow access to that path?”
Example Sentences
Diagnosing a failed credential: “This isn’t a bad password — it’s a dynamic secret whose lease expired before the job finished. We either need to renew the lease during long-running jobs or request a longer TTL upfront.”
Explaining an incident after a restart: “Vault came back up sealed after the node restarted, so every service trying to fetch secrets was failing until we ran the unseal process — that’s the ten minutes of errors you’re seeing in the logs.”
Describing a migration to dynamic secrets: “We’re migrating the database credentials off the KV engine and onto the database secrets engine specifically so each service gets its own short-lived credential instead of everyone sharing one static password that never rotates.”
Professional Tips
- Say dynamic secret, not “the password,” when the credential is Vault-generated and time-bound — it signals the failure mode is likely lease expiry, not a wrong or leaked value.
- Before treating a credential failure as a permissions problem, check both the lease’s expiry and the token’s own expiry: an expired lease, an expired token and a policy denial all surface as similar-looking errors, and each needs a different fix (reissue or renew the credential, re-authenticate, or change the policy).
- Reference the specific secrets engine when discussing a migration or an incident — “the database secrets engine” is diagnosable, “Vault” alone isn’t specific enough for someone else to act on.
- Explain seal/unseal state explicitly during an incident review if it caused downtime — it’s a distinct failure mode from a normal outage and needs its own runbook entry.
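The tips above amount to a fixed order of questions: is Vault sealed, is the token still valid, does its policy allow the path, and only then has the lease expired. The following script is an added example for this page, not Vault's own code or CLI; it encodes that order as a triage function over the JSON that `vault status`, `vault token lookup`, `vault token capabilities` and `vault lease lookup` print with `-format=json`, and adds a small planner for the lease-renewal question from the Lease entry. The sample responses, the `database/creds/app` path and the lease id in them are constructed for the example and are not from any real cluster.

```python
"""Triage a failed Vault request: sealed, expired token, policy denial, or
expired lease. Added example for this page; it is not Vault's own code.

It works on the JSON that these commands print (all samples below are
constructed for this example, not captured from a real cluster):

    vault status -format=json
    vault token lookup -format=json
    vault token capabilities -format=json <path>
    vault lease lookup -format=json <lease_id>
"""
import json
from datetime import datetime, timezone


def parse_vault_time(s):
    """Parse an RFC 3339 timestamp as Vault prints it.

    Vault emits nanosecond fractions and either a trailing "Z" or a numeric
    offset; datetime.fromisoformat wants at most six fractional digits and,
    before Python 3.11, no "Z", so both are normalised here.
    """
    if s.endswith("Z"):
        s = s[:-1] + "+00:00"
    head, sep, tail = s.partition(".")
    if sep:
        frac, tz = tail[:-6], tail[-6:]          # tail ends in "+HH:MM" or "-HH:MM"
        s = f"{head}.{frac[:6]:0<6}{tz}"         # keep microseconds, pad short fractions
    return datetime.fromisoformat(s)


def _data(obj):
    # `-format=json` wraps the fields in "data"; a bare "data" dict works too.
    return obj.get("data", obj)


def triage(status, token, capabilities, lease, now, needed="read"):
    """Classify a failed request. Returns one of:
    "sealed", "token_expired", "policy_denied", "lease_expired", "lease_valid".

    `token` is None when `vault token lookup` itself failed: Vault answers an
    expired or revoked token with 403 "permission denied", the same text a
    policy denial produces, so the lookup failing is the evidence you need.
    `capabilities` is the list reported for the path that was being accessed.
    """
    if status.get("sealed"):
        return "sealed"                        # nothing is readable until unsealed
    if token is None:
        return "token_expired"
    token_exp = _data(token).get("expire_time")    # null for root/never-expiring tokens
    if token_exp and parse_vault_time(token_exp) <= now:
        return "token_expired"
    caps = set(capabilities)
    if "deny" in caps or ("root" not in caps and needed not in caps):
        return "policy_denied"                 # fix the policy, not the lease
    lease_exp = _data(lease).get("expire_time")
    if lease_exp and parse_vault_time(lease_exp) <= now:
        return "lease_expired"                 # renew earlier, or ask for a longer TTL
    return "lease_valid"                       # Vault is fine; check the backend or the app's cached copy


def renewal_plan(ttl, max_ttl, job_seconds):
    """How a job of job_seconds should keep a lease alive (all values in seconds).

    Renewals never push a lease past the role's max TTL, counted from issue
    time, so the options are: the TTL already covers the job; renew on a
    schedule (here at two thirds of each TTL, leaving slack for retries); or
    the role's max_ttl is too small and must be raised before the job runs.
    Returns ("fits", None), ("renew", interval) or ("raise_max_ttl", shortfall).
    """
    if job_seconds <= ttl:
        return ("fits", None)
    if job_seconds <= max_ttl:
        return ("renew", ttl * 2 // 3)
    return ("raise_max_ttl", job_seconds - max_ttl)


# Constructed sample responses; the request under investigation ran at NOW.
NOW = datetime(2024, 5, 1, 12, 0, 0, tzinfo=timezone.utc)
STATUS_UNSEALED = json.loads('{"type": "shamir", "initialized": true, "sealed": false, "t": 3, "n": 5, "progress": 0}')
STATUS_SEALED = json.loads('{"type": "shamir", "initialized": true, "sealed": true, "t": 3, "n": 5, "progress": 1}')
TOKEN_OK = json.loads('{"data": {"policies": ["app", "default"], "ttl": 3600, "renewable": true, "expire_time": "2024-05-01T13:00:00.5Z"}}')
TOKEN_STALE = json.loads('{"data": {"policies": ["app", "default"], "ttl": 0, "renewable": true, "expire_time": "2024-05-01T11:30:00Z"}}')
CAPS_READ, CAPS_DENY = ["read"], ["deny"]
LEASE_EXPIRED = json.loads('{"data": {"id": "database/creds/app/hypothetical-lease-id", "issue_time": "2024-05-01T10:00:00.123456789Z", "expire_time": "2024-05-01T11:00:00.123456789Z", "renewable": true, "ttl": 0}}')
LEASE_LIVE = json.loads('{"data": {"id": "database/creds/app/hypothetical-lease-id", "issue_time": "2024-05-01T11:45:00Z", "expire_time": "2024-05-01T12:45:00Z", "renewable": true, "ttl": 2700}}')

if __name__ == "__main__":
    print(triage(STATUS_SEALED, TOKEN_OK, CAPS_READ, LEASE_LIVE, NOW))        # sealed
    print(triage(STATUS_UNSEALED, None, CAPS_READ, LEASE_LIVE, NOW))          # token_expired
    print(triage(STATUS_UNSEALED, TOKEN_OK, CAPS_DENY, LEASE_LIVE, NOW))      # policy_denied
    print(triage(STATUS_UNSEALED, TOKEN_OK, CAPS_READ, LEASE_EXPIRED, NOW))   # lease_expired
    print(renewal_plan(3600, 86400, 7200))                                    # ('renew', 2400)
```

The order of checks is deliberate: a sealed Vault or a dead token makes every later lookup fail with the same "permission denied", so those are ruled out first, and a policy denial is separated from lease expiry before anyone starts renewing leases that were never the problem. The renewal planner makes the Lease entry's caveat concrete: when the job is longer than the role's max TTL, no renewal schedule will save it, and the conversation has to be about raising max_ttl.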
Practice Exercise
- Write a sentence explaining the difference between a static secret and a dynamic secret.
- Explain what a lease is and what happens when it expires.
- Describe what “sealed” means for Vault and why it matters after a restart.