English for HashiCorp Vault

Learn the English vocabulary for HashiCorp Vault: secrets engines, leases, and dynamic secrets, explained for discussing secrets management clearly.

A hardcoded API key and a Vault-issued dynamic secret that expired thirty minutes ago look identical when a request fails with “unauthorized” — the vocabulary in this guide is what lets a team explain, precisely, which kind of secret problem they’re actually looking at.

Key Vocabulary

Secrets engine — a Vault component that stores, generates, or encrypts secrets for a specific purpose, such as the KV engine for static secrets or the database engine for generating short-lived database credentials. “We’re moving the database credentials from the KV engine to the database secrets engine so Vault issues short-lived, unique credentials per service instead of one shared static password.”

Dynamic secret — a credential generated on-demand by Vault at request time, unique to the requester and automatically revoked after its lease expires, rather than a fixed value stored and reused. “That database password isn’t static anymore — it’s a dynamic secret, generated fresh for this service and automatically revoked in an hour whether we clean it up or not.”

Lease — the time-bound validity period Vault attaches to a dynamic secret, after which the secret is automatically revoked unless explicitly renewed before expiry. “The job failed halfway through because its lease expired mid-run — we need to either renew the lease periodically or request a longer TTL for jobs this size.”

Token — the primary authentication credential in Vault, presented with every request to prove identity and determine what policies (and therefore what secrets) the caller can access. “That request failed with a permission error because the token attached to it has a read-only policy — it was never authorized to write to that path.”

Seal / unseal — Vault’s locked state on startup (or after a crash), during which it can’t serve any secrets until enough unseal keys are provided to reconstruct the master key and unlock it. “Vault came back up sealed after the restart — nobody can read secrets until we run the unseal process with enough of the key shares.”

Common Phrases

  • “Is this a static secret or a dynamic one with a lease?”
  • “Did the lease expire, or is this an actual permissions issue with the token?”
  • “Is Vault sealed right now — do we need to unseal it before anything can read secrets?”
  • “What secrets engine is this credential coming from?”
  • “Does this token’s policy actually allow access to that path?”

Example Sentences

Diagnosing an authentication failure: “This isn’t a bad password — it’s a dynamic secret whose lease expired before the job finished. We either need to renew the lease during long-running jobs or request a longer TTL upfront.”

Explaining an incident after a restart: “Vault came back up sealed after the node restarted, so every service trying to fetch secrets was failing until we ran the unseal process — that’s the ten minutes of errors you’re seeing in the logs.”

Describing a migration to dynamic secrets: “We’re migrating the database credentials off the KV engine and onto the database secrets engine specifically so each service gets its own short-lived credential instead of everyone sharing one static password that never rotates.”

Professional Tips

  • Say dynamic secret, not “the password,” when the credential is Vault-generated and time-bound — it signals the failure mode is likely lease expiry, not a wrong or leaked value.
  • Always check lease expiry before assuming a credential failure is a permissions problem — the two produce similar-looking errors but require completely different fixes.
  • Reference the specific secrets engine when discussing a migration or an incident — “the database secrets engine” is diagnosable, “Vault” alone isn’t specific enough for someone else to act on.
  • Explain seal/unseal state explicitly during an incident review if it caused downtime — it’s a distinct failure mode from a normal outage and needs its own runbook entry.
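The lease lifecycle from the vocabulary above and the triage order from the tips, as an added Python example that is not Vault's or HashiCorp's code: it parses a constructed response in the shape of a Vault dynamic-secret read, decides whether a job fits inside the lease, needs renewal or needs a longer TTL, and rules out lease expiry before blaming the token's policy. The two-thirds renewal point and every sample value are assumptions.

```python
import json
from dataclasses import dataclass

# Constructed sample shaped like a Vault read of a dynamic database credential
# (field names follow the Vault HTTP API; every value here is made up).
SAMPLE_RESPONSE = json.dumps({
    "lease_id": "database/creds/readonly/EXAMPLE-LEASE-ID",
    "renewable": True,
    "lease_duration": 3600,
    "data": {"username": "v-readonly-example", "password": "EXAMPLE-ONLY"},
})

@dataclass
class Lease:
    lease_id: str
    issued_at: float   # epoch seconds when Vault issued the secret
    ttl: int           # lease_duration from the response, in seconds
    renewable: bool

    def seconds_left(self, now: float) -> float:
        return max(0.0, self.issued_at + self.ttl - now)

def parse_lease(raw: str, issued_at: float) -> Lease:
    body = json.loads(raw)
    return Lease(body["lease_id"], issued_at, int(body["lease_duration"]),
                 bool(body.get("renewable", False)))

def plan_for_job(lease: Lease, now: float, job_seconds: float) -> str:
    """Pick the action for a job that needs the credential for job_seconds."""
    left = lease.seconds_left(now)
    if left == 0:
        return "expired"            # already revoked by Vault: re-read the secret
    if job_seconds <= left:
        return "fits"               # no renewal needed
    if lease.renewable:
        return "renew"              # renew periodically while the job runs
    return "request_longer_ttl"     # non-renewable: ask for a longer TTL upfront

def next_renewal_at(lease: Lease, fraction: float = 2 / 3) -> float:
    """When to renew: a fraction of the TTL (assumed policy, chosen so a slow
    or failed renewal still lands before expiry)."""
    return lease.issued_at + lease.ttl * fraction

def triage_failure(lease: Lease, now: float, status: int, errors: list) -> str:
    """Rule out lease expiry before blaming the token's policy."""
    if lease.seconds_left(now) == 0:
        return "lease_expired"      # renew earlier next time, or re-read the secret
    if status == 403 and any("permission denied" in e for e in errors):
        return "permissions"        # the token's policy does not cover the path
    return "other"
```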

Practice Exercise

  1. Write a sentence explaining the difference between a static secret and a dynamic secret.
  2. Explain what a lease is and what happens when it expires.
  3. Describe what “sealed” means for Vault and why it matters after a restart.