THE DEV SPECTRUM


Secrets Management: Moving Beyond .env Files with HashiCorp Vault

If your database password is in a .env file or a GitHub Secret, you have a "static secret" problem. If that secret is leaked, it’s valid until someone manually rotates it. As an architect, I advocate for Dynamic Secrets.

1. The Vault Workflow

Instead of your application "knowing" the password, it authenticates with Vault using its IAM role (on AWS) or ServiceAccount (on Kubernetes). Vault then generates a time-limited credential.

2. Implementation: AWS IAM Auth

# Policy for the Application
path "database/creds/readonly" {
  capabilities = ["read"]
}

The application then performs a login:

  1. App sends its signed AWS Identity document to Vault.
  2. Vault verifies the identity with AWS STS.
  3. Vault returns a token with a 1-hour TTL.

3. Troubleshooting: Token Revocation

One major benefit is the "Nuclear Option." If you detect an intrusion, you can instantly revoke all tokens issued for a specific path without changing the master database password. This drastically reduces the "Blast Radius" of a security event.