Inject secrets into Terraform using the Vault provider
Configure the AWS secrets engine to manage IAM credentials in Vault through Terraform.
Use case
Automate the usage of dynamically generated secrets and credentials.
Challenge
Many organizations have credentials hard-coded in source code, littered throughout configuration files and configuration management tools, and stored in plain text in version control, wikis, and shared volumes. Ensuring that a credential isn't leaked, or, if it is, that the organization can quickly revoke access and remediate, is a complex problem to solve.
Solution
A dynamic secret is generated on demand and is unique to a client, as opposed to a static secret, which is defined ahead of time and shared. HashiCorp Vault associates each dynamic secret with a lease and automatically destroys the credentials when the lease expires. Vault supports dynamic secrets with a wide range of systems and is easily extensible with plugins.
Configure the AWS secrets engine to manage IAM credentials in Vault through Terraform.
Dynamically generate, manage, and revoke credentials for HCP Terraform.
Use HashiCorp Terraform's Vault provider to codify Vault management, increasing repeatability while reducing human error.
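The configuration below is an added sketch, not code from this page or from HashiCorp's tutorials, of the pattern described under Solution: Terraform mounts the AWS secrets engine in Vault, defines a role, and a consumer reads short-lived IAM credentials from it. The mount path, role name, variable names, region, TTLs and IAM policy are assumptions chosen for illustration.

```hcl
# Assumed inputs: the IAM credentials Vault itself uses to mint users.
# Mark them sensitive so they are redacted from plan/apply output.
variable "vault_aws_access_key" {
  type      = string
  sensitive = true
}
variable "vault_aws_secret_key" {
  type      = string
  sensitive = true
}

# Address and token are taken from VAULT_ADDR / VAULT_TOKEN in the environment.
provider "vault" {}

# Operator side: mount the AWS secrets engine with short leases.
resource "vault_aws_secret_backend" "aws" {
  path                      = "dynamic-aws-creds" # assumed mount path
  access_key                = var.vault_aws_access_key
  secret_key                = var.vault_aws_secret_key
  default_lease_ttl_seconds = 120 # Vault revokes the IAM user when the lease expires
  max_lease_ttl_seconds     = 240
}

# A role scoped to read-only EC2 access (assumed least-privilege policy).
resource "vault_aws_secret_backend_role" "ec2_read" {
  backend         = vault_aws_secret_backend.aws.path
  name            = "ec2-read" # assumed role name
  credential_type = "iam_user"
  policy_document = jsonencode({
    Version   = "2012-10-17"
    Statement = [{ Effect = "Allow", Action = ["ec2:Describe*"], Resource = "*" }]
  })
}

# Consumer side: each run leases a fresh, unique key pair from the role.
# Shown in the same configuration for brevity.
data "vault_aws_access_credentials" "creds" {
  backend = vault_aws_secret_backend.aws.path
  role    = vault_aws_secret_backend_role.ec2_read.name
}

provider "aws" {
  region     = "us-east-1" # assumed region
  access_key = data.vault_aws_access_credentials.creds.access_key
  secret_key = data.vault_aws_access_credentials.creds.secret_key
}
```

Both the credentials given to Vault and the leased key pair are written to Terraform state, so the state backend needs encryption and tight access control; the short lease limits how long a leaked key pair remains usable.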