Vault — Theory

Vault flips the model: identity → policies → access. Apps don’t get a static password; they prove identity (K8s SA, AWS role, etc.), Vault returns a scoped token that can fetch only what its policies allow.

This means:

  • Compromise of the app doesn’t leak persistent credentials.
  • Revoke an identity → every credential tied to it dies.
  • Per-environment, per-service policies enforced centrally.

Dynamic creds:

  1. App authenticates → gets Vault token.
  2. App requests database/creds/api.
  3. Vault generates DB user with TTL (e.g. 1h), stores lease ID.
  4. App uses creds; before expiry, renews lease.
  5. On lease expiry or explicit revoke, Vault drops the DB user.

Renewal can happen automatically with sidecars (Vault Agent).

How does the first credential reach the app?

  • Cloud auth (AWS IAM, GCP, Azure) — instance metadata + role.
  • K8s — projected ServiceAccount JWT.
  • OIDC from CI — GitHub Actions OIDC, GitLab JWT.
  • AppRole + Secret-ID delivered out-of-band — orchestrator injects.

Pre-cloud, this used to be the messy part; now generally solved.

HA / storage:

  • Raft storage (built-in) — quorum of nodes.
  • Auto-unseal with cloud KMS — automated startup.
  • DR replication (Enterprise) — async copy to another cluster.

Apps don’t hold encryption keys; they call Vault to encrypt/decrypt. Transit supports:

  • AEAD encryption.
  • Datakey generation (envelope encryption).
  • Sign / verify (RSA, ECDSA, Ed25519).
  • Convergent encryption (deterministic).

Useful when:

  • Many apps need to share encrypted data.
  • Compliance requires central key access logs.
  • You want easy key rotation without re-encryption (versioned keys).

Rotation:

  • Static secrets: root credential rotation (DB engine's own connection user) and credential rotation (DB user password).
  • Dynamic creds rotate automatically (TTL).
  • App must re-fetch on lease expiry — Vault Agent handles this transparently.

Q&A:

  1. Why Vault over AWS Secrets Manager? Cross-cloud, dynamic creds, transit, PKI, fine-grained policies, OSS option. SM works fine if all-AWS and you just need static secrets + rotation.
  2. Vault Agent — what? Sidecar that auto-auths, fetches secrets, renews leases, can render templates → files for the app.
  3. K8s auth flow? SA JWT projected in pod → Vault Agent presents → Vault calls K8s TokenReview → assigns Vault role.
  4. What does seal/unseal do? Vault encrypts its own storage backend under a master (root) key. On start, that key is not in memory — it must be assembled from Shamir shares or fetched from a KMS (auto-unseal).
  5. Audit log? Every request + response (sensitive fields hashed). Stream to file/socket/syslog. Required for SOC/PCI.
  6. Disaster recovery? Snapshot Raft regularly; DR replication for Enterprise; restore tested.
  7. Why is database engine better than KV? No long-lived static creds; per-app/per-job DB user; revoke a lease = kill DB user.

Anti-patterns:

  • Same root token used by app and CI.
  • Permanent admin tokens for apps.
  • Broad policies granting wildcard (*) paths.
  • Unsealing via human interaction every restart.
  • No audit logging.
  • Single-replica Vault in prod.
  • Pinning very old TLS / using HTTP for Vault traffic.
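The "wildcard policy" anti-pattern and the "per-service policies" point above, as an added example (not Vault's own code): a minimal stdlib evaluator of Vault-style path rules, assuming a simplified matcher (trailing * glob, + single-segment wildcard, exact path beats any pattern, deny overrides), run over a constructed scoped API policy next to the "grant * to everything" policy.

```python
from __future__ import annotations

import re

# Policy = {path_rule: capabilities}; all policies on a token are merged at evaluation.
Policy = dict[str, list[str]]

# Constructed sample policies (assumption: paths and role name chosen for this example).
BROAD_POLICY: Policy = {"*": ["create", "read", "update", "delete", "list"]}
API_POLICY: Policy = {
    "database/creds/api": ["read"],                 # dynamic DB creds for this app only
    "sys/leases/renew": ["update"],                 # lease renewal (Vault Agent needs it)
    "secret/data/prod/api/*": ["read"],             # app config under its own prefix
    "secret/data/prod/api/break-glass": ["deny"],   # exact rule: deny beats the glob
    "secret/data/ci/+/build": ["read"],             # '+' matches exactly one segment
}


def _rule_to_regex(rule: str) -> re.Pattern[str]:
    """Turn a path rule into a regex: '+' = one segment, trailing '*' = any suffix."""
    parts = []
    for seg in rule.split("/"):
        if seg == "+":
            parts.append("[^/]+")
        elif seg.endswith("*"):
            parts.append(re.escape(seg[:-1]) + ".*")
        else:
            parts.append(re.escape(seg))
    return re.compile("^" + "/".join(parts) + "$")


def _specificity(rule: str, path: str) -> int:
    """Exact path beats any pattern; among patterns, more literal characters wins."""
    if rule == path:
        return 1 << 20
    return len(rule.replace("*", "").replace("+", ""))


def evaluate(policies: list[Policy], path: str, capability: str) -> bool:
    """Decide one request (path, capability) against the merged policies of a token."""
    best, granted = -1, set()
    for policy in policies:
        for rule, caps in policy.items():
            if not _rule_to_regex(rule).match(path):
                continue
            score = _specificity(rule, path)
            if score > best:
                best, granted = score, set(caps)
            elif score == best:  # same rule in two policies: union, and deny sticks
                granted |= set(caps)
    return "deny" not in granted and capability in granted
```

With BROAD_POLICY every path is writable, including sys/policies/acl; with API_POLICY the token can only read its own creds, renew leases and read its own prefix, and the exact deny rule wins even when a broad policy is merged in.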