Secrets Vault Manager

Category: Engineering Domain: Secrets Management & Security

Overview

The Secrets Vault Manager skill provides tools for generating HashiCorp Vault configurations, planning and scheduling secret rotation cycles, and analyzing vault audit logs for suspicious access patterns. Essential for teams managing secrets at scale.

Quick Start

# Generate Vault configuration
python scripts/vault_config_generator.py --env production --secrets-engines kv,database,transit

# Plan secret rotation schedule
python scripts/rotation_planner.py --inventory secrets_inventory.json

# Analyze vault audit logs
python scripts/audit_log_analyzer.py --log-file vault_audit.log --format json

Tools Overview

Tool	Purpose	Key Flags
vault_config_generator.py	Generate HashiCorp Vault configurations	--env, --secrets-engines, --auth-methods
rotation_planner.py	Plan and schedule secret rotation cycles	--inventory, --policy, --format
audit_log_analyzer.py	Analyze vault audit logs for anomalies	--log-file, --time-range, --format

Workflows

Initial Vault Setup

1. Define environment and required secrets engines
2. Run vault_config_generator.py to generate HCL configs
3. Review and customize generated configurations
4. Apply via Terraform or Vault CLI

Secret Rotation Planning

1. Create secrets inventory (JSON)
2. Run rotation_planner.py to generate schedule
3. Review rotation plan and adjust frequencies
4. Implement automated rotation where possible

Audit Log Investigation

1. Export vault audit logs
2. Run audit_log_analyzer.py for anomaly detection
3. Review flagged events
4. Investigate suspicious access patterns

Reference Documentation

• Secrets Management Guide - Best practices, rotation policies, and compliance requirements

Common Patterns

Secret Classification

• Critical: Database credentials, API master keys, encryption keys
• High: Service account tokens, OAuth secrets, TLS certificates
• Medium: Third-party API keys, webhook secrets
• Low: Public API keys, non-sensitive configuration