Vault Proxy Dynamic Secrets

Configuring Dynamic Secrets with Hashicorp Vault Proxy

Configuring Hashicorp Vault Proxy

  1. Set akeyless-vault url in: VAULT_ADDR environment variable:
export VAULT_ADDR=
  1. Now, you'll need to configure the authentication token that would be used by Vault CLI to fetch secrets from Akeyless Vault.
    Set your Akeyless token in ~/.vault-token
    Supported tokens:
    Permanent token in the following structure: Access-ID+..+Access-Key, for example:

Get dynamic secret with Vault CLI

vault read {producer-type}/creds/{full/path/to/producer-name}

Supported producer types:



vault read */creds/prod/ds-db1
vault read db/creds/prod/ds-db1
vault read mysql/creds/prod/ds-db1

Key                Value
---                -----
lease_id           */creds/prod/ds-db1/vTyDFRr5m01gVaNBYsokIRop
lease_duration     768h
lease_renewable    true
password           of6B6IY/~+i$$Z80
username           tmp.rnnds.hOKbRAqI5j

vault read */creds/my-aws-producer
vault read aws/creds/my-aws-producer

Key                  Value
---                  -----
lease_id             */creds/my-aws-producer/25F5E8gupyoi2dQIynoM9nff
lease_duration       768h
lease_renewable      true
access_key_id        AKIA6IR7NIGBGGDIWW7I
secret_access_key    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
username             tmp.JJRXoSsvDuj1Dp

Working with static secrets

Create/update secret

Create a new static secret in Akeyless vault, if already exists, then it will add a new version for that secret.

vault kv put secret/{secret-name} {my-key}={my-value}

Get secret

Will retrieve the value from Akeyless Vault.

vault kv get secret/{secret-name}



An optional flag: -version to get a specific version of the secret for example:

vault kv get -version=3 secret/{secret-name}

Default value is the latest version.

Delete secret

To delete a secret from Akeyless vault

vault kv delete secret/{secret-name}



An optional flag: -versions , a list of specific versions you would like to delete from Akeyless vault , for example:

vault kv delete -versions=2,6,15 secret/{secret-name}

If no version is sent all your secret versions will be deleted as well