Problem: 340 static credentials spread across 11 services as environment variables. Revoking any one of them required a coordinated, simultaneous redeploy of all 11 services, which in practice was never done, so credentials outlived the people who knew them. A HIPAA audit flagged the resulting contractor access gap.
Solution: Each service authenticates to Vault with its Kubernetes service account token (Vault Kubernetes auth method, with the role bound to that service account name and namespace). Vault's database secrets engine then creates a dedicated Postgres user per lease with a 1-hour TTL and drops it automatically when the lease expires, so there is nothing to revoke by hand. External Secrets Operator syncs the Vault-issued credentials into Kubernetes Secrets, so no application code changed. The 340 credentials collapsed to 52 unique access patterns, each expressed as one Vault database role plus one policy. All Vault policies are written as Terraform code and reviewed in PRs.
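As an added worked example (not the project's own Terraform), this is the shape of one of the 52 access patterns: a Kubernetes auth role bound to a single service account, a database role with a 1-hour TTL and explicit revocation statements, and the least-privilege policy that joins them. The mount paths, the `orders` service and namespace, the `orders_app_rw` Postgres group, the host name and the `var.*` inputs are assumptions.

```hcl
# Added example, not the project's Terraform. Assumed names: service "orders"
# in namespace "orders", Postgres group "orders_app_rw", mounts "database"
# and "kubernetes", host orders-pg.db.svc, and the var.* inputs.

resource "vault_mount" "db" {
  path = "database"
  type = "database"
}

# Vault's own privileged connection to Postgres. It is used only to create
# and drop the short-lived users below; applications never see it.
resource "vault_database_secret_backend_connection" "orders_pg" {
  backend       = vault_mount.db.path
  name          = "orders-pg"
  allowed_roles = ["orders-app"]

  postgresql {
    connection_url = "postgresql://{{username}}:{{password}}@orders-pg.db.svc:5432/orders?sslmode=verify-full"
    username       = var.vault_pg_admin_user     # assumed input
    password       = var.vault_pg_admin_password # assumed input
  }
}

# One access pattern = one database role. Every read of
# database/creds/orders-app creates a fresh Postgres user; Vault runs the
# revocation statements itself when the lease expires.
resource "vault_database_secret_backend_role" "orders_app" {
  backend     = vault_mount.db.path
  name        = "orders-app"
  db_name     = vault_database_secret_backend_connection.orders_pg.name
  default_ttl = 3600 # 1-hour lease
  max_ttl     = 3600 # renewals cannot push a credential past 1 hour

  creation_statements = [
    "CREATE ROLE \"{{name}}\" WITH LOGIN PASSWORD '{{password}}' VALID UNTIL '{{expiration}}';",
    "GRANT orders_app_rw TO \"{{name}}\";",
  ]
  revocation_statements = [
    "REVOKE ALL PRIVILEGES ON ALL TABLES IN SCHEMA public FROM \"{{name}}\";",
    "DROP ROLE IF EXISTS \"{{name}}\";",
  ]
}

# Least privilege: the policy grants exactly one capability on one path.
resource "vault_policy" "orders_app" {
  name   = "orders-app"
  policy = <<-EOT
    path "database/creds/orders-app" {
      capabilities = ["read"]
    }
  EOT
}

resource "vault_auth_backend" "kubernetes" {
  type = "kubernetes"
}

resource "vault_kubernetes_auth_backend_config" "this" {
  backend         = vault_auth_backend.kubernetes.path
  kubernetes_host = "https://kubernetes.default.svc:443"
  # Assumes Vault runs in-cluster, so it validates workload tokens through
  # TokenReview with its own service account. kubernetes_ca_cert and
  # token_reviewer_jwt are only needed for an out-of-cluster Vault.
}

# Binding: only pods running as ServiceAccount orders/orders-app can log in,
# and they receive nothing but the orders-app policy.
resource "vault_kubernetes_auth_backend_role" "orders_app" {
  backend                          = vault_auth_backend.kubernetes.path
  role_name                        = "orders-app"
  bound_service_account_names      = ["orders-app"]
  bound_service_account_namespaces = ["orders"]
  # Requires the pod to mount a projected token with audience "vault";
  # tokens minted for the API server are then rejected.
  audience       = "vault"
  token_policies = [vault_policy.orders_app.name]
  token_ttl      = 3600
}
```

Two caveats a practitioner will want when the consumer is External Secrets Operator rather than the application itself. First, ESO does not renew leases; each refresh of the `ExternalSecret` reads `database/creds/orders-app` again and mints a new user while the previous one is dropped at its TTL, so the `refreshInterval` must be shorter than the 1-hour lease (30 minutes is a common choice) and ESO needs its own Kubernetes auth role bound the same way. Second, a Kubernetes Secret consumed through `env`/`secretKeyRef` is fixed at container start; for the rotated password to reach the process without a restart, the Secret has to be mounted as a volume (which kubelet updates) and the application has to re-read it on reconnect. The synced Secret is also still a stored credential in etcd, so namespace RBAC on Secrets and etcd encryption at rest remain part of the design; the 1-hour lease is what bounds the blast radius if either fails.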
Technology: HashiCorp Vault · Kubernetes · External Secrets Operator · Terraform · Postgres
Optimisation pattern: static-env-var-credentials-to-vault-dynamic-secrets-with-k8s-auth
Outcomes:
Zero long-lived database credentials in production. Offboarding verification: under 15 minutes for any future departure. Vault policies: 100% in Git, reviewable in history. HIPAA audit finding on credential management: closed.