
Module 9: Secrets Management & Machine Identity Slides

Slide walkthrough for Module 9 of Cloud Native Security Engineering: Securing Kubernetes, Workloads, APIs & Zero Trust Systems: Vault, dynamic secrets,...

This slide page is the visual review companion for the full course module. Use it to recap the architecture, examples, exercises, production warnings, and takeaways after reading the lesson.

Slide Outline

  1. Secrets Management & Machine Identity - Vault, dynamic secrets, certificate rotation, and replacing secret sprawl with workload identity
  2. Learning Objectives - 4 outcomes for this module
  3. Why This Module Matters - Secret sprawl is consistently in the top 3 causes of cloud-native breaches. Every leaked API key, every long-lived certificate, every hardcoded password is a potential headline.
  4. Before vs After - The operational shift this module teaches
  5. Kubernetes Secrets: The Problem - Lesson section from the full module
  6. HashiCorp Vault Integration - Lesson section from the full module
  7. Dynamic Secrets - Lesson section from the full module
  8. Replacing Secrets with Workload Identity - Lesson section from the full module
  9. Real-World Use Cases - Eliminating static database passwords with Vault dynamic secrets, SPIFFE-based Vault authentication (no token distribution)
  10. Common Mistakes to Avoid - 4 mistakes covered
  11. Hands-On Labs - 2 hands-on labs
  12. Key Takeaways - 5 points to remember

Learning Objectives

  • Integrate HashiCorp Vault with Kubernetes
  • Implement dynamic secrets and automatic rotation
  • Replace static credentials with workload identity
  • Design a secrets management strategy for production

Why This Module Matters

Secret sprawl is consistently in the top 3 causes of cloud-native breaches. Every leaked API key, every long-lived certificate, every hardcoded password is a potential headline. This module teaches you to systematically eliminate static secrets and replace them with identity-based authentication and dynamic credentials.

Common Mistakes

  • Storing Vault tokens as Kubernetes Secrets (replaces one secret problem with another: the long-lived token is now the static secret you have to protect)
  • Not encrypting Kubernetes Secrets at rest in etcd (by default they are only base64-encoded, so anyone with access to etcd or its backups can read them)
  • Using static database passwords shared across all services (one leak exposes every service, and the password cannot be rotated without touching all of them)
  • Not implementing credential rotation: "it works fine" until the breach, and then every credential ever issued has to be treated as compromised

Key Takeaways

  • Secret sprawl is a top cloud-native security risk: every static secret is a breach vector
  • Vault provides encrypted storage, dynamic credentials, and PKI, but each workload still needs a way to authenticate to Vault (the "secret zero" problem)
  • SPIFFE SVIDs solve secret zero: the workload presents its SVID (for example through Vault's JWT auth method) and receives a short-lived Vault token it never has to store or distribute
  • Dynamic secrets (short-lived, auto-revoked) beat static passwords whenever the application can re-fetch credentials at lease end; design for that renewal before switching
  • The goal: zero static secrets in your infrastructure
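The SPIFFE takeaway above in working form, as an added example that is not the course's own code: a workload presents a JWT-SVID to Vault's JWT auth method and receives a short-lived Vault token, so no token is ever distributed. It assumes (hypothetically) a SPIRE deployment whose OIDC discovery provider is reachable at SPIRE_OIDC_URL, SPIFFE IDs of the form spiffe://<trust-domain>/ns/<namespace>/sa/<serviceaccount> (the SPIRE Kubernetes registrar convention), and a JWT-SVID minted for audience "vault" already written to SVID_FILE; the trust domain example.org, the service account myapp, and the Vault role and policy names are placeholders.

```shell
#!/bin/sh
# Added example (not course code): authenticate a workload to Vault with a
# SPIFFE JWT-SVID instead of a distributed Vault token.
# Hypothetical assumptions: SPIRE's OIDC discovery provider at $SPIRE_OIDC_URL,
# SPIFFE IDs spiffe://<trust-domain>/ns/<ns>/sa/<sa>, and a helper (e.g.
# spiffe-helper) that writes the JWT-SVID (audience "vault") to $SVID_FILE.

TRUST_DOMAIN=${TRUST_DOMAIN:-example.org}
SPIRE_OIDC_URL=${SPIRE_OIDC_URL:-https://oidc-discovery.spire.example.org}  # hypothetical
SVID_FILE=${SVID_FILE:-/run/spiffe/svid.jwt}                               # hypothetical

# Build the SPIFFE ID that the Vault role will be bound to.
spiffe_id() { printf 'spiffe://%s/ns/%s/sa/%s' "$TRUST_DOMAIN" "$1" "$2"; }

# base64url helpers: a JWT-SVID is a standard JWT, so its payload can be
# inspected locally. The signature is NOT verified here; Vault does that.
b64url_encode() { printf '%s' "$1" | base64 | tr -d '\n=' | tr '+/' '-_'; }
b64url_decode() {
  s=$(printf '%s' "$1" | tr '_-' '/+')
  case $(( ${#s} % 4 )) in 2) s="$s==" ;; 3) s="$s=" ;; esac
  printf '%s' "$s" | base64 -d
}

# Pull a string claim, or the numeric exp claim, out of the JWT payload.
jwt_claim() { b64url_decode "$(printf '%s' "$1" | cut -d. -f2)" | sed -n "s/.*\"$2\":\"\([^\"]*\)\".*/\1/p"; }
jwt_exp()   { b64url_decode "$(printf '%s' "$1" | cut -d. -f2)" | sed -n 's/.*"exp":\([0-9]*\).*/\1/p'; }

# Pre-flight check before login: the subject is the identity we expect to be
# running as, and the SVID has not already expired (JWT-SVIDs are short-lived).
svid_is_usable() {  # $1=jwt $2=expected SPIFFE ID
  [ "$(jwt_claim "$1" sub)" = "$2" ] || return 1
  [ "$(jwt_exp "$1")" -gt "$(date +%s)" ] || return 1
}

# Operator side, once: Vault fetches SPIRE's signing keys through OIDC
# discovery, so no key material is copied by hand.
configure_vault_jwt_auth() {  # $1=namespace $2=service account $3=policy
  vault auth enable jwt
  vault write auth/jwt/config oidc_discovery_url="$SPIRE_OIDC_URL" default_role="$2"
  vault write "auth/jwt/role/$2" \
    role_type=jwt \
    bound_audiences=vault \
    user_claim=sub \
    bound_subject="$(spiffe_id "$1" "$2")" \
    token_policies="$3" \
    token_ttl=15m token_max_ttl=1h
}

# Workload side: exchange the SVID for a short-lived Vault token that lives only
# in this process's environment. Nothing is written to a Kubernetes Secret.
login_with_svid() {  # $1=role $2=expected SPIFFE ID
  svid=$(cat "$SVID_FILE")
  svid_is_usable "$svid" "$2" || { echo "SVID not usable for $2" >&2; return 1; }
  VAULT_TOKEN=$(vault write -field=token auth/jwt/login role="$1" jwt="$svid") || return 1
  export VAULT_TOKEN
  vault kv get -field=password secret/myapp/config   # a read permitted by the role's policy
}

# Only talk to Vault when explicitly asked; otherwise the script just defines functions.
if [ "${RUN_LAB:-0}" = 1 ]; then
  configure_vault_jwt_auth default myapp myapp
  login_with_svid myapp "$(spiffe_id default myapp)"
fi
```

Run it with RUN_LAB=1 against a real Vault and SPIRE; without that variable it only defines the functions. The local decode is a sanity check on audience, subject and expiry, not authentication: Vault validates the signature against SPIRE's published keys, which is the whole point of the design (the workload proves who it is, Vault decides what it may read).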

Hands-On Labs

  1. Integrate Vault with Kubernetes

    Deploy Vault and configure Kubernetes authentication.

    35 min - Intermediate

    • Deploy Vault in dev mode on Kubernetes
    • Enable Kubernetes auth backend
    • Create a policy for a service account
    • Retrieve secrets from a pod using the Vault agent

    View lab files on GitHub

  2. Dynamic Secret Rotation

    Configure Vault to issue short-lived database credentials.

    30 min - Intermediate

    • Deploy PostgreSQL
    • Configure Vault database secrets engine
    • Generate dynamic credentials with 1-hour TTL
    • Verify automatic revocation after TTL expires

    View lab files on GitHub
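Lab 1 carried through as an added example (not the course's lab files): Helm installs Vault in dev mode, Kubernetes auth is enabled, a read-only policy and a tightly bound role are created, and a Deployment annotated for the Vault Agent Injector gets the secret rendered into /vault/secrets/ without any Vault token being stored. Every name here is an assumption: a Vault pod vault-0 in namespace vault with dev root token root (the Helm chart default), an application service account myapp in namespace default, and the KV path secret/myapp/config.

```shell
#!/bin/sh
# Added example (not the course's lab files): Vault Kubernetes auth end to end.
# Hypothetical assumptions: kubectl and helm point at a lab cluster; Vault is
# installed by the official Helm chart in dev mode as pod vault-0 in namespace
# $VAULT_NS (dev root token "root"); the app runs as service account "myapp"
# in namespace "default".

VAULT_NS=${VAULT_NS:-vault}

# Least-privilege policy: read only this app's KV v2 path (dev mode mounts KV v2 at secret/).
render_policy() {  # $1=app
  printf 'path "secret/data/%s/*" {\n  capabilities = ["read"]\n}\n' "$1"
}

# Common-mistake guard: a role bound to "*" names or namespaces lets ANY pod in
# the cluster assume this identity, so refuse wildcards outright.
check_role_binding() {  # $1=service account names $2=namespaces
  case "$1,$2" in *'*'*) echo "refusing wildcard service account binding: $1 / $2" >&2; return 1 ;; esac
}

# Deployment with Vault Agent Injector annotations: the injector adds an agent
# container that logs in with the pod's projected SA token and renders the
# secret to /vault/secrets/config.txt. No token is stored anywhere.
render_deployment() {  # $1=app
  cat <<EOF
apiVersion: apps/v1
kind: Deployment
metadata: { name: $1, namespace: default }
spec:
  replicas: 1
  selector: { matchLabels: { app: $1 } }
  template:
    metadata:
      labels: { app: $1 }
      annotations:
        vault.hashicorp.com/agent-inject: "true"
        vault.hashicorp.com/role: "$1"
        vault.hashicorp.com/agent-inject-secret-config.txt: "secret/data/$1/config"
        vault.hashicorp.com/agent-inject-template-config.txt: |
          {{- with secret "secret/data/$1/config" -}}
          DB_PASSWORD={{ .Data.data.password }}
          {{- end }}
    spec:
      serviceAccountName: $1
      containers:
        - name: app
          image: busybox
          command: ["sh", "-c", "cat /vault/secrets/config.txt && sleep 3600"]
EOF
}

# Run a vault CLI command inside the dev-mode server pod.
vault_exec() { kubectl exec -i -n "$VAULT_NS" vault-0 -- sh -c "VAULT_TOKEN=root $*"; }

lab1() {
  helm repo add hashicorp https://helm.releases.hashicorp.com
  helm install vault hashicorp/vault -n "$VAULT_NS" --create-namespace \
    --set server.dev.enabled=true --set injector.enabled=true
  kubectl create serviceaccount myapp -n default
  check_role_binding myapp default || return 1
  # In-cluster Vault validates pod SA tokens against the API server via TokenReview.
  vault_exec 'vault auth enable kubernetes'
  vault_exec 'vault write auth/kubernetes/config kubernetes_host="https://$KUBERNETES_PORT_443_TCP_ADDR:443"'
  render_policy myapp | vault_exec 'vault policy write myapp -'
  vault_exec 'vault write auth/kubernetes/role/myapp bound_service_account_names=myapp bound_service_account_namespaces=default token_policies=myapp token_ttl=1h'
  vault_exec 'vault kv put secret/myapp/config password=lab-only-placeholder'   # constructed lab value
  render_deployment myapp | kubectl apply -f -
  kubectl -n default rollout status deploy/myapp
  kubectl -n default logs deploy/myapp -c app   # shows DB_PASSWORD=... rendered by the agent
}

# Only touch the cluster when explicitly asked.
if [ "${RUN_LAB:-0}" = 1 ]; then lab1; fi
```

Run with RUN_LAB=1 to execute the lab; the role's token_ttl of one hour and the bound_service_account_* pair are the two settings to review before this leaves the lab: the first bounds how long a stolen agent token is useful, the second is what keeps a pod in another namespace from borrowing the identity.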

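Lab 2 as an added example (not the course's lab files): configure the database secrets engine for PostgreSQL, issue a credential with a 1-hour TTL, then revoke it and confirm PostgreSQL rejects the login. Assumed, not from the page: VAULT_ADDR and VAULT_TOKEN already set, PostgreSQL reachable at PG_HOST with an admin account that Vault is allowed to take over, psql on the path, and the mount and role names appdb and app-ro.

```shell
#!/bin/sh
# Added example (not the course's lab files): Vault database secrets engine
# issuing per-lease PostgreSQL credentials with a 1-hour TTL, then proving they
# stop working on revocation. Hypothetical assumptions: VAULT_ADDR/VAULT_TOKEN
# set, PostgreSQL at $PG_HOST with admin $PG_ADMIN_USER/$PG_ADMIN_PASSWORD that
# Vault may take over, and psql installed.

PG_HOST=${PG_HOST:-postgres.default.svc:5432}
PG_DB=${PG_DB:-app}
PG_ADMIN_USER=${PG_ADMIN_USER:-vaultadmin}

# "1h" / "30m" / "45s" -> seconds, so the script can wait out a TTL if desired.
ttl_seconds() {
  n=${1%[hms]}
  case "$1" in *h) echo $((n*3600)) ;; *m) echo $((n*60)) ;; *s|*[0-9]) echo "$n" ;; *) return 1 ;; esac
}

# Pull one field out of `vault read` table output (key<spaces>value) without jq.
field_from_table() { printf '%s\n' "$1" | awk -v k="$2" '$1 == k { print $2 }'; }

# SQL Vault runs for every lease: a fresh role that expires with the lease and
# has SELECT only. Least privilege per credential, not one shared password.
creation_statements() {
  printf '%s' "CREATE ROLE \"{{name}}\" WITH LOGIN PASSWORD '{{password}}' VALID UNTIL '{{expiration}}'; GRANT SELECT ON ALL TABLES IN SCHEMA public TO \"{{name}}\";"
}

configure_db_engine() {
  vault secrets enable database
  vault write database/config/appdb \
    plugin_name=postgresql-database-plugin \
    allowed_roles=app-ro \
    connection_url="postgresql://{{username}}:{{password}}@$PG_HOST/$PG_DB?sslmode=require" \
    username="$PG_ADMIN_USER" password="$PG_ADMIN_PASSWORD"
  # Hand the admin password to Vault for good: after this nobody else knows it.
  vault write -f database/rotate-root/appdb
  vault write database/roles/app-ro \
    db_name=appdb \
    creation_statements="$(creation_statements)" \
    default_ttl=1h max_ttl=24h
}

# Issue one credential, use it, revoke it, and show both the lease and the DB
# login are gone. Waiting the full TTL (sleep "$(ttl_seconds 1h)") gives the same result.
issue_and_revoke() {
  out=$(vault read database/creds/app-ro)            # ONE read = ONE lease
  lease=$(field_from_table "$out" lease_id)
  user=$(field_from_table "$out" username)
  pass=$(field_from_table "$out" password)
  host=${PG_HOST%:*}; port=${PG_HOST#*:}
  PGPASSWORD="$pass" psql -h "$host" -p "$port" -U "$user" -d "$PG_DB" -c 'select current_user' || return 1
  vault lease lookup "$lease"                          # shows remaining ttl
  vault lease revoke "$lease"                          # Vault runs the revocation SQL now
  if PGPASSWORD="$pass" psql -h "$host" -p "$port" -U "$user" -d "$PG_DB" -c 'select 1' 2>/dev/null; then
    echo "ERROR: revoked credential still works" >&2; return 1
  fi
  echo "credential $user revoked and rejected by PostgreSQL"
}

# Only touch Vault and PostgreSQL when explicitly asked.
if [ "${RUN_LAB:-0}" = 1 ]; then configure_db_engine && issue_and_revoke; fi
```

Run with RUN_LAB=1 once PostgreSQL is up. Two things to notice when you do: the rotate-root step means the admin password used to bootstrap the engine is no longer valid anywhere outside Vault, and revocation stops new logins but does not necessarily terminate a session that is already open, so the application must reconnect when its lease ends rather than hold one connection forever.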