Training Agenda

HashiCorp Vault

HashiCorp Vault is the industry-standard secrets management platform — a centralized store for API keys, database credentials, TLS certificates, and encryption keys. Unlike static secrets in environment variables or config files, Vault issues dynamic short-lived credentials, provides fine-grained access control, and maintains a complete audit trail of every secret access.

2 days | On-site, remote, or hybrid | Up to 20 participants | German or English

What We Cover

Dynamic secrets, PKI automation, and zero-static-credential Kubernetes workloads

Day 1

Core Concepts — Secret Engines, Auth Methods & Policies

  • Vault architecture: storage backends (Consul, Integrated Storage/Raft), seal/unseal process, HA configuration
  • KV v2 secret engine: versioned secrets, check-and-set, soft deletion, metadata, secret leasing
  • Database secret engine: dynamic credentials for PostgreSQL, MySQL, MongoDB — TTL, max TTL, rotation
  • PKI secret engine: issuing X.509 certificates, root and intermediate CA setup, CRL distribution, cert revocation
  • AWS/GCP dynamic credentials: IAM role assumption, dynamic access keys, service account tokens with TTL
  • Authentication methods: Token (root vs periodic), AppRole (role_id/secret_id), LDAP, GitHub auth
  • Policies and ACL rules: HCL policy syntax, path-based permissions, capabilities (read/write/delete/list), policy inheritance

Day 2

Kubernetes Integration, Multi-tenancy & Operations

  • Kubernetes auth method: ServiceAccount JWT validation, bound_service_account_names, role configuration
  • Vault Agent sidecar injection: annotations for auto-injection, template blocks for rendered secret files, init containers
  • Vault Secrets Operator (VSO): VaultStaticSecret and VaultDynamicSecret CRDs for native Kubernetes Secret sync
  • Vault Agent caching: reducing Vault API load with agent caching proxy, persistent vs in-memory cache
  • Namespaces for multi-tenancy: Vault Enterprise namespace isolation, path-based tenancy with KV mounts in OSS
  • Disaster recovery replication: DR vs performance replication, failover procedures, RPO/RTO considerations
  • Monitoring and operations: Prometheus metrics from Vault, audit log analysis, seal migration (Shamir to auto-unseal)

Learning Outcomes

What your team walks away with

Participants leave with the skills to deploy Vault in production, eliminate static credentials from Kubernetes workloads, and automate internal PKI — while maintaining a complete audit trail.

Book the HashiCorp Vault training

Reach out to schedule a session for your team — remote, on-site, or hybrid, in German or English.
