Centralizing Secrets Without Disrupting Applications
This presentation demonstrates how organizations can centralize secrets management using HCP Vault Secrets while minimizing disruption to application teams. The approach leverages HCP Waypoint automation to enable self-service onboarding, allowing application teams to migrate to centralized secrets management without rewriting applications or creating additional support burden for platform engineering teams. The solution addresses the common challenge of secret sprawl across databases, API keys, AWS Secrets Manager, Azure Key Vault, GitHub variables, and Azure DevOps by establishing a single source of truth that security teams can audit while maintaining granular access controls that prevent cross-contamination between applications.
Waypoint Templates and No-Code Automation
The implementation uses HCP Waypoint's three core capabilities—templates, add-ons, and actions—to automate infrastructure provisioning. Platform engineers build Terraform no-code modules that create HCP projects, Vault Secrets apps, and inject secrets, then publish these as Waypoint templates. Application teams can then self-service their onboarding by selecting templates through the Waypoint portal, which automatically generates workspaces, runs Terraform plans and applies, and provisions all necessary resources including service principals with appropriate IAM scopes. This approach eliminates ticket-based workflows and enables application teams to onboard when ready without waiting on platform teams.
Secrets Sync and Native Cloud Integration
A critical feature demonstrated is Vault Secrets' ability to sync secrets one-way from the centralized vault down to native cloud secrets management systems including AWS Secrets Manager, Azure Key Vault, GCP Secret Manager, and Terraform Cloud variables. This capability allows applications to continue using their existing integrations and code without modification—the secrets are simply sourced from the centralized system and pushed to where applications already expect them. The presentation includes live demonstrations of auto-rotating secrets (supporting up to 50 versions with two active simultaneously) and dynamic secrets generation, showing how rotated credentials automatically sync to downstream systems like AWS Secrets Manager within seconds.
Security, Audit, and Access Controls
The solution addresses security team requirements through comprehensive audit logging that captures who accessed which secrets, when, and how, with export capabilities to Splunk, Datadog, and CloudWatch. Granular IAM access controls ensure workload identity separation—each application receives service principals scoped only to its own Vault Secrets app, so one application cannot read another application's secrets. The presentation demonstrates both successful and failed access attempts in the audit logs, showing how the system enforces least-privilege access. The serverless nature of HCP Vault Secrets eliminates patching and version management overhead while providing enterprise-grade security controls from day one.
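As an added example (not code from the presentation, nor HashiCorp's own modules), the following Terraform configuration has the shape of the no-code module described in the Waypoint Templates section: it creates a Vault Secrets app, seeds it with initial secrets, and issues one service principal that is bound only to that app, which is the per-application workload identity separation the access controls section describes. Resource and attribute names follow the hashicorp/hcp provider as I recall them; the IAM binding resource, the role identifier, the variable names and the assumption that the HCP project is selected through the provider configuration are all assumptions to verify against the provider documentation before use.

```hcl
# Example no-code-style module: one Vault Secrets app plus a reader-only
# service principal scoped to that app. Assumed names are marked below.
terraform {
  required_providers {
    hcp = {
      source  = "hashicorp/hcp"
      version = "~> 0.9" # assumption: pin to the version you have validated
    }
  }
}

# Assumption: HCP_CLIENT_ID/HCP_CLIENT_SECRET and HCP_PROJECT_ID are set in
# the workspace environment (Waypoint/HCP Terraform), so no inline config.
provider "hcp" {}

# Every variable is typed and, where not prompted for, has a default, as
# no-code provisioning requires (app_name is the one value a team supplies).
variable "app_name" {
  type        = string
  description = "Name of the Vault Secrets app for this application (assumed variable)"
}

variable "initial_secrets" {
  type        = map(string)
  description = "Secrets to seed into the app at onboarding (assumed variable)"
  sensitive   = true
  default     = {}
}

# The application's single source of truth for its secrets.
resource "hcp_vault_secrets_app" "this" {
  app_name    = var.app_name
  description = "Secrets for ${var.app_name}, managed centrally"
}

# Seed secrets; one resource per key so later rotation updates only that key.
resource "hcp_vault_secrets_secret" "seed" {
  for_each     = var.initial_secrets
  app_name     = hcp_vault_secrets_app.this.app_name
  secret_name  = each.key
  secret_value = each.value
}

# One workload identity per application; never shared across apps.
resource "hcp_service_principal" "workload" {
  name = "${var.app_name}-workload"
}

# Least privilege: read access on THIS app only, not at project level.
# Assumption: resource name and role identifier match the hcp provider.
resource "hcp_vault_secrets_app_iam_binding" "reader" {
  resource_name = hcp_vault_secrets_app.this.resource_name
  principal_id  = hcp_service_principal.workload.resource_id
  role          = "roles/secrets.app-secret-reader"
}

# Credential the application (or its CI) uses; rotate by replacing this key.
resource "hcp_service_principal_key" "workload" {
  service_principal = hcp_service_principal.workload.resource_name
}

output "workload_client_id" {
  value = hcp_service_principal_key.workload.client_id
}

output "workload_client_secret" {
  value     = hcp_service_principal_key.workload.client_secret
  sensitive = true
}
```

Published to the private registry as a no-code ready module and referenced from a Waypoint template, a configuration like this lets the onboarding form prompt only for `app_name` (and optionally the seed secrets), while the binding keeps the resulting service principal unable to read any other team's app; an attempt to do so is what shows up as a denied access in the audit log demonstration.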