# Vault Credential Policy — MANDATORY, NO EXCEPTIONS

- STATUS: ACTIVE
- OWNER: Piotr (Secrets Manager)
- ENFORCEMENT: All agents, all sessions, all environments
- COMPLIANCE: ISO 27001 A.8.24 (Cryptographic controls), SOC 2 CC6.1 (Logical access)
## Rule
ALL credentials, secrets, API keys, passwords, and tokens MUST be stored in and retrieved from HashiCorp Vault. There are ZERO exceptions to this rule.
This applies to:

- Platform credentials (GitLab, ArgoCD, Redis, PostgreSQL, Minio)
- Client project credentials (API keys, database passwords)
- Agent credentials (LLM API keys, tool tokens)
- Infrastructure credentials (k8s service accounts, TLS certificates)
- Temporary credentials (personal access tokens, session tokens)
## What Is NOT Acceptable

- Storing credentials in k8s secrets as the primary source
- Storing credentials in `.env` files
- Storing credentials in `~/.git-credentials` or `~/.docker/config.json`
- Hardcoding credentials in shell scripts
- Printing credentials to terminal/logs
- Storing credentials in memory files (`.claude/`, `.config/`)
- Using k8s secrets without Vault as the upstream source
## How To Use Vault

### Storing a credential

```bash
# Read the Vault token from the k8s secret, then write the credential via the Vault pod.
VAULT_TOKEN=$(kubectl get secret vault-token -n ge-system -o jsonpath='{.data.token}' | base64 -d)
kubectl exec -n ge-system deployment/vault -- sh -c "
export VAULT_TOKEN='$VAULT_TOKEN'
vault kv put secret/ge/<service>/<credential-name> value='<credential-value>'
"
```
### Retrieving a credential

```bash
# Same token lookup; the credential is captured into a shell variable, never printed.
VAULT_TOKEN=$(kubectl get secret vault-token -n ge-system -o jsonpath='{.data.token}' | base64 -d)
VALUE=$(kubectl exec -n ge-system deployment/vault -- sh -c "
export VAULT_TOKEN='$VAULT_TOKEN'
vault kv get -field=value secret/ge/<service>/<credential-name>
")
```
### For k8s deployments

- k8s secrets should be POPULATED FROM Vault (not the other way around)
- Use Vault Agent Injector or External Secrets Operator for automatic sync
- Manual: `bootstrap-secrets.sh` reads from Vault and creates k8s secrets
## Vault Path Structure

| Path | Contents | Managed By |
|---|---|---|
| `secret/ge/anthropic` | Anthropic API key | Piotr |
| `secret/ge/redis` | Redis password | Piotr |
| `secret/ge/gitlab-admin` | GitLab root password | Piotr |
| `secret/ge/gitlab-pat` | GitLab access tokens | Piotr |
| `secret/ge/argocd` | ArgoCD admin password | Piotr |
| `secret/ge/upcloud` | UpCloud API key | Piotr |
| `secret/admin-ui/api-keys` | All LLM provider API keys | Piotr |
| `secret/admin-ui/redis` | Admin UI Redis password | Piotr |
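The manual sync described under "For k8s deployments", as an added example built on the policy's own kubectl/vault pattern and path table. It is not the project's `bootstrap-secrets.sh`; the target namespaces, k8s secret names and keys in `SYNC_MAP` are constructed assumptions.

```bash
#!/bin/sh
# Added example (not the project's bootstrap-secrets.sh): populate k8s secrets FROM Vault.
# Assumes the ge-system namespace and the vault-token secret used in the policy's
# snippets; the target secret names in SYNC_MAP are constructed, not the project's.
set -eu

VAULT_NS="${VAULT_NS:-ge-system}"

# Read the Vault token from the k8s secret, exactly as the policy's snippet does.
vault_token() {
  kubectl get secret vault-token -n "$VAULT_NS" -o jsonpath='{.data.token}' | base64 -d
}

# Fetch the 'value' field of a KV path (e.g. ge/redis) via the Vault pod.
# The value is returned on stdout only; nothing is written to disk or logged.
vault_get() {
  path="$1"
  token="$(vault_token)"
  kubectl exec -n "$VAULT_NS" deployment/vault -- sh -c \
    "export VAULT_TOKEN='$token'; vault kv get -field=value secret/$path"
}

# Create or update one k8s secret from a Vault path. dry-run + apply makes the
# sync idempotent, so it can run on every bootstrap without "already exists" errors.
# Never run this script under 'set -x': the literal would land in the terminal/logs.
sync_secret() {
  vault_path="$1"; ns="$2"; secret_name="$3"; key="$4"
  value="$(vault_get "$vault_path")"
  kubectl create secret generic "$secret_name" -n "$ns" \
    --from-literal="$key=$value" --dry-run=client -o yaml \
    | kubectl apply -f -
}

# Vault path -> namespace, k8s secret name, key (paths from the policy's table).
SYNC_MAP='
ge/redis        ge-system redis-credentials  password
ge/argocd       ge-system argocd-admin       password
admin-ui/redis  admin-ui  redis-credentials  password
'

sync_all() {
  printf '%s\n' "$SYNC_MAP" | while read -r vault_path ns name key; do
    [ -n "$vault_path" ] || continue
    sync_secret "$vault_path" "$ns" "$name" "$key"
  done
}

if [ "${1:-}" = "--apply" ]; then sync_all; fi
```

Run with `--apply` from a context that already has kubectl access to the Vault pod; the k8s secrets it writes are downstream copies, and Vault stays the source of truth.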
## Incident History

- INC-20260401: 5 credentials stored outside Vault during CI/CD setup. RESOLVED. See `incidents/INC-20260401-vault-credential-bypass.md`