A centralised, encrypted store for managing secrets such as API keys, passwords, certificates, and tokens. Examples include HashiCorp Vault, AWS Secrets Manager, Azure Key Vault, and Akeyless.
Expanded Definition
A secrets vault is the control plane for sensitive machine credentials: it stores, encrypts, brokers, and rotates API keys, passwords, certificates, and tokens used by applications, pipelines, and agents. In NHI programs, it is not just a database of secrets; it is an operational boundary for access, lifecycle, and audit. Definitions vary across vendors, but the security expectation is consistent: secrets should be centrally governed, retrievable only by authorised workloads, and recoverable without revealing plaintext to people or code. That distinction matters because vaults often sit between identity, automation, and infrastructure, which is why the OWASP Non-Human Identity Top 10 treats poor secret handling as a core NHI risk, and why operational guidance on static versus dynamic secrets is so central in the Ultimate Guide to NHIs — Static vs Dynamic Secrets.
The most common misapplication is treating a vault as a passive password repository, which occurs when teams store secrets centrally but still copy them into env files, tickets, or CI logs.
Examples and Use Cases
Implementing a secrets vault rigorously often introduces deployment friction, requiring organisations to weigh stronger control and rotation against application refactoring, access policies, and incident response complexity.
- CI/CD pipelines fetch short-lived tokens at runtime instead of embedding long-lived secrets in build variables, reducing the blast radius if a job is compromised. The CI/CD pipeline exploitation case study shows how pipeline trust can collapse when credentials are overexposed.
- Cloud workloads retrieve database passwords and signing keys from a vault through workload identity rather than human-managed distribution, which aligns with the intent behind the OWASP Non-Human Identity Top 10.
- Security teams use a vault to centralise certificate issuance and rotation for service-to-service TLS, avoiding the drift that happens when certificates are managed per application team.
- Incident responders revoke and reissue exposed tokens through the vault after a leak in source control or a chat platform. The Guide to the Secret Sprawl Challenge explains why distributed storage so often defeats containment.
- Agentic systems request scoped credentials just in time, rather than retaining standing access. That pattern is especially important when autonomous agents reach into production systems with tool access and execution authority.
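The use cases above share one mechanism: a workload proves its identity, the vault checks policy, hands back a short-lived credential, records the event, and can revoke or rotate when something leaks. The following Python model is an added example written for this page; it is not code from any of the vaults named above. It is stdlib-only, the encryption at rest is a toy HMAC-SHA256 keystream standing in for the AES-GCM-class encryption and HSM-backed keys a real product uses, and the `SecretsVault`, `Lease` and `AccessDenied` names, the `db/orders` path and the SPIFFE-style workload identities are all constructed for illustration.

```python
"""Toy secrets vault modelling the control-plane behaviour described above:
encrypted storage, policy-bound retrieval by workload identity, short-lived
per-caller credentials, an audit trail without plaintext, and revoke/rotate
after a leak. Constructed example, standard library only."""
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass


class AccessDenied(Exception):
    pass


@dataclass
class Lease:
    lease_id: str
    identity: str
    path: str
    credential: str      # unique per lease, so one leak revokes one holder
    expires_at: float
    revoked: bool = False


class SecretsVault:
    def __init__(self, master_key: bytes, clock=time.time):
        self._master = master_key
        self._clock = clock          # injectable so expiry can be demonstrated
        self._store = {}             # path -> (nonce, sealed root secret, version)
        self._policies = {}          # identity -> set of paths it may read
        self._leases = {}            # lease_id -> Lease
        self.audit = []              # append-only; never carries a secret value

    # Toy encryption at rest: XOR with an HMAC-SHA256 keystream under the master key.
    def _keystream(self, nonce: bytes, length: int) -> bytes:
        out, counter = b"", 0
        while len(out) < length:
            out += hmac.new(self._master, nonce + counter.to_bytes(4, "big"),
                            hashlib.sha256).digest()
            counter += 1
        return out[:length]

    def _seal(self, plaintext: bytes):
        nonce = secrets.token_bytes(16)
        stream = self._keystream(nonce, len(plaintext))
        return nonce, bytes(a ^ b for a, b in zip(plaintext, stream))

    def _open(self, nonce: bytes, ciphertext: bytes) -> bytes:
        stream = self._keystream(nonce, len(ciphertext))
        return bytes(a ^ b for a, b in zip(ciphertext, stream))

    def _log(self, event: str, **fields):
        self.audit.append({"ts": self._clock(), "event": event, **fields})

    # Governance: which workload identity may read which path.
    def grant(self, identity: str, path: str):
        self._policies.setdefault(identity, set()).add(path)
        self._log("grant", identity=identity, path=path)

    def put(self, path: str, root_secret: str, actor: str):
        version = self._store.get(path, (None, None, 0))[2] + 1
        nonce, sealed = self._seal(root_secret.encode())
        self._store[path] = (nonce, sealed, version)
        self._log("write", actor=actor, path=path, version=version)

    # Brokering: a short-lived credential derived per lease from the root secret,
    # so the root value itself never leaves the vault.
    def issue(self, identity: str, path: str, ttl_seconds: int) -> Lease:
        if path not in self._policies.get(identity, set()):
            self._log("deny", identity=identity, path=path)
            raise AccessDenied(f"{identity} may not read {path}")
        nonce, sealed, version = self._store[path]
        root = self._open(nonce, sealed)
        lease_id = secrets.token_hex(8)
        cred = hmac.new(root, lease_id.encode(), hashlib.sha256).hexdigest()[:32]
        lease = Lease(lease_id, identity, path, cred, self._clock() + ttl_seconds)
        self._leases[lease_id] = lease
        self._log("issue", identity=identity, path=path, version=version,
                  lease=lease_id, ttl=ttl_seconds)
        return lease

    def credential_valid(self, lease_id: str, presented: str) -> bool:
        """The check a protected backend performs: is this credential still live?"""
        lease = self._leases.get(lease_id)
        if lease is None or lease.revoked or self._clock() >= lease.expires_at:
            return False
        return hmac.compare_digest(lease.credential, presented)

    def revoke(self, lease_id: str, reason: str):
        self._leases[lease_id].revoked = True
        self._log("revoke", lease=lease_id, reason=reason)

    def rotate(self, path: str, new_root_secret: str, actor: str):
        """Containment after a leak: new root secret, every lease on the path dies."""
        self.put(path, new_root_secret, actor)
        for lease in self._leases.values():
            if lease.path == path and not lease.revoked:
                self.revoke(lease.lease_id, f"rotated {path}")


def demo(now: float = 1_700_000_000.0) -> dict:
    clock = {"t": now}
    vault = SecretsVault(secrets.token_bytes(32), clock=lambda: clock["t"])
    vault.put("db/orders", "root-pw-constructed", actor="platform-admin")
    vault.grant("spiffe://example.org/ci/build", "db/orders")
    ci = vault.issue("spiffe://example.org/ci/build", "db/orders", ttl_seconds=300)
    try:                                   # an agent with no policy is refused and audited
        vault.issue("spiffe://example.org/agent/unapproved", "db/orders", 300)
        denied = False
    except AccessDenied:
        denied = True
    live = vault.credential_valid(ci.lease_id, ci.credential)
    clock["t"] += 301                      # the lease expires by itself
    expired = vault.credential_valid(ci.lease_id, ci.credential)
    ci2 = vault.issue("spiffe://example.org/ci/build", "db/orders", 300)
    vault.rotate("db/orders", "root-pw-rotated", actor="incident-responder")
    return {"denied": denied, "live": live, "expired": expired,
            "after_rotate": vault.credential_valid(ci2.lease_id, ci2.credential),
            "plaintext_in_audit": any("root-pw" in str(e) for e in vault.audit),
            "events": [e["event"] for e in vault.audit]}


if __name__ == "__main__":
    print(demo())
```

The point of the per-lease derivation is the static-versus-dynamic distinction: a pipeline job or agent only ever holds a credential that dies with its lease, so a token pasted into a log or chat is contained by revoking one lease or rotating one path, and the audit trail shows who asked for what without ever recording the value itself.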
Why It Matters in NHI Security
Secrets vaults reduce secret sprawl, but they only work when the vault is the enforced source of truth. If teams onboard vaults without security approval, duplicate secrets across environments, or let tokens persist after offboarding, the vault becomes another layer of complexity instead of a control. That failure mode is common in NHI environments because service accounts, agents, and automation systems often outlive the humans who created them. In Entro Security’s 2025 State of NHIs and Secrets in Cybersecurity, 62% of all secrets were duplicated and stored in multiple locations, which shows how quickly centralisation breaks down when governance is weak.
For practitioners, the vault is where access policy, rotation cadence, audit logging, and least privilege become measurable. It also supports broader controls in the OWASP Non-Human Identity Top 10 by limiting standing exposure and making secret use observable. Organisations typically recognise the operational necessity of a secrets vault only after a leak, a pipeline compromise, or a cloud breach, at which point deploying one becomes operationally unavoidable.
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
The OWASP Non-Human Identity Top 10 addresses the attack and risk surface, while NIST CSF 2.0 and SPIFFE/SPIRE set the governance and control requirements practitioners need to meet.
| Framework | Control / Reference | Relevance |
|---|---|---|
| OWASP Non-Human Identity Top 10 | NHI-02 | Covers improper secret storage and sprawl as a primary NHI risk. |
| NIST CSF 2.0 | PR.AC-1 | Supports identity and access control governance for secret retrieval and use. |
| SPIFFE/SPIRE | section-level | Defines workload identity patterns that replace shared secrets with verifiable identities. |
Bind vault access to workload identity and use short-lived credentials where possible.