HashiCorp Vault is a widely used secrets management platform that provides secure storage and access control for sensitive data, including API keys, passwords, certificates, and cryptographic keys. It is used to centralize secrets management, issue dynamic secrets, automate certificate lifecycle management, and encrypt data in transit and at rest.

The HashiCorp Vault Discovery Plugin can discover and catalog cryptographic assets stored across the various Vault secrets engines and extract their metadata, including:

  • PKI Certificates—X.509 certificates managed by the Vault PKI secrets engine.
  • Transit Keys—Cryptographic keys used for encryption-as-a-service operations.
  • KV Secrets—Key-value secrets that may contain certificates, keys, or other sensitive data.
  • Other Secrets Data—Secrets held by other Vault secrets engines, such as database credentials and cloud credentials.

The HashiCorp Vault Discovery Plugin supports the following Vault secrets engines (when they are enabled and access is permitted by policy):

  • KV (Key-Value) v1/v2
  • Transit (cryptographic keys)
  • PKI (certificates/issuers)
  • Other engines, depending on the plugin version

The plugin does not support incremental scanning. Each scan operation processes all certificates in the specified region regardless of when they were last modified.
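The walk such a discovery scan performs, shown as an added example that is not the plugin's own code: it enumerates the enabled mounts, then lists PKI certificate serials, Transit key metadata and KV secret paths, skipping engine types it does not handle, and it walks everything on every run because there is no incremental mode. The `FAKE_VAULT` table is a constructed stand-in for Vault HTTP API responses so the script runs offline; `vault_request` is an assumed hook to be replaced by a real authenticated HTTP call.

```python
# Constructed sample responses keyed by (method, path); the shapes follow the
# Vault HTTP API (sys/mounts, <pki>/certs, <transit>/keys, <kv>/metadata/...).
FAKE_VAULT = {
    ("GET", "sys/mounts"): {"data": {
        "pki/": {"type": "pki"},
        "transit/": {"type": "transit"},
        "secret/": {"type": "kv", "options": {"version": "2"}},
        "cubbyhole/": {"type": "cubbyhole"},   # not handled: skipped
    }},
    ("LIST", "pki/certs"): {"data": {"keys": ["17:5a:2b", "3f:99:0c"]}},
    ("LIST", "transit/keys"): {"data": {"keys": ["app-signing", "db-enc"]}},
    ("GET", "transit/keys/app-signing"): {"data": {"type": "ed25519", "exportable": False}},
    ("GET", "transit/keys/db-enc"): {"data": {"type": "aes256-gcm96", "exportable": True}},
    ("LIST", "secret/metadata/"): {"data": {"keys": ["tls/", "api-token"]}},
    ("LIST", "secret/metadata/tls/"): {"data": {"keys": ["ingress-cert"]}},
}

def vault_request(method, path):
    """Hypothetical stand-in for a call to /v1/<path> sent with X-Vault-Token.
    A path the token cannot read (403/404 in real Vault) yields an empty result."""
    return FAKE_VAULT.get((method, path), {"data": {}})

def list_keys(path):
    return vault_request("LIST", path).get("data", {}).get("keys", [])

def walk_kv(mount, version, prefix=""):
    """Recursively list KV paths; KV v2 lists under <mount>metadata/, v1 under <mount>."""
    base = f"{mount}metadata/" if version == "2" else mount
    found = []
    for key in list_keys(base + prefix):
        if key.endswith("/"):                      # a folder: descend into it
            found.extend(walk_kv(mount, version, prefix + key))
        else:
            found.append(mount + prefix + key)
    return found

def discover():
    """Full, non-incremental inventory: every mount is walked on every run."""
    inventory = {"pki_certs": [], "transit_keys": [], "kv_paths": []}
    for mount, info in vault_request("GET", "sys/mounts")["data"].items():
        kind = info.get("type")
        if kind == "pki":
            inventory["pki_certs"] += [f"{mount}cert/{s}" for s in list_keys(f"{mount}certs")]
        elif kind == "transit":
            for name in list_keys(f"{mount}keys"):
                meta = vault_request("GET", f"{mount}keys/{name}")["data"]
                inventory["transit_keys"].append((name, meta.get("type"), meta.get("exportable")))
        elif kind == "kv":
            inventory["kv_paths"] += walk_kv(mount, (info.get("options") or {}).get("version", "1"))
    return inventory
```

Run against a real Vault, the token only needs list/read on the mounts being inventoried; the `exportable` flag on Transit keys is worth flagging in the report, since such keys can leave Vault.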