1 | | -// Placeholder for Use Dynamic Credentials |
| 1 | +--- |
| 2 | +page_title: Use dynamic credentials |
| 3 | +description: Use dynamic credentials to replace long lived accounts that are not used often to improve security. |
| 4 | +--- |
| 5 | + |
| 6 | +# Use dynamic credentials |
| 7 | + |
| 8 | +Strong identity and access management practices are critical to building a secure |
| 9 | +environment. While some credentials need to always be available, some |
| 10 | +credentials can be dynamic and short-lived, reducing the risk of exposure while |
| 11 | +increasing your security posture. |
| 12 | + |
| 13 | +## What are dynamic credentials |
| 14 | + |
| 15 | +Dynamic credentials are temporary - short-lived credentials, generated on-demand |
| 16 | +and automatically expire after a specified period. They are typically used in |
| 17 | +scenarios where long-lived credentials are not necessary or pose a security risk. |
| 18 | + |
| 19 | +<VideoEmbed url="https://www.youtube.com/watch?v=1YNDSCcGbcQ"/> |
| 20 | + |
| 21 | +## Why use dynamic credentials |
| 22 | + |
| 23 | +You can generate dynamic credentials for various services, applications, |
| 24 | +and users, allowing them to authenticate without exposing their long-term credentials. |
| 25 | +This approach minimizes the attack surface and reduces the likelihood of |
| 26 | +credential theft or misuse. |
| 27 | + |
| 28 | +When a service needs to connect to another service such as a database, it |
| 29 | +requires some method to authenticate. Traditionally, this might be a username |
| 30 | +and password or an API token. When these credentials are available for a long |
| 31 | +period of time, there is a greater potential for those credentials to become |
| 32 | +compromised. |
| 33 | + |
| 34 | +<VideoEmbed url="https://www.youtube.com/watch?v=E9XDfOVNN2U"/> |
| 35 | + |
| 36 | +HashiCorp Vault supports generating dynamic credentials for various cloud |
| 37 | +providers and other systems. For example, Vault can generate dynamic |
| 38 | +credentials using a supported secrets engine for Kubernetes, AWS, Azure, Google Cloud, and |
| 39 | +database services like PostgreSQL, MySQL, and Microsoft SQL. |
| 40 | + |
| 41 | +Many of the secrets engines supported by Vault allow you to manage static |
| 42 | +credentials as well. You onboard the static account to Vault, allowing Vault to |
| 43 | +manage the lifecycle of the password for that account when dynamic |
| 44 | +credentials are not supported. |
| 45 | + |
| 46 | +Vault dynamic secrets also integrate with other HashiCorp tools and services |
| 47 | +like Boundary, allowing you to provide secure access to developers without ever |
| 48 | +having to share or expose the credentials. |
| 49 | + |
| 50 | +<VideoEmbed url="https://www.youtube.com/watch?v=69UFSAIDQgM"/> |
| 51 | + |
| 52 | +HCP Terraform integrates with Vault allowing Terraform to generate dynamic |
| 53 | +credentials during a deployment. This approach allows you to avoid managing |
| 54 | +credentials separately. |
| 55 | + |
| 56 | +HashiCorp resources: |
| 57 | + |
| 58 | +- [Understand static and dynamic secrets](/vault/tutorials/get-started/understand-static-dynamic-secrets) |
| 59 | +- [Use Vault-backed dynamic secrets in HCP Terraform](/terraform/cloud-docs/workspaces/dynamic-provider-credentials/vault-backed) |
| 60 | +- [Connect to Kubernetes using Vault and Boundary](/boundary/tutorials/kubernetes-connect/kubernetes-getting-started-intro) |
| 61 | +- [HCP Boundary Vault credential brokering quickstart](/boundary/tutorials/credential-management/hcp-vault-cred-brokering-quickstart) |
| 62 | +- [SSH certificate injection with HCP Boundary and Vault](/boundary/tutorials/credential-management/hcp-certificate-injection) |
| 63 | + |
| 64 | +External resources: |
| 65 | + |
| 66 | +- [NIST SP 800-53 Security and Privacy Controls for Information Systems](https://csrc.nist.gov/pubs/sp/800/53/r5/upd1/final) |
| 67 | +- [NIST SP 800-207 Zero Trust Architecture](https://csrc.nist.gov/pubs/sp/800/207/final) |
| 68 | +- [OWASP Credential Management Cheat Sheet](https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html) |
| 69 | + |
| 70 | +## Next steps |
| 71 | + |
| 72 | +Following these documents in order ensures a logical progression through the key |
| 73 | +concepts and best practices, helping you build a strong foundation to build your |
| 74 | +identity and access management program. |
| 75 | + |
| 76 | +- [Define access requirements](/well-architected-framework/secure-systems/identity-access-management/define-access-requirements) |
| 77 | +- [Grant least privilege](/well-architected-framework/secure-systems/identity-access-management/grant-least-privilege) |
| 78 | +- [Create permissions and guardrails](/well-architected-framework/secure-systems/identity-access-management/create-permissions-guardrails) |
| 79 | +- [Centralize identity management](/well-architected-framework/secure-systems/identity-access-management/centralize-identity-management) |
| 80 | +- [Implement strong sign-in workflows](/well-architected-framework/secure-systems/identity-access-management/implement-strong-sign-in-workflows) |
| 81 | +- **Use dynamic credentials (this document)** |
| 82 | +- [Manage access lifecycle](/well-architected-framework/secure-systems/identity-access-management/manage-access-lifecycle) |
| 83 | + |
| 84 | +In this section of **Identity and access management** you learned how replacing |
| 85 | +long live, static credentials with temporary credentials helps improve security. |
| 86 | +Identity and access management is part of the [Secure |
| 87 | +systems](/well-architected-framework/secure-systems) pillar. |
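Review bot: the external-resource label "OWASP Credential Management Cheat Sheet" does not match its target, which is `https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html`; rename the link to "OWASP Secrets Management Cheat Sheet" so the label matches the page it points to. In the same file, the front-matter description ("Use dynamic credentials to replace long lived accounts that are not used often") narrows the topic to infrequently used accounts, while the body argues for replacing any long-lived service or user credential; align it with the body, e.g. "Use dynamic, short-lived credentials in place of long-lived static credentials to reduce exposure." Two wording fixes: "temporary - short-lived credentials" in the definition should read "temporary, short-lived credentials", and "long live, static credentials" in the closing paragraph should read "long-lived, static credentials". Finally, "Microsoft SQL" in the list of database secrets engines should be "Microsoft SQL Server" to match the product and engine name.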