Learni
DevOps & Security

How to Secure Secrets with HashiCorp Vault in 2026

18 min · Intermediate

Introduction

HashiCorp Vault is the go-to solution for centralizing and securing secrets in modern environments. In 2026, cloud-native applications must avoid storing API keys or passwords in plain text. Vault provides fine-grained access control, automatic rotation, and complete auditing. This tutorial walks you through deploying Vault and integrating it into a Node.js TypeScript application step by step. You will learn how to create policies, enable secret engines, and retrieve credentials dynamically.

Prerequisites

  • Node.js 20+ and npm
  • Docker installed
  • Basic knowledge of TypeScript and REST
  • A Linux terminal or WSL

Starting Vault in dev mode

terminal
docker run -d --name vault -p 8200:8200 -e 'VAULT_DEV_ROOT_TOKEN_ID=myroot' hashicorp/vault:latest

This command launches Vault in development mode with a fixed root token (myroot), in-memory storage and no TLS. Useful for quick testing, but never in production.

Vault client configuration

src/vault-client.ts
// node-vault exports a factory function (CommonJS `export =`), so import it as a default
// import with "esModuleInterop": true in tsconfig.json, or use
// `import vault = require('node-vault');`.
import vault from 'node-vault';

const client = vault({
  apiVersion: 'v1',
  // VAULT_ADDR is the conventional variable; the fallback matches the dev container above.
  endpoint: process.env.VAULT_ADDR || 'http://localhost:8200',
  // Read the token from the environment; the 'myroot' fallback only works against the dev server.
  token: process.env.VAULT_TOKEN || 'myroot'
});

export default client;

This module initializes the Vault client with the token read from VAULT_TOKEN, falling back to the dev root token. Always store the token in an environment variable, never in source code.

Enabling the KV v2 engine

terminal
curl -X POST -H "X-Vault-Token: myroot" \
  -d '{"type":"kv","options":{"version":"2"}}' \
  http://localhost:8200/v1/sys/mounts/secret

Enables the KV version 2 engine under the /secret path to store versioned key-value pairs. Note that the dev server started above already mounts a KV v2 engine at secret/, so against it this call fails with "path is already in use"; it is needed on a non-dev server, or when you choose a different mount path.

Creating an access policy

policy.json
{
  "path": {
    "secret/data/app/*": {
      "capabilities": ["read"]
    },
    "secret/metadata/app/*": {
      "capabilities": ["list"]
    }
  }
}

This policy restricts access to application secrets: read on secret/data/app/* covers every key stored under app/. In KV v2, listing is served by the metadata path, so a list capability only has an effect when granted on secret/metadata/app/*. Apply the policy afterward via the API (PUT /v1/sys/policies/acl/app-policy, with the JSON passed as a string in the policy field) or the Vault UI.
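Before uploading a policy it helps to check what it actually grants. The following evaluator is an added example, not code from the tutorial or from Vault: it accepts the JSON policy format used above and reproduces the rules that matter here (exact paths, trailing `*` globs, `+` single-segment wildcards, and `deny` overriding everything), approximating Vault's precedence by preferring an exact match and then the rule with the longest literal prefix. It also flags the KV v2 pitfall of granting `list` on a `data/` path. Vault's own `POST /v1/sys/capabilities-self` endpoint remains the authoritative answer for a real token.

```typescript
// Added example (not from the tutorial): offline sanity check for JSON-format Vault ACL policies.
type Capability = 'create' | 'read' | 'update' | 'delete' | 'list' | 'sudo' | 'deny';
type AclPolicy = { path: Record<string, { capabilities: Capability[] }> };

// "secret/data/app/*" -> ^secret/data/app/.*$ ; "secret/data/+/config" -> ^secret/data/[^/]+/config$
function patternToRegex(pattern: string): RegExp {
  const glob = pattern.endsWith('*');
  const core = glob ? pattern.slice(0, -1) : pattern;
  const body = core
    .split('/')
    .map((seg) => (seg === '+' ? '[^/]+' : seg.replace(/[.*+?^${}()|[\]\\]/g, '\\$&')))
    .join('/');
  return new RegExp('^' + body + (glob ? '.*' : '') + '$');
}

// Length of the pattern before its first wildcard; used to rank competing matches.
function literalPrefixLength(pattern: string): number {
  const i = pattern.search(/[*+]/);
  return i === -1 ? pattern.length : i;
}

// Capabilities the policy applies to `path`, or [] when no rule matches.
function capabilitiesFor(policy: AclPolicy, path: string): Capability[] {
  const rules = Object.entries(policy.path);
  const exact = rules.find(([pattern]) => pattern === path);
  if (exact) return exact[1].capabilities;
  const matches = rules.filter(([pattern]) => patternToRegex(pattern).test(path));
  if (matches.length === 0) return [];
  matches.sort((a, b) => literalPrefixLength(b[0]) - literalPrefixLength(a[0]));
  return matches[0][1].capabilities;
}

// "deny" wins over any other capability in the same rule.
function isAllowed(policy: AclPolicy, path: string, cap: Capability): boolean {
  const caps = capabilitiesFor(policy, path);
  if (caps.includes('deny')) return false;
  return caps.includes(cap);
}

// KV v2 splits one logical key across two API paths: reads and writes use
// <mount>/data/<key>, listing and version management use <mount>/metadata/<key>.
function kv2Paths(mount: string, key: string): { data: string; metadata: string } {
  return { data: `${mount}/data/${key}`, metadata: `${mount}/metadata/${key}` };
}

// Flags "list" granted on a KV v2 data path, where it has no effect.
function lintKv2Policy(policy: AclPolicy): string[] {
  const findings: string[] = [];
  for (const [pattern, rule] of Object.entries(policy.path)) {
    if (/\/data\//.test(pattern) && rule.capabilities.includes('list')) {
      findings.push(
        `"${pattern}": "list" on a KV v2 data path is ineffective; grant it on ` +
          `"${pattern.replace('/data/', '/metadata/')}" instead`,
      );
    }
  }
  return findings;
}

// Constructed policy in the shape of the tutorial's policy.json, for trying the checks above,
// e.g. isAllowed(tutorialPolicy, 'secret/data/app/db', 'read') and lintKv2Policy(tutorialPolicy).
const tutorialPolicy: AclPolicy = {
  path: {
    'secret/data/app/*': { capabilities: ['read', 'list'] },
  },
};
```

The evaluator deliberately does not model every Vault rule (for example `allowed_parameters` or the finer points of `+` versus `*` priority); it is a pre-flight check for the simple path-based policies this tutorial uses.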

Applying the policy and creating a token

terminal
curl -X POST -H "X-Vault-Token: myroot" \
  -d '{"policies":["app-policy"]}' \
  http://localhost:8200/v1/auth/token/create

Generates a token limited to app-policy (Vault also attaches its built-in default policy). The new token is returned in auth.client_token of the response, along with its lease_duration; add a ttl to the request body (for example "ttl":"1h") to keep it short-lived. Use this token in your applications instead of the root token, and note that app-policy must already have been written under that name for the token to have any rights.
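The three API calls in this tutorial (write the policy, mint a restricted token, read a KV v2 secret) fit together as follows. This is an added example, not code from the tutorial or from node-vault: each call is a pure request builder or response parser, so the exact API shape can be inspected and unit-tested without a running Vault, and `runFlow` glues them together over a caller-supplied fetch function. The Vault address, the root token, the `app/db` key and all secret and token values are assumptions or constructed sample data.

```typescript
// Added example (not from the tutorial): policy -> token -> secret over Vault's HTTP API.
type VaultRequest = { method: 'GET' | 'POST' | 'PUT'; path: string; body?: unknown };
type FetchLike = (url: string, init: { method: string; headers: Record<string, string>; body?: string })
  => Promise<{ ok: boolean; status: number; json(): Promise<any> }>;

// PUT /v1/sys/policies/acl/<name>. Vault takes the policy as ONE string in the "policy"
// field, so a JSON-format policy like policy.json is JSON-serialized inside that string.
function writePolicyRequest(name: string, policy: object): VaultRequest {
  return { method: 'PUT', path: `/v1/sys/policies/acl/${name}`, body: { policy: JSON.stringify(policy) } };
}

// POST /v1/auth/token/create: a child token bound to the given policies. ttl keeps it
// short-lived; renewable lets the application extend it instead of re-authenticating.
function createTokenRequest(policies: string[], ttl = '1h'): VaultRequest {
  return { method: 'POST', path: '/v1/auth/token/create', body: { policies, ttl, renewable: true } };
}

// The new token and its lease live under "auth" in the response, not under "data".
function clientTokenFrom(resp: { auth?: { client_token?: string; lease_duration?: number } }) {
  const auth = resp.auth;
  if (!auth || !auth.client_token) throw new Error('token create response carries no auth.client_token');
  return { token: auth.client_token, leaseSeconds: auth.lease_duration ?? 0 };
}

// KV v2 reads and writes go through <mount>/data/<key>; a write wraps the payload in "data".
function writeKv2Request(mount: string, key: string, data: Record<string, string>): VaultRequest {
  return { method: 'POST', path: `/v1/${mount}/data/${key}`, body: { data } };
}
function readKv2Request(mount: string, key: string): VaultRequest {
  return { method: 'GET', path: `/v1/${mount}/data/${key}` };
}

// A KV v2 read nests the user payload under data.data; data.metadata carries the version.
function kv2DataFrom(resp: { data?: { data?: Record<string, string>; metadata?: { version?: number } } }) {
  const payload = resp.data?.data;
  if (!payload) throw new Error('not a KV v2 read response (no data.data)');
  return { values: payload, version: resp.data?.metadata?.version ?? 0 };
}

// Sends one request with the X-Vault-Token header. Vault answers writes with 204 and no body.
async function send(fetchImpl: FetchLike, addr: string, token: string, req: VaultRequest): Promise<any> {
  const res = await fetchImpl(addr + req.path, {
    method: req.method,
    headers: { 'X-Vault-Token': token, 'Content-Type': 'application/json' },
    body: req.body === undefined ? undefined : JSON.stringify(req.body),
  });
  if (res.status === 204) return {};
  const json = await res.json();
  if (!res.ok) throw new Error(`${req.method} ${req.path} -> HTTP ${res.status}: ${JSON.stringify(json.errors)}`);
  return json;
}

// End to end, e.g. runFlow(fetch, 'http://localhost:8200', 'myroot'): the root token writes
// the policy and a sample secret, then the restricted app token reads the secret back.
async function runFlow(fetchImpl: FetchLike, addr: string, rootToken: string) {
  const policy = {
    path: {
      'secret/data/app/*': { capabilities: ['read'] },
      'secret/metadata/app/*': { capabilities: ['list'] },
    },
  };
  await send(fetchImpl, addr, rootToken, writePolicyRequest('app-policy', policy));
  // Constructed sample secret; in practice the secret is written by an operator or pipeline.
  await send(fetchImpl, addr, rootToken, writeKv2Request('secret', 'app/db', { username: 'app', password: 'constructed-example' }));
  const app = clientTokenFrom(await send(fetchImpl, addr, rootToken, createTokenRequest(['app-policy'], '30m')));
  return kv2DataFrom(await send(fetchImpl, addr, app.token, readKv2Request('secret', 'app/db')));
}
```

Passing the transport in rather than calling a global `fetch` makes the flow easy to exercise against a recorded fake in tests, and it makes the token boundary visible: only the last `send` uses the app token, everything before it is an operator action with the root token.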

Best practices

  • Always use short-lived, renewable tokens
  • Enable audit logging as soon as you go to production
  • Prefer dynamic secrets (database, AWS) over static ones
  • Store the root token offline and disable it after initialization
  • Version all your policies in Git

Common mistakes to avoid

  • Leaving dev mode enabled in production
  • Forgetting to renew tokens before expiration
  • Storing the root token in source code
  • Not enabling TLS for client-server communications
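Short-lived, renewable tokens only pay off if the application actually renews them before they expire, which is the mistake listed above. The helper below is an added example, not code from the tutorial or from node-vault; it assumes a caller-supplied `renewSelf` function that performs `POST /v1/auth/token/renew-self` and resolves with the `auth` object from Vault's response (`lease_duration` in seconds and the `renewable` flag). The timing rule and the stop condition are pure functions so they can be tested without timers.

```typescript
// Added example (not from the tutorial): keep a renewable Vault token alive until it cannot be renewed.
type RenewedAuth = { lease_duration: number; renewable: boolean };

// Renew when two thirds of the lease has elapsed: a slow or failed attempt still leaves a
// third of the TTL for retries. Integer arithmetic keeps the result exact; floor at one second.
function renewDelayMs(leaseSeconds: number, numerator = 2, denominator = 3): number {
  return Math.max(1000, Math.floor((leaseSeconds * 1000 * numerator) / denominator));
}

// Decides what to do with a renew-self result. null means "stop and re-authenticate":
// the token is not renewable, or Vault capped its remaining TTL to zero at max_ttl.
function nextDelayAfterRenewal(auth: RenewedAuth): number | null {
  if (!auth.renewable || auth.lease_duration <= 0) return null;
  return renewDelayMs(auth.lease_duration);
}

class TokenRenewer {
  private timer: ReturnType<typeof setTimeout> | undefined;

  constructor(
    private readonly renewSelf: () => Promise<RenewedAuth>,
    private readonly onStop: (reason: string) => void,
  ) {}

  // initialLeaseSeconds is auth.lease_duration from token creation or login.
  start(initialLeaseSeconds: number): void {
    this.schedule(renewDelayMs(initialLeaseSeconds));
  }

  stop(): void {
    if (this.timer !== undefined) clearTimeout(this.timer);
  }

  private schedule(delayMs: number): void {
    this.timer = setTimeout(async () => {
      try {
        const next = nextDelayAfterRenewal(await this.renewSelf());
        if (next === null) this.onStop('token can no longer be renewed; re-authenticate');
        else this.schedule(next);
      } catch (err) {
        // Surface the failure instead of silently running on until the token expires.
        this.onStop(`renewal failed: ${(err as Error).message}`);
      }
    }, delayMs);
  }
}
```

Usage: `new TokenRenewer(() => client.tokenRenewSelf().then((r) => r.auth), (why) => log.warn(why)).start(lease)` with the lease from token creation (assumed client and logger). Watch the `lease_duration` Vault returns on each renewal: when it starts shrinking, the token is approaching its `max_ttl` and the `onStop` callback is where re-authentication belongs.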

Going further

Discover our advanced courses on secret management and cloud security: https://learni-group.com/formations