What is dynamic secrets generation in Vault, and why is it powerful? [Intermediate]
Answer
Dynamic secrets in Vault are generated on demand and have leases, expiration, and automatic revocation. They are powerful because each workload can receive unique short-lived credentials instead of sharing a static password across applications and environments.
Technical explanation
Database dynamic secrets create temporary database users with scoped permissions.
If a credential leaks, its lifetime and permission scope are limited.
Dynamic secrets improve auditability because each issued credential can be tied back to a workload and lease.
Hands-on example
Example: configure Vault's database secrets engine for PostgreSQL. The payments service requests database/creds/payments-readonly, receives a unique username/password valid for one hour, uses it for connections, and Vault revokes it automatically when the lease expires.
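The setup described above, written out with the vault CLI as an added example that is not part of the original page. The connection name payments-db, the host db.example.internal, the admin user vault_admin, the PG_VAULT_ADMIN_PASSWORD variable, the public schema grant and max_ttl=1h are assumptions.

```shell
#!/bin/sh
# Added example, not from the original page. Needs VAULT_ADDR and VAULT_TOKEN.
ROLE="payments-readonly"   # role name from the example above
DB_CONN="payments-db"      # assumed connection name

# SQL Vault runs per request; it fills in {{name}}, {{password}} and
# {{expiration}}, so every lease gets its own read-only database user.
creation_sql() {
  cat <<'EOF'
CREATE ROLE "{{name}}" WITH LOGIN PASSWORD '{{password}}' VALID UNTIL '{{expiration}}';
GRANT SELECT ON ALL TABLES IN SCHEMA public TO "{{name}}";
EOF
}

configure_payments_readonly() {
  # Stop before touching Vault if the admin password (assumed variable) is unset.
  : "${PG_VAULT_ADMIN_PASSWORD:?set the database admin password}"
  # Mount the engine at database/ (this fails if it is already mounted).
  vault secrets enable database || return 1
  # Connection Vault uses to create and drop users; only $ROLE may use it.
  vault write "database/config/$DB_CONN" \
    plugin_name=postgresql-database-plugin \
    allowed_roles="$ROLE" \
    connection_url="postgresql://{{username}}:{{password}}@db.example.internal:5432/payments" \
    username="vault_admin" \
    password="$PG_VAULT_ADMIN_PASSWORD" || return 1
  # One-hour lease; max_ttl=1h (assumed) stops renewal past that hour.
  vault write "database/roles/$ROLE" \
    db_name="$DB_CONN" \
    creation_statements="$(creation_sql)" \
    default_ttl=1h max_ttl=1h
}

# What the payments service does: the JSON reply carries lease_id,
# lease_duration, and a unique username and password.
issue_payments_creds() {
  vault read -format=json "database/creds/$ROLE"
}

# Early revocation after a suspected leak; $1 is the lease_id from the reply.
revoke_payments_lease() {
  vault lease revoke "$1"
}

# Revoke every credential issued through this role in one step.
revoke_all_payments_leases() {
  vault lease revoke -prefix "database/creds/$ROLE"
}
```

Source the file and run configure_payments_readonly once as an operator; the payments service itself only needs a policy granting read on database/creds/payments-readonly.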