In HashiCorp Vault, what does "dynamic secrets" refer to?

Dynamic secrets in HashiCorp Vault are specifically designed to be generated for a session and can change based on the context of that session or upon demand. Unlike static secrets, which remain the same and are stored permanently, dynamic secrets provide a way to issue credentials that are temporary and unique to each use. This ensures that the secrets can be short-lived, reducing the risk of exposure since they can be revoked or expire after a certain duration.

The nature of dynamic secrets allows them to increase security by ensuring that users or applications do not have long-term access to sensitive systems, as the credentials can be regenerated or altered as needed. This dynamic capability is particularly useful in environments where secrets need to be tailored precisely for the current requirements of the application or user, thereby enhancing the overall security posture of the system.

Dynamic secrets embody the principle of ephemeral access, thus aligning well with modern security practices that prioritize minimizing the risk of credential abuse or leakage.