What happens to dynamic secrets after their lease expires in Vault?

When dynamic secrets in Vault reach their lease expiration, they are automatically revoked by the system. This automatic revocation process is a core feature of Vault's secret management, ensuring that secrets that are no longer valid cannot be used, thereby enhancing security.

Dynamic secrets are generated on the fly and often have a limited lifespan, so that even if a secret is compromised, the exposure time is minimized. Upon expiration, Vault revokes the secret, removing access for any user or application that was using it. This automated management of secrets helps maintain tight control over access and significantly reduces the risk of unauthorized access over time.

This feature underscores the critical aspect of dynamic secrets: they are intended to provide temporary access to data and services, with predefined expiration times to minimize risks associated with long-lived credentials. Other options, such as having the secrets remain active indefinitely, archived for future use, or permanently deleted, do not align with the operational principles of dynamic secrets in Vault.