What is an example of Vault generating secrets on-demand?

Vault generating secrets on-demand refers to its ability to create dynamic secrets that are valid for a specific period or purpose when explicitly requested. This functionality is a key feature of Vault’s secret management capabilities, allowing for enhanced security by minimizing the exposure of long-lived credentials.

Generating an AWS keypair with valid permissions for S3 bucket access is a clear example of on-demand secret generation. When a user requests such a keypair, Vault can create a new AWS access key with permissions tailored to the request, allowing the user immediate but temporary access to necessary resources. This approach not only automates credential creation but also ensures that the credentials are limited in scope and lifespan.

In contrast, the other options mentioned do not illustrate the concept of on-demand secret generation effectively. Manually requesting access to credentials, generating log files, or securely storing old credentials involve pre-existing data or processes that do not demonstrate the dynamic aspect of secret creation that Vault is capable of. These other activities relate more to credential management rather than the generation of new secrets as needed.