What is an example of Vault generating secrets on-demand?

Study for the HashiCorp Vault Certification. Use flashcards and multiple choice questions with hints and explanations to master the exam. Prepare yourself!

Generating an AWS keypair with valid permissions for S3 bucket access is a prime example of Vault generating secrets on-demand. This process involves Vault creating a new keypair in real-time at the moment a user or application requests access to AWS resources. By dynamically creating these credentials, Vault ensures that the permissions are tailored to the specific request and can be limited in lifespan, enhancing security.

This on-demand generation of secrets is a core feature of HashiCorp Vault, as it allows for temporary credentials that do not persist beyond their required usage, reducing the risk of credential exposure and ensuring least privilege access. When combined with policies that govern which users or applications can request these credentials, it provides a robust security mechanism for managing sensitive access tokens or API keys.

The other options do not exemplify this dynamic generation of secrets: manually requesting access to credentials refers to a static retrieval process, while generating log files is unrelated to secret creation entirely, and storing old credentials securely deals with existing secrets rather than generating new ones. Thus, the focus on on-demand generation distinctly aligns with the nature of option C.
