Vault Secret Organization
Overview
When migrating to HashiCorp Vault, proper secret organization is crucial for security, scalability, and operational efficiency. This guide provides standardized patterns for organizing secrets in your HCP Vault namespaces. The layout you pick also decides how cleanly Vault policies can be written: an environment that is a path segment of its own, or the leading token of a segment, can be granted or denied across every service with a single policy path, while an environment suffix such as database-dev can only be matched service by service.
Namespace Structure
All secrets are organized under your team's namespace, where <CESI> stands for your team's identifier:
admin/<CESI>/secret/...
Example: admin/devex/secret/...
The trees in this guide show logical paths. This guide assumes secret/ is a KV version 2 mount, in which case the API and policy path for a secret inserts data/ after the mount (secret/data/dev-database/web-app) and its version history and listing live under secret/metadata/...; policies must name those prefixed paths, not the logical ones.
Organization Patterns
Pattern 1: Environment-First Structure
Best for teams that work primarily within specific environments.

```text
admin/devex/secret/
├── dev-database/
│   ├── web-app/
│   │   ├── username: "webapp_dev"
│   │   └── password: "secure_password"
│   └── api-service/
│       ├── username: "api_dev"
│       └── password: "api_password"
├── tst-database/
│   └── web-app/
│       ├── username: "webapp_tst"
│       └── password: "tst_password"
├── prd-database/
│   └── web-app/
│       ├── username: "webapp_prd"
│       └── password: "prd_password"
├── dev-api/
│   └── stripe/
│       ├── api_key: "sk_test_..."
│       └── webhook_secret: "whsec_..."
└── prd-api/
    └── stripe/
        ├── api_key: "sk_live_..."
        └── webhook_secret: "whsec_..."
```

Because the environment is the leading token of the first segment, a policy covering everything in one environment is a single prefix glob (secret/data/dev-*), and nothing under prd-* is reachable through it.
Pattern 2: Application-First Structure
Best for teams managing multiple applications across environments.

```text
admin/devex/secret/
├── web-application/
│   ├── dev/
│   │   ├── database/
│   │   │   ├── username: "webapp_dev"
│   │   │   └── password: "dev_password"
│   │   └── api-keys/
│   │       └── stripe_key: "sk_test_..."
│   ├── tst/
│   │   └── database/
│   │       ├── username: "webapp_tst"
│   │       └── password: "tst_password"
│   └── prd/
│       ├── database/
│       │   ├── username: "webapp_prd"
│       │   └── password: "prd_password"
│       └── api-keys/
│           └── stripe_key: "sk_live_..."
└── api-service/
    ├── dev/
    │   └── database/
    │       ├── username: "api_dev"
    │       └── password: "api_dev_password"
    └── prd/
        └── database/
            ├── username: "api_prd"
            └── password: "api_prd_password"
```

Here an application team's whole tree is one prefix (secret/data/web-application/*), while an environment-wide policy needs Vault's single-segment wildcard because the environment is the second segment (secret/data/+/dev/*).
Pattern 3: Service-Type Structure
Best for organizations with specialized teams (database, security, etc.).

```text
admin/devex/secret/
├── databases/
│   ├── postgresql/
│   │   ├── dev/app1/
│   │   │   ├── username: "app1_dev"
│   │   │   └── password: "dev_password"
│   │   └── prd/app1/
│   │       ├── username: "app1_prd"
│   │       └── password: "prd_password"
│   └── oracle/
│       ├── dev/app1/
│       │   ├── username: "oracle_dev"
│       │   └── password: "oracle_dev_password"
│       └── prd/app1/
│           ├── username: "oracle_prd"
│           └── password: "oracle_prd_password"
└── api-keys/
    └── external-services/
        ├── dev/
        │   ├── stripe/api_key: "sk_test_..."
        │   └── sendgrid/api_key: "SG.dev..."
        └── prd/
            ├── stripe/api_key: "sk_live_..."
            └── sendgrid/api_key: "SG.live..."
```

The database team can be granted secret/data/databases/* without ever seeing an API key, and the environment is the third segment in both branches, so one environment-wide policy (secret/data/+/+/prd/*) still covers the whole tree.
Pattern 4: AAP Integration Structure
Best for teams using Ansible Automation Platform for automated workflows.

```text
admin/devex/secret/
└── aap/
    ├── app1/
    │   ├── dev/
    │   │   ├── username: "app1_dev_user"
    │   │   └── password: "app1_dev_password"
    │   └── prd/
    │       ├── username: "app1_prd_user"
    │       └── password: "app1_prd_password"
    ├── service-accounts/
    │   ├── monitoring/
    │   │   ├── username: "monitor_user"
    │   │   └── password: "monitor_password"
    │   └── backup/
    │       ├── username: "backup_user"
    │       └── password: "backup_password"
    └── api-tokens/
        ├── azure-token: "azure_api_token"
        └── github-token: "ghp_github_token"
```

Two caveats for this layout. The api-tokens secret holds several unrelated credentials under one path, so any AAP credential that can read the Azure token can read the GitHub token as well; keep one secret per token (api-tokens/azure, api-tokens/github) when they must be separately grantable, and name the keys with underscores as the conventions below require. Also, service-accounts and api-tokens carry no environment in their path, so an environment-scoped policy (secret/data/aap/+/prd) does not cover them and they need their own policy entries.
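What all four patterns share is that the environment's position in the path fixes the policy glob that can confine a token to one environment. The following Python script is an added example, not code from the guide, that derives the KV version 2 policy paths for each pattern and checks request paths against them using Vault's policy-path rules (a trailing `*` is a prefix match, `+` matches exactly one segment). It assumes the `secret/` mount is KV v2; the pattern names and paths are the guide's, while the function names and the request paths fed to the checker are this example's own.

```python
"""Derive environment-scoped Vault policy paths for the layout patterns above.

Added example, not part of the original guide. Assumes the `secret/` mount
is KV version 2, so secret reads go through `secret/data/<path>` and listing
through `secret/metadata/<path>`; pattern names and paths are the guide's,
the function names are this example's own.
"""
import re

MOUNT = "secret"
ENVS = ("dev", "tst", "prd")

# Where the environment sits in each pattern, as a Vault policy path glob.
# Vault honours `*` only at the very end of a policy path (prefix match) and
# `+` for exactly one segment anywhere, which is why the environment must be
# a leading token or a segment of its own for a one-line per-env policy.
PATTERN_GLOBS = {
    "environment-first": "{env}-*",     # dev-database/..., dev-api/...
    "application-first": "+/{env}/*",   # web-application/dev/...
    "service-type": "+/+/{env}/*",      # databases/postgresql/dev/..., api-keys/external-services/dev/...
    "aap": "aap/+/{env}",               # aap/app1/dev is itself the secret, so no trailing glob
}


def api_path(logical: str) -> str:
    """Logical path under the mount -> KV v2 data path used by the API and by policies."""
    return f"{MOUNT}/data/{logical.strip('/')}"


def policy_paths(pattern: str, env: str) -> dict:
    """KV v2 data and metadata policy paths that cover only `env` within `pattern`."""
    if env not in ENVS:
        raise ValueError(f"unknown environment {env!r}")
    glob = PATTERN_GLOBS[pattern].format(env=env)
    return {"data": f"{MOUNT}/data/{glob}", "metadata": f"{MOUNT}/metadata/{glob}"}


def render_policy(pattern: str, env: str) -> str:
    """HCL policy granting read on one environment's secrets and list/read on their metadata."""
    p = policy_paths(pattern, env)
    return (
        f'path "{p["data"]}" {{\n  capabilities = ["read"]\n}}\n'
        f'path "{p["metadata"]}" {{\n  capabilities = ["list", "read"]\n}}\n'
    )


def _glob_to_regex(policy_path: str) -> re.Pattern:
    """Translate Vault's policy-path globbing into a regex: trailing `*` = prefix, `+` = one segment."""
    if "*" in policy_path[:-1]:
        raise ValueError("Vault only honours `*` at the end of a policy path")
    parts = []
    for seg in policy_path.split("/"):
        if seg == "+":
            parts.append("[^/]+")
        elif seg.endswith("*"):
            parts.append(re.escape(seg[:-1]) + ".*")
        else:
            parts.append(re.escape(seg))
    return re.compile("^" + "/".join(parts) + "$")


def policy_allows(policy_path: str, request_path: str) -> bool:
    """True if a policy entry for `policy_path` matches a request for `request_path`."""
    return _glob_to_regex(policy_path).match(request_path) is not None


if __name__ == "__main__":
    for pattern in PATTERN_GLOBS:
        print(f"# {pattern}: dev-only reader\n{render_policy(pattern, 'dev')}")
    dev_only = policy_paths("application-first", "dev")["data"]
    print(policy_allows(dev_only, api_path("web-application/dev/database")))  # True
    print(policy_allows(dev_only, api_path("web-application/prd/database")))  # False
```

Running the script prints a dev-only reader policy for each pattern; checking the prd variant of the same logical path against it returns False, which is the isolation property the layout is meant to buy. The AAP entry shows the limitation too: aap/service-accounts/... and aap/api-tokens carry no environment and fall outside every environment-scoped glob.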
Secret Naming Conventions (Recommended)
Path Names
- Use lowercase with hyphens: `dev-database`, `prd-api`
- Include the environment clearly in the path, either as a segment of its own (`web-application/dev/...`) or as the leading token of a segment (`dev-database`). Avoid an environment suffix such as `database-dev`: Vault policy globs match a prefix (`dev-*`) or a whole segment (`+`), never a suffix, so a suffix cannot be selected by one environment-wide policy.
- Use descriptive names: `external-services`, `web-application`
Key Names
- Use lowercase with underscores: `username`, `password`, `api_key`
- Be consistent across environments, so the same secret carries the same keys in dev, tst and prd and an application needs no per-environment code path
- Include context when helpful: `rotation_policy`, `last_rotated`
These are recommended conventions for consistency and best practices. Teams may adapt naming based on their specific requirements.
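The conventions above are easy to state and easy to drift from, so it is worth enforcing them before a secret is written (in a CI step or a pre-commit hook for the automation that populates Vault). The Python below is an added example, not code from the guide: it validates a logical path and its keys against the rules above, including where the environment sits in the path, and reports key-set drift between environments for the same secret. The sample secrets and their values are constructed placeholders, and the function names are this example's own.

```python
"""Check secret paths and keys against the naming conventions above.

Added example, not code from the original guide. The conventions are the
guide's; the checker, its function names and the constructed sample secrets
are this example's own, and every value below is a placeholder.
"""
import re

ENVS = ("dev", "tst", "prd")
PATH_SEGMENT = re.compile(r"^[a-z0-9]+(-[a-z0-9]+)*$")    # lowercase with hyphens
KEY_NAME = re.compile(r"^[a-z][a-z0-9]*(_[a-z0-9]+)*$")   # lowercase with underscores


def env_of(path: str):
    """Return the single environment the path names, or None.

    The environment may be a segment of its own (web-application/dev/...) or
    the leading token of a segment (dev-database). A suffix such as
    database-dev is rejected: a Vault policy glob matches a prefix or a whole
    segment, never a suffix, so an environment-wide policy could not select it.
    """
    found = set()
    for seg in path.strip("/").split("/"):
        for env in ENVS:
            if seg == env or seg.startswith(env + "-"):
                found.add(env)
    return found.pop() if len(found) == 1 else None


def check_secret(path: str, data: dict) -> list:
    """Return the convention violations for one secret (empty when it conforms)."""
    problems = []
    for seg in path.strip("/").split("/"):
        if not PATH_SEGMENT.match(seg):
            problems.append(f"path segment {seg!r} is not lowercase-with-hyphens")
    if env_of(path) is None:
        problems.append(f"path {path!r} does not name exactly one of {'/'.join(ENVS)}")
    for key in data:
        if not KEY_NAME.match(key):
            problems.append(f"key {key!r} is not lowercase-with-underscores")
    return problems


def template_of(path: str) -> str:
    """Replace the environment token with {env} so dev/tst/prd copies of a secret group together."""
    out = []
    for seg in path.strip("/").split("/"):
        for env in ENVS:
            if seg == env:
                seg = "{env}"
            elif seg.startswith(env + "-"):
                seg = "{env}" + seg[len(env):]
        out.append(seg)
    return "/".join(out)


def key_drift(secrets: dict) -> dict:
    """Map each secret template to its per-environment key lists where the key sets differ.

    This is the "be consistent across environments" rule: an application
    reading the prd copy should find exactly the keys it found in dev.
    """
    groups = {}
    for path, data in secrets.items():
        env = env_of(path)
        if env is not None:
            groups.setdefault(template_of(path), {})[env] = frozenset(data)
    return {
        tmpl: {env: sorted(keys) for env, keys in by_env.items()}
        for tmpl, by_env in groups.items()
        if len(set(by_env.values())) > 1
    }


# Constructed sample tree (placeholder values, not real credentials).
SAMPLE_SECRETS = {
    "dev-database/web-app": {"username": "webapp_dev", "password": "placeholder"},
    "prd-database/web-app": {"username": "webapp_prd", "password": "placeholder", "rotation_policy": "30d"},
    "web-application/dev/database": {"username": "webapp_dev", "password": "placeholder"},
    "Prod_API/stripe": {"api-key": "sk_live_placeholder"},  # breaks the path, environment and key rules
    "aap/api-tokens": {"azure-token": "placeholder", "github-token": "placeholder"},  # no env, hyphenated keys
}


def audit(secrets: dict) -> dict:
    """Violations per path plus cross-environment key drift for a whole tree."""
    report = {path: check_secret(path, data) for path, data in secrets.items()}
    return {"violations": {p: v for p, v in report.items() if v}, "drift": key_drift(secrets)}


if __name__ == "__main__":
    import json
    print(json.dumps(audit(SAMPLE_SECRETS), indent=2))
```

On the sample tree the audit flags the two malformed entries and reports that prd-database/web-app gained a rotation_policy key that its dev counterpart lacks, which is exactly the kind of silent divergence that breaks an application on its first production deploy.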
Conclusion
Choose the pattern that best fits your team's workflow:
- Environment-First: teams organized by environment (dev team, prod team)
- Application-First: teams that own applications end-to-end
- Service-Type: specialized teams (database team, security team)
- AAP Integration: automated workflows and password rotation
Whichever you choose, implement it consistently within your namespace: admin/<CESI>/secret/...