{"id":76330,"date":"2019-04-04T09:00:17","date_gmt":"2019-04-04T16:00:17","guid":{"rendered":""},"modified":"2025-06-27T09:27:00","modified_gmt":"2025-06-27T16:27:00","slug":"tutorial-identify-eliminate-secrets-sprawl-hashicorp-vault-azure","status":"publish","type":"post","link":"https:\/\/opensource.microsoft.com\/blog\/2019\/04\/04\/tutorial-identify-eliminate-secrets-sprawl-hashicorp-vault-azure\/","title":{"rendered":"How to identify and eliminate secrets sprawl on Azure with HashiCorp Vault"},"content":{"rendered":"\n<h2 class=\"wp-block-heading\" id=\"what-is-a-secret\">What is a secret<\/h2>\n\n\n\n<p>In this blog, we will show you how <a href=\"https:\/\/www.vaultproject.io\">HashiCorp Vault<\/a> can help you manage and eliminate secrets sprawl in Azure and your broader organization in general. Before we dive into defining what secret sprawl is, however, it\u2019s good to understand what we define as a secret. 
A secret is usually one of two things:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Anything that authenticates a person or program to a protected system (usually a string of UTF-8 characters).<\/li>\n\n\n\n<li>An encryption key or key pair which provides a means to encrypt\/decrypt data.<\/li>\n<\/ul>\n\n\n\n<p>Some examples of secrets include:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Username &amp; password<\/li>\n\n\n\n<li>Keypad PIN sequence<\/li>\n\n\n\n<li>TLS Certificates<\/li>\n\n\n\n<li>API Tokens<\/li>\n\n\n\n<li>Symmetric encryption keys<\/li>\n<\/ul>\n\n\n\n<p>Some would argue that data contained in protected systems or stored encrypted in a data store are also secrets, but access and encryption methods are upstream from this data and are simpler to store and manage.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\" id=\"what-is-secrets-sprawl\">What is secrets sprawl?<\/h2>\n\n\n\n<p>Using this definition of a secret, secrets sprawl is the surface area on which an organization\u2019s secrets are stored and the volume of these secrets stored on this surface area. It is still common for secrets to be stored in plain text in a variety of different places such as in files on people\u2019s computers, in version control systems like Azure DevOps or GitHub, in configuration management platforms like Chef, Puppet or Ansible or embedded in CI\/CD pipelines like CircleCI or Jenkins. It also isn\u2019t uncommon to find secrets on the occasional <a href=\"https:\/\/amp.businessinsider.com\/images\/5a5e41e728eecc420c8b4fcb-750-375.jpg\">sticky note<\/a> or piece of paper taped onto the bottom of a keyboard. 
If you read news headlines regularly, you will sometimes hear about cases of plain text secret storage at all manner of organizations (e.g., <a href=\"https:\/\/krebsonsecurity.com\/2019\/03\/facebook-stored-hundreds-of-millions-of-user-passwords-in-plain-text-for-years\/\">Facebook Stored Hundreds of Millions of User Passwords in Plain Text for Years \u2014 Krebs on Security<\/a>).<\/p>\n\n\n\n<p>As operators and developers get more sophisticated, they have turned to better secret storage techniques like encrypted drives, using GNU Privacy Guard (GPG) keys or Cloud Key Management Service (KMS) keys to encrypt\/decrypt files. These methods are more secure, but they still often lead to secrets sprawl if not managed properly.<\/p>\n\n\n\n<p>As secrets sprawl out across your organization, it\u2019s difficult to answer questions like:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Where are all my secrets?<\/li>\n\n\n\n<li>Who is accessing them and when?<\/li>\n\n\n\n<li>Are they still there? When did they get there? Have they changed? When were they removed?<\/li>\n\n\n\n<li>How do I rotate all of these secrets to match security policies?<\/li>\n<\/ul>\n\n\n\n<h2 class=\"wp-block-heading\" id=\"how-hashicorp-vault-manages-secrets\">How HashiCorp Vault manages secrets<\/h2>\n\n\n\n<p><a href=\"https:\/\/www.vaultproject.io\">HashiCorp Vault<\/a> is a highly scalable, highly available, environment agnostic way to generate, manage, and store secrets. It encrypts data with the Advanced Encryption Standard (AES) using 256-bit keys in Galois\/Counter Mode (GCM). This means it is both highly secure and highly performant.<\/p>\n\n\n\n<p>Once data is encrypted it is stored on a variety of storage backends such as <a href=\"https:\/\/www.consul.io\">HashiCorp Consul<\/a> (most recommended), Azure Storage Container and a number of other databases and datastores. 
Check the <a href=\"https:\/\/www.vaultproject.io\/docs\/configuration\/storage\/index.html\">Storage Backends &#8211; Configuration document<\/a> for in-depth information on specific backends and high availability support.<\/p>\n\n\n\n<p>Here are some of the features of Vault which enable a stronger workflow for controlling access to sensitive data and secrets.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"authentication-methods\">Authentication methods<\/h3>\n\n\n\n<p>Vault offers flexible authentication methods which allow users to access Vault using trusted sources of identity. Users leverage tools like <a href=\"https:\/\/www.vaultproject.io\/docs\/auth\/ldap.html\">LDAP<\/a>, <a href=\"https:\/\/www.vaultproject.io\/docs\/auth\/github.html\">GitHub Tokens<\/a> or <a href=\"https:\/\/www.vaultproject.io\/docs\/auth\/userpass.html\">Username &amp; Password<\/a>.<\/p>\n\n\n\n<p>For machines and applications, Vault supports flexible methods like <a href=\"https:\/\/www.vaultproject.io\/docs\/auth\/azure.html\">Azure Active Directory\/MSI<\/a>, <a href=\"https:\/\/www.vaultproject.io\/docs\/auth\/kubernetes.html\">Kubernetes JWT<\/a>, <a href=\"https:\/\/www.vaultproject.io\/docs\/auth\/cert.html\">TLS Certificates<\/a> and <a href=\"https:\/\/www.vaultproject.io\/docs\/auth\/approle.html\">Vault\u2019s AppRole method<\/a>. Regardless of authentication method chosen, users or applications will be granted a Vault Token.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"policies\">Policies<\/h3>\n\n\n\n<p>Vault Tokens are scoped using <a href=\"https:\/\/www.vaultproject.io\/docs\/concepts\/policies.html\">policies<\/a>. Policies authorize a user or application to access specific paths within Vault. Paths are created on a Radix tree for highly performant lookups of secrets and mapping of policies. Authentication methods, secret engines and administrative functions are mapped to paths making it simple to define authorization to all of Vault through one mechanism. 
The default action for a policy is to deny access until paths are whitelisted. There are wildcard functions making it easier to allow access to certain path structures.<\/p>\n\n\n\n<p>Let\u2019s look at an example policy granting access to both a secret engine path (kv) and management endpoints.<\/p>\n\n\n<div class=\"wp-block-syntaxhighlighter-code \"><pre class=\"brush: plain; title: ; notranslate\" title=\"\">\n# List, create, update, and delete key\/value secrets\npath \"kv\/*\"\n{\n  capabilities = [\"create\", \"read\", \"update\", \"delete\", \"list\", \"sudo\"]\n}\n \n# Manage secret engines broadly across Vault\npath \"sys\/mounts\/*\"\n{\n  capabilities = [\"create\", \"read\", \"update\", \"delete\", \"list\", \"sudo\"]\n}\n \n# List existing secret engines\npath \"sys\/mounts\"\n{\n  capabilities = [\"read\"]\n}\n\n<\/pre><\/div>\n\n\n<p>Leveraging Vault policies helps organizations trust that users and applications only have access to credentials that they are approved for.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"secret-engines\">Secret Engines<\/h3>\n\n\n\n<p>Vault offers a wide array of <a href=\"https:\/\/www.vaultproject.io\/docs\/secrets\/index.html\">Secrets Engines<\/a> that go far beyond just basic K\/V management. Vault Secrets Engines can manage dynamic secrets on certain technologies like <a href=\"https:\/\/www.vaultproject.io\/docs\/secrets\/azure\/index.html\">Azure Service Principals<\/a> and <a href=\"https:\/\/www.vaultproject.io\/docs\/secrets\/databases\/index.html\">Databases and Datastores<\/a>. These secrets are both time and access bound, which often eliminates the need to rotate secrets. 
Dynamic secrets help reduce the blast damage of any leaked secrets or compromised systems because every authenticated entity will have a unique set of credentials.<\/p>\n\n\n\n<p>Vault can also be used to generate and deploy <a href=\"https:\/\/www.vaultproject.io\/docs\/secrets\/pki\/index.html\">PKI Certificates<\/a> and <a href=\"https:\/\/www.vaultproject.io\/docs\/secrets\/ssh\/signed-ssh-certificates.html\">Signed SSH Certificates<\/a>.<\/p>\n\n\n\n<p>Lastly, Vault provides Encryption as a Service via the <a href=\"https:\/\/www.vaultproject.io\/docs\/secrets\/transit\/index.html\">Transit Engine<\/a>. This alleviates the need to integrate complex encryption libraries into application code. Payloads, for example a JSON file, can be sent to Vault and are then encrypted to be stored at rest. When they are retrieved, Vault will decrypt them and display them to applications on the fly. Because keys are versioned, it\u2019s easy to roll re-encryption of data as necessary for regulatory purposes.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\" id=\"vault-and-azure-specific-integrations\">Vault and Azure-specific integrations<\/h2>\n\n\n\n<p>Azure users can leverage all of these Vault features to automate their secrets management and retrieval through Azure specific integrations. First and foremost Vault can be <a href=\"https:\/\/www.vaultproject.io\/docs\/configuration\/seal\/azurekeyvault.html\">automatically unsealed<\/a> using KMS keys from Azure Key Vault. 
Next, <a href=\"https:\/\/www.vaultproject.io\/docs\/auth\/azure.html\">MSI credentials<\/a> can be used to authenticate systems and applications, removing the need to distribute initial access credentials. Lastly, Vault can dynamically generate <a href=\"https:\/\/www.vaultproject.io\/docs\/secrets\/azure\/index.html\">Azure Service Principals and role assignments<\/a>. This gives users and applications off-cloud an easy method for generating flexible time and permission bound access into Azure APIs.<\/p>\n\n\n\n<p>More information on HashiCorp Vault and Azure integrations can be found on the <a href=\"https:\/\/www.hashicorp.com\/integrations\/microsoft\">HashiCorp\/Azure Integrations<\/a> page.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\" id=\"how-to-get-started\">How to get started<\/h2>\n\n\n\n<p>If you would like a quick way of testing out Vault in Azure, this <a 
href=\"https:\/\/github.com\/grove-mountain\/hc-demos\/tree\/master\/vault\/azure_secret_sprawl_webinar\">GitHub repo<\/a> contains all the code to create a Vault environment in Azure including all instructions on how to obtain Terraform, run it, connect to your Azure instance and run the Vault commands. This is a great way to learn the concepts covered here with a low barrier to entry.<\/p>\n\n\n\n<p>For a more extensive, curated approach to learning Vault, HashiCorp offers an extensive <a href=\"https:\/\/learn.hashicorp.com\/vault\/\">curriculum<\/a> on the <a href=\"https:\/\/learn.hashicorp.com\/\">HashiCorp Learn<\/a> site. 
Here you can learn everything from basic system setup and secrets management to advanced topics like distributed architectures and entity management.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\" id=\"additional-resources\">Additional Resources<\/h2>\n\n\n\n<p>To see demonstrations of some of the integrations mentioned earlier, watch the webinar that inspired this blog post: <a href=\"https:\/\/info.microsoft.com\/ww-ondemand-understanding-and-eliminating-secret-sprawl-using-HashiCorp-vault.html?lcid=en-us\">Understanding and Eliminating Secret Sprawl Using HashiCorp Vault<\/a>.<\/p>\n\n\n\n<p><em>Follow Jake <a href=\"https:\/\/twitter.com\/JakeLundberg\">@JakeLundberg<\/a>.<\/em><\/p>\n","protected":false},"excerpt":{"rendered":"<p>What is a secret In this blog, we will show you how HashiCorp Vault can help you manage and eliminate secrets sprawl in Azure and your broader organization in general. 
Before we dive into defining what secret sprawl is, however, it\u2019s good to understand what we define as a secret.<\/p>\n","protected":false},"author":5562,"featured_media":76462,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"msxcm_post_with_no_image":false,"ep_exclude_from_search":false,"_classifai_error":"","_classifai_text_to_speech_error":"","footnotes":""},"post_tag":[2271,141],"content-type":[340],"topic":[2241,2244,2245],"programming-languages":[],"coauthors":[550],"class_list":["post-76330","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","tag-community-partners","tag-hashicorp","content-type-tutorials-and-demos","topic-cloud","topic-devops","topic-infrastructure","review-flag-1593580428-734","review-flag-1593580415-931","review-flag-8-1593580468-572","review-flag-integ-1593580288-449","review-flag-lever-1593580265-989"],"yoast_head":"<!-- This site is optimized with the Yoast SEO plugin v27.2 - https:\/\/yoast.com\/product\/yoast-seo-wordpress\/ -->\n<title>How to identify and eliminate secrets sprawl on Azure with HashiCorp Vault | Microsoft Open Source Blog<\/title>\n<meta name=\"description\" content=\"HashiCorp Vault is a highly scalable, highly available, environment agnostic way to generate, manage, and store secrets. 
Learn how it manages &quot;secret sprawl&quot; in this blog post.\" \/>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/opensource.microsoft.com\/blog\/2019\/04\/04\/tutorial-identify-eliminate-secrets-sprawl-hashicorp-vault-azure\/\" \/>\n<meta property=\"og:locale\" content=\"en_US\" \/>\n<meta property=\"og:type\" content=\"article\" \/>\n<meta property=\"og:title\" content=\"How to identify and eliminate secrets sprawl on Azure with HashiCorp Vault | Microsoft Open Source Blog\" \/>\n<meta property=\"og:description\" content=\"HashiCorp Vault is a highly scalable, highly available, environment agnostic way to generate, manage, and store secrets. Learn how it manages &quot;secret sprawl&quot; in this blog post.\" \/>\n<meta property=\"og:url\" content=\"https:\/\/opensource.microsoft.com\/blog\/2019\/04\/04\/tutorial-identify-eliminate-secrets-sprawl-hashicorp-vault-azure\/\" \/>\n<meta property=\"og:site_name\" content=\"Microsoft Open Source Blog\" \/>\n<meta property=\"article:published_time\" content=\"2019-04-04T16:00:17+00:00\" \/>\n<meta property=\"article:modified_time\" content=\"2025-06-27T16:27:00+00:00\" \/>\n<meta property=\"og:image\" content=\"https:\/\/opensource.microsoft.com\/blog\/wp-content\/uploads\/2019\/04\/Vault_PrimaryLogo_FullColor.png\" \/>\n\t<meta property=\"og:image:width\" content=\"899\" \/>\n\t<meta property=\"og:image:height\" content=\"418\" \/>\n\t<meta property=\"og:image:type\" content=\"image\/png\" \/>\n<meta name=\"author\" content=\"Jake Lundberg\" \/>\n<meta name=\"twitter:card\" content=\"summary_large_image\" \/>\n<meta name=\"twitter:image\" content=\"https:\/\/opensource.microsoft.com\/blog\/wp-content\/uploads\/2019\/04\/Vault_PrimaryLogo_FullColor_TW.png\" \/>\n<meta name=\"twitter:creator\" content=\"@OpenAtMicrosoft\" \/>\n<meta name=\"twitter:site\" content=\"@OpenAtMicrosoft\" \/>\n<meta 
name=\"twitter:label1\" content=\"Written by\" \/>\n\t<meta name=\"twitter:data1\" content=\"Jake Lundberg\" \/>\n\t<meta name=\"twitter:label2\" content=\"Est. reading time\" \/>\n\t<meta name=\"twitter:data2\" content=\"5 min read\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\/\/schema.org\",\"@graph\":[{\"@type\":\"Article\",\"@id\":\"https:\/\/opensource.microsoft.com\/blog\/2019\/04\/04\/tutorial-identify-eliminate-secrets-sprawl-hashicorp-vault-azure\/#article\",\"isPartOf\":{\"@id\":\"https:\/\/opensource.microsoft.com\/blog\/2019\/04\/04\/tutorial-identify-eliminate-secrets-sprawl-hashicorp-vault-azure\/\"},\"author\":[{\"@id\":\"https:\/\/opensource.microsoft.com\/blog\/author\/jake-lundberg\/\",\"@type\":\"Person\",\"@name\":\"Jake Lundberg\"}],\"headline\":\"How to identify and eliminate secrets sprawl on Azure with HashiCorp Vault\",\"datePublished\":\"2019-04-04T16:00:17+00:00\",\"dateModified\":\"2025-06-27T16:27:00+00:00\",\"mainEntityOfPage\":{\"@id\":\"https:\/\/opensource.microsoft.com\/blog\/2019\/04\/04\/tutorial-identify-eliminate-secrets-sprawl-hashicorp-vault-azure\/\"},\"wordCount\":1148,\"commentCount\":0,\"publisher\":{\"@id\":\"https:\/\/opensource.microsoft.com\/blog\/#organization\"},\"image\":{\"@id\":\"https:\/\/opensource.microsoft.com\/blog\/2019\/04\/04\/tutorial-identify-eliminate-secrets-sprawl-hashicorp-vault-azure\/#primaryimage\"},\"thumbnailUrl\":\"https:\/\/opensource.microsoft.com\/blog\/wp-content\/uploads\/2019\/04\/Vault_PrimaryLogo_FullColor.png\",\"keywords\":[\"Community\/partners\",\"HashiCorp\"],\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"CommentAction\",\"name\":\"Comment\",\"target\":[\"https:\/\/opensource.microsoft.com\/blog\/2019\/04\/04\/tutorial-identify-eliminate-secrets-sprawl-hashicorp-vault-azure\/#respond\"]}]},{\"@type\":\"WebPage\",\"@id\":\"https:\/\/opensource.microsoft.com\/blog\/2019\/04\/04\/tutorial-identify-eliminate-secrets-sprawl
-hashicorp-vault-azure\/\",\"url\":\"https:\/\/opensource.microsoft.com\/blog\/2019\/04\/04\/tutorial-identify-eliminate-secrets-sprawl-hashicorp-vault-azure\/\",\"name\":\"How to identify and eliminate secrets sprawl on Azure with HashiCorp Vault | Microsoft Open Source Blog\",\"isPartOf\":{\"@id\":\"https:\/\/opensource.microsoft.com\/blog\/#website\"},\"primaryImageOfPage\":{\"@id\":\"https:\/\/opensource.microsoft.com\/blog\/2019\/04\/04\/tutorial-identify-eliminate-secrets-sprawl-hashicorp-vault-azure\/#primaryimage\"},\"image\":{\"@id\":\"https:\/\/opensource.microsoft.com\/blog\/2019\/04\/04\/tutorial-identify-eliminate-secrets-sprawl-hashicorp-vault-azure\/#primaryimage\"},\"thumbnailUrl\":\"https:\/\/opensource.microsoft.com\/blog\/wp-content\/uploads\/2019\/04\/Vault_PrimaryLogo_FullColor.png\",\"datePublished\":\"2019-04-04T16:00:17+00:00\",\"dateModified\":\"2025-06-27T16:27:00+00:00\",\"description\":\"HashiCorp Vault is a highly scalable, highly available, environment agnostic way to generate, manage, and store secrets. 
Learn how it manages \\\"secret sprawl\\\" in this blog post.\",\"breadcrumb\":{\"@id\":\"https:\/\/opensource.microsoft.com\/blog\/2019\/04\/04\/tutorial-identify-eliminate-secrets-sprawl-hashicorp-vault-azure\/#breadcrumb\"},\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\/\/opensource.microsoft.com\/blog\/2019\/04\/04\/tutorial-identify-eliminate-secrets-sprawl-hashicorp-vault-azure\/\"]}]},{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/opensource.microsoft.com\/blog\/2019\/04\/04\/tutorial-identify-eliminate-secrets-sprawl-hashicorp-vault-azure\/#primaryimage\",\"url\":\"https:\/\/opensource.microsoft.com\/blog\/wp-content\/uploads\/2019\/04\/Vault_PrimaryLogo_FullColor.png\",\"contentUrl\":\"https:\/\/opensource.microsoft.com\/blog\/wp-content\/uploads\/2019\/04\/Vault_PrimaryLogo_FullColor.png\",\"width\":899,\"height\":418,\"caption\":\"a close up of a logo\"},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\/\/opensource.microsoft.com\/blog\/2019\/04\/04\/tutorial-identify-eliminate-secrets-sprawl-hashicorp-vault-azure\/#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"Home\",\"item\":\"https:\/\/opensource.microsoft.com\/blog\/\"},{\"@type\":\"ListItem\",\"position\":2,\"name\":\"How to identify and eliminate secrets sprawl on Azure with HashiCorp Vault\"}]},{\"@type\":\"WebSite\",\"@id\":\"https:\/\/opensource.microsoft.com\/blog\/#website\",\"url\":\"https:\/\/opensource.microsoft.com\/blog\/\",\"name\":\"Microsoft Open Source Blog\",\"description\":\"Open dialogue about openness at Microsoft \u2013 open source, standards, 
interoperability\",\"publisher\":{\"@id\":\"https:\/\/opensource.microsoft.com\/blog\/#organization\"},\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\/\/opensource.microsoft.com\/blog\/?s={search_term_string}\"},\"query-input\":{\"@type\":\"PropertyValueSpecification\",\"valueRequired\":true,\"valueName\":\"search_term_string\"}}],\"inLanguage\":\"en-US\"},{\"@type\":\"Organization\",\"@id\":\"https:\/\/opensource.microsoft.com\/blog\/#organization\",\"name\":\"Microsoft Open Source Blog\",\"url\":\"https:\/\/opensource.microsoft.com\/blog\/\",\"logo\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/opensource.microsoft.com\/blog\/#\/schema\/logo\/image\/\",\"url\":\"https:\/\/opensource.microsoft.com\/blog\/wp-content\/uploads\/2019\/08\/Microsoft-Logo.png\",\"contentUrl\":\"https:\/\/opensource.microsoft.com\/blog\/wp-content\/uploads\/2019\/08\/Microsoft-Logo.png\",\"width\":259,\"height\":194,\"caption\":\"Microsoft Open Source Blog\"},\"image\":{\"@id\":\"https:\/\/opensource.microsoft.com\/blog\/#\/schema\/logo\/image\/\"},\"sameAs\":[\"https:\/\/x.com\/OpenAtMicrosoft\"]}]}<\/script>\n<!-- \/ Yoast SEO plugin. -->","yoast_head_json":{"title":"How to identify and eliminate secrets sprawl on Azure with HashiCorp Vault | Microsoft Open Source Blog","description":"HashiCorp Vault is a highly scalable, highly available, environment agnostic way to generate, manage, and store secrets. 
Learn how it manages \"secret sprawl\" in this blog post.","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"canonical":"https:\/\/opensource.microsoft.com\/blog\/2019\/04\/04\/tutorial-identify-eliminate-secrets-sprawl-hashicorp-vault-azure\/","og_locale":"en_US","og_type":"article","og_title":"How to identify and eliminate secrets sprawl on Azure with HashiCorp Vault | Microsoft Open Source Blog","og_description":"HashiCorp Vault is a highly scalable, highly available, environment agnostic way to generate, manage, and store secrets. Learn how it manages \"secret sprawl\" in this blog post.","og_url":"https:\/\/opensource.microsoft.com\/blog\/2019\/04\/04\/tutorial-identify-eliminate-secrets-sprawl-hashicorp-vault-azure\/","og_site_name":"Microsoft Open Source Blog","article_published_time":"2019-04-04T16:00:17+00:00","article_modified_time":"2025-06-27T16:27:00+00:00","og_image":[{"width":899,"height":418,"url":"https:\/\/opensource.microsoft.com\/blog\/wp-content\/uploads\/2019\/04\/Vault_PrimaryLogo_FullColor.png","type":"image\/png"}],"author":"Jake Lundberg","twitter_card":"summary_large_image","twitter_image":"https:\/\/opensource.microsoft.com\/blog\/wp-content\/uploads\/2019\/04\/Vault_PrimaryLogo_FullColor_TW.png","twitter_creator":"@OpenAtMicrosoft","twitter_site":"@OpenAtMicrosoft","twitter_misc":{"Written by":"Jake Lundberg","Est. 
reading time":"5 min read"},"schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"Article","@id":"https:\/\/opensource.microsoft.com\/blog\/2019\/04\/04\/tutorial-identify-eliminate-secrets-sprawl-hashicorp-vault-azure\/#article","isPartOf":{"@id":"https:\/\/opensource.microsoft.com\/blog\/2019\/04\/04\/tutorial-identify-eliminate-secrets-sprawl-hashicorp-vault-azure\/"},"author":[{"@id":"https:\/\/opensource.microsoft.com\/blog\/author\/jake-lundberg\/","@type":"Person","@name":"Jake Lundberg"}],"headline":"How to identify and eliminate secrets sprawl on Azure with HashiCorp Vault","datePublished":"2019-04-04T16:00:17+00:00","dateModified":"2025-06-27T16:27:00+00:00","mainEntityOfPage":{"@id":"https:\/\/opensource.microsoft.com\/blog\/2019\/04\/04\/tutorial-identify-eliminate-secrets-sprawl-hashicorp-vault-azure\/"},"wordCount":1148,"commentCount":0,"publisher":{"@id":"https:\/\/opensource.microsoft.com\/blog\/#organization"},"image":{"@id":"https:\/\/opensource.microsoft.com\/blog\/2019\/04\/04\/tutorial-identify-eliminate-secrets-sprawl-hashicorp-vault-azure\/#primaryimage"},"thumbnailUrl":"https:\/\/opensource.microsoft.com\/blog\/wp-content\/uploads\/2019\/04\/Vault_PrimaryLogo_FullColor.png","keywords":["Community\/partners","HashiCorp"],"inLanguage":"en-US","potentialAction":[{"@type":"CommentAction","name":"Comment","target":["https:\/\/opensource.microsoft.com\/blog\/2019\/04\/04\/tutorial-identify-eliminate-secrets-sprawl-hashicorp-vault-azure\/#respond"]}]},{"@type":"WebPage","@id":"https:\/\/opensource.microsoft.com\/blog\/2019\/04\/04\/tutorial-identify-eliminate-secrets-sprawl-hashicorp-vault-azure\/","url":"https:\/\/opensource.microsoft.com\/blog\/2019\/04\/04\/tutorial-identify-eliminate-secrets-sprawl-hashicorp-vault-azure\/","name":"How to identify and eliminate secrets sprawl on Azure with HashiCorp Vault | Microsoft Open Source 
Blog","isPartOf":{"@id":"https:\/\/opensource.microsoft.com\/blog\/#website"},"primaryImageOfPage":{"@id":"https:\/\/opensource.microsoft.com\/blog\/2019\/04\/04\/tutorial-identify-eliminate-secrets-sprawl-hashicorp-vault-azure\/#primaryimage"},"image":{"@id":"https:\/\/opensource.microsoft.com\/blog\/2019\/04\/04\/tutorial-identify-eliminate-secrets-sprawl-hashicorp-vault-azure\/#primaryimage"},"thumbnailUrl":"https:\/\/opensource.microsoft.com\/blog\/wp-content\/uploads\/2019\/04\/Vault_PrimaryLogo_FullColor.png","datePublished":"2019-04-04T16:00:17+00:00","dateModified":"2025-06-27T16:27:00+00:00","description":"HashiCorp Vault is a highly scalable, highly available, environment agnostic way to generate, manage, and store secrets. Learn how it manages \"secret sprawl\" in this blog post.","breadcrumb":{"@id":"https:\/\/opensource.microsoft.com\/blog\/2019\/04\/04\/tutorial-identify-eliminate-secrets-sprawl-hashicorp-vault-azure\/#breadcrumb"},"inLanguage":"en-US","potentialAction":[{"@type":"ReadAction","target":["https:\/\/opensource.microsoft.com\/blog\/2019\/04\/04\/tutorial-identify-eliminate-secrets-sprawl-hashicorp-vault-azure\/"]}]},{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/opensource.microsoft.com\/blog\/2019\/04\/04\/tutorial-identify-eliminate-secrets-sprawl-hashicorp-vault-azure\/#primaryimage","url":"https:\/\/opensource.microsoft.com\/blog\/wp-content\/uploads\/2019\/04\/Vault_PrimaryLogo_FullColor.png","contentUrl":"https:\/\/opensource.microsoft.com\/blog\/wp-content\/uploads\/2019\/04\/Vault_PrimaryLogo_FullColor.png","width":899,"height":418,"caption":"a close up of a logo"},{"@type":"BreadcrumbList","@id":"https:\/\/opensource.microsoft.com\/blog\/2019\/04\/04\/tutorial-identify-eliminate-secrets-sprawl-hashicorp-vault-azure\/#breadcrumb","itemListElement":[{"@type":"ListItem","position":1,"name":"Home","item":"https:\/\/opensource.microsoft.com\/blog\/"},{"@type":"ListItem","position":2,"name":"How to identify and eliminate 
secrets sprawl on Azure with HashiCorp Vault"}]},{"@type":"WebSite","@id":"https:\/\/opensource.microsoft.com\/blog\/#website","url":"https:\/\/opensource.microsoft.com\/blog\/","name":"Microsoft Open Source Blog","description":"Open dialogue about openness at Microsoft \u2013 open source, standards, interoperability","publisher":{"@id":"https:\/\/opensource.microsoft.com\/blog\/#organization"},"potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/opensource.microsoft.com\/blog\/?s={search_term_string}"},"query-input":{"@type":"PropertyValueSpecification","valueRequired":true,"valueName":"search_term_string"}}],"inLanguage":"en-US"},{"@type":"Organization","@id":"https:\/\/opensource.microsoft.com\/blog\/#organization","name":"Microsoft Open Source Blog","url":"https:\/\/opensource.microsoft.com\/blog\/","logo":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/opensource.microsoft.com\/blog\/#\/schema\/logo\/image\/","url":"https:\/\/opensource.microsoft.com\/blog\/wp-content\/uploads\/2019\/08\/Microsoft-Logo.png","contentUrl":"https:\/\/opensource.microsoft.com\/blog\/wp-content\/uploads\/2019\/08\/Microsoft-Logo.png","width":259,"height":194,"caption":"Microsoft Open Source Blog"},"image":{"@id":"https:\/\/opensource.microsoft.com\/blog\/#\/schema\/logo\/image\/"},"sameAs":["https:\/\/x.com\/OpenAtMicrosoft"]}]}},"msxcm_display_generated_audio":false,"msxcm_animated_featured_image":null,"distributor_meta":false,"distributor_terms":false,"distributor_media":false,"distributor_original_site_name":"Microsoft Open Source 
Blog","distributor_original_site_url":"https:\/\/opensource.microsoft.com\/blog","push-errors":false,"_links":{"self":[{"href":"https:\/\/opensource.microsoft.com\/blog\/wp-json\/wp\/v2\/posts\/76330","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/opensource.microsoft.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/opensource.microsoft.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/opensource.microsoft.com\/blog\/wp-json\/wp\/v2\/users\/5562"}],"replies":[{"embeddable":true,"href":"https:\/\/opensource.microsoft.com\/blog\/wp-json\/wp\/v2\/comments?post=76330"}],"version-history":[{"count":1,"href":"https:\/\/opensource.microsoft.com\/blog\/wp-json\/wp\/v2\/posts\/76330\/revisions"}],"predecessor-version":[{"id":97782,"href":"https:\/\/opensource.microsoft.com\/blog\/wp-json\/wp\/v2\/posts\/76330\/revisions\/97782"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/opensource.microsoft.com\/blog\/wp-json\/wp\/v2\/media\/76462"}],"wp:attachment":[{"href":"https:\/\/opensource.microsoft.com\/blog\/wp-json\/wp\/v2\/media?parent=76330"}],"wp:term":[{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/opensource.microsoft.com\/blog\/wp-json\/wp\/v2\/post_tag?post=76330"},{"taxonomy":"content-type","embeddable":true,"href":"https:\/\/opensource.microsoft.com\/blog\/wp-json\/wp\/v2\/content-type?post=76330"},{"taxonomy":"topic","embeddable":true,"href":"https:\/\/opensource.microsoft.com\/blog\/wp-json\/wp\/v2\/topic?post=76330"},{"taxonomy":"programming-languages","embeddable":true,"href":"https:\/\/opensource.microsoft.com\/blog\/wp-json\/wp\/v2\/programming-languages?post=76330"},{"taxonomy":"author","embeddable":true,"href":"https:\/\/opensource.microsoft.com\/blog\/wp-json\/wp\/v2\/coauthors?post=76330"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}