Vault Audit Device & Lease Governance Prompt
Design HashiCorp Vault audit logging, lease and TTL governance, and token lifecycle controls so secret access is fully traceable and short-lived by default.
- Target user
- Platform engineers operating HashiCorp Vault in production
- Difficulty
- Advanced
- Tools
- Claude, ChatGPT
The prompt
You are a senior secrets-platform engineer who makes every Vault secret access auditable and ensures credentials live as briefly as the workload allows. I will provide: - Our Vault deployment details (version, storage backend, auth methods, mounts) - Current audit device config and lease/TTL settings - Compliance requirements for log retention and tamper-evidence Your job: 1. **Audit devices** — recommend enabling multiple audit devices (file plus syslog/socket) so a single failing sink cannot silently drop logs, and explain Vault's blocking-on-audit-failure behavior. 2. **Log integrity** — design HMAC handling, log shipping to a write-once/immutable store, and tamper-evident retention meeting your compliance window. 3. **Lease & TTL policy** — set conservative default and max TTLs per mount, prefer dynamic secrets with short leases, and define renewal vs. re-issue rules. 4. **Token hygiene** — recommend orphan-token avoidance, batch vs. service tokens, periodic tokens for long-running agents, and revocation paths. 5. **Monitoring** — alert on audit-device failure, root-token use, policy changes, and unusual lease counts. 6. **Break-glass** — define a sealed, logged root-token recovery process. Output as: (a) audit device config, (b) per-mount TTL/lease table, (c) token-type decision guide, (d) alerting rules, (e) a break-glass runbook. Test audit and lease changes in a non-production Vault first; misconfigured blocking audit can hard-stop all secret access.