
5 tips for credential management across multi-cloud

A platform engineer from InfoCert shares his best practices for secure authorization and secret management, and shows how the right tools can implement them.

Your development teams are shipping features faster than ever. Your infrastructure spans multiple clouds. Your security posture looks solid on paper. But lurking beneath this success is a growing operational tax that's silently draining your team's velocity: secret sprawl.

Lino Telera, a platform engineer at Tinexta InfoCert and HashiCorp Ambassador, recently shared his recommendations for transforming secrets management at scale at HashiDays London. Drawing from his experience in highly regulated environments where "security is in our DNA," Telera outlined five critical lessons for technical leaders wrestling with the growing complexity of credential management across multi-cloud deployments.

»1. Replace static API keys with dynamic secrets to reduce blast radius

Most organizations start simple, using client IDs and secrets to authenticate with cloud providers. This works fine initially, but as deployments expand into multi-account and multi-cloud environments, the number of keys explodes. Each new environment, each integration tool, each automation pipeline demands its own set of credentials. Teams find themselves managing an unwieldy sprawl of API keys across different systems, with no clear ownership or rotation strategy.

Telera recommends managing secrets in a platform that does more than store them: every secret should carry an automated rotation schedule or a time-to-live. With HCP Terraform, you can automate this in an ephemeral, secure way with dynamic provider credentials, which authenticate a single provisioning run using federation between HashiCorp Cloud Platform and cloud providers such as AWS. The resulting key exists only for a few minutes unless you configure otherwise, and the next triggered run simply obtains a fresh one from the same automated setup.

This eliminates the need to store and rotate static credentials while solving both authentication and authorization in a single step. Teams can deploy across multiple environments without credential management becoming a bottleneck.

»2. Automate runtime secret management to remove manual error

Beyond static API keys lies an even trickier problem: secrets generated during infrastructure deployment. Database passwords, Kubernetes cluster credentials, and EC2 SSH keys are all created dynamically during infrastructure provisioning. These runtime secrets need to be created and injected into applications at run time, but traditional approaches often leave them scattered or manually managed. This creates a chicken-and-egg problem: applications need these secrets to function, but the secrets don't exist until after infrastructure is deployed.

Telera's recommended approach integrates HashiCorp Vault with HCP Terraform, using Vault-backed dynamic credentials to automatically capture and distribute runtime secrets. When infrastructure creates new credentials, they are immediately stored in Vault and synchronized with HCP Terraform. This makes runtime secret management fully automated, allowing teams to provision infrastructure and applications in sequence without manual secret handling, which reduces deployment time and eliminates a major source of human error.

»3. Implement workspace sandboxing for zero trust boundaries

Implementing zero trust principles sounds straightforward until you're dealing with multiple teams, environments, and cloud accounts. How do you ensure that each team has exactly the permissions they need — nothing more, nothing less, and only in the timeframe they need it — while maintaining operational efficiency? Traditional approaches often default to either overly broad permissions (risky) or overly restrictive access (slow).

Telera advocates for what he calls "sandboxing": binding each Terraform workspace to specific IAM roles with clearly defined boundaries. This creates a controlled environment where teams can operate autonomously within their designated scope. "You can bind a workspace with a particular role and find the boundaries where a particular team can deliver infrastructure," he explains. Teams get the autonomy to deploy infrastructure within their defined boundaries without requiring manual approvals for every change. Security improves through a reduced blast radius, while operational velocity increases through clear, automated guardrails.
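The AWS side of tips 1 and 3 together, as an added example that is not from Telera's repository: an IAM OIDC provider for HCP Terraform, and a role whose trust policy accepts only the identity token of one workspace, so the short-lived credentials issued for a run cannot be obtained by any other workspace. ORG_NAME, PROJECT_NAME and WORKSPACE_NAME are placeholders for your own values.

```hcl
# Added example (not Telera's code). Placeholders: ORG_NAME, PROJECT_NAME, WORKSPACE_NAME.
data "tls_certificate" "tfc" {
  url = "https://app.terraform.io"
}

# Registers HCP Terraform as a federated identity provider in the AWS account.
resource "aws_iam_openid_connect_provider" "tfc" {
  url             = "https://app.terraform.io"
  client_id_list  = ["aws.workload.identity"]
  thumbprint_list = [data.tls_certificate.tfc.certificates[0].sha1_fingerprint]
}

# Trust policy: only runs of one specific workspace may assume the role.
# Widening the sub pattern to "workspace:*" would let every workspace in the
# project assume it, which is exactly the blast radius sandboxing avoids.
data "aws_iam_policy_document" "tfc_trust" {
  statement {
    effect  = "Allow"
    actions = ["sts:AssumeRoleWithWebIdentity"]
    principals {
      type        = "Federated"
      identifiers = [aws_iam_openid_connect_provider.tfc.arn]
    }
    condition {
      test     = "StringEquals"
      variable = "app.terraform.io:aud"
      values   = ["aws.workload.identity"]
    }
    condition {
      test     = "StringLike"
      variable = "app.terraform.io:sub"
      values   = ["organization:ORG_NAME:project:PROJECT_NAME:workspace:WORKSPACE_NAME:run_phase:*"]
    }
  }
}

# One role per workspace; attach only the permissions that team's
# infrastructure actually needs. No static access key is ever created.
resource "aws_iam_role" "tfc_workspace" {
  name                 = "tfc-WORKSPACE_NAME"
  assume_role_policy   = data.aws_iam_policy_document.tfc_trust.json
  max_session_duration = 3600 # upper bound on how long a run's credentials can live
}
```

The workspace then needs the environment variables TFC_AWS_PROVIDER_AUTH=true and TFC_AWS_RUN_ROLE_ARN set to the role's ARN; a failed AssumeRoleWithWebIdentity in CloudTrail with an unexpected sub is the signal that a workspace outside its sandbox tried to use the role.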

»4. Centralize infrastructure templates for consistent security

As engineering teams grow, maintaining consistency across infrastructure deployments becomes increasingly difficult. Different teams often develop their own approaches, leading to configuration drift, security gaps, and knowledge silos. Without standardized patterns, each new team essentially reinvents the wheel, building their own authentication flows and secret management approaches with varying levels of security sophistication.

Telera recommends centralizing infrastructure templates and authentication methodologies through HashiCorp Cloud Platform. Creating reusable modules that encapsulate security best practices makes it easy for teams to deploy infrastructure correctly by default. This approach enables new teams to onboard faster using proven patterns, while security and compliance become embedded in the development workflow rather than bolted on afterward. The result reduces the platform team's support burden while improving consistency across environments.

»5. Use bootstrap templates for rapid secure deployment

Getting started with secure infrastructure often requires significant upfront investment in tooling and processes. Teams face a choice between moving fast with poor security practices or moving slowly with proper controls. This creates a false dichotomy that forces organizations to trade velocity for security—a trade-off that becomes increasingly unsustainable as both speed and security requirements intensify.

Telera advocates for an approach that sets up secure workspaces with a single deployment, which he calls the bootstrap deployment, i.e. the first deployment. He has shared open source templates on GitHub that let teams clone the repository, configure variables, and run terraform apply to create fully configured workspaces with proper authentication and authorization. New projects can therefore start with enterprise-grade security patterns from day one, and the barrier to implementing proper secrets management drops from weeks of setup to minutes of configuration.
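What such a bootstrap looks like on the HCP Terraform side, as an added example rather than Telera's published template: a module that creates a workspace with dynamic AWS credentials already switched on, so nobody ever pastes an access key into it. ORG_NAME and PROJECT_ID are placeholders; the role ARN is assumed to point at a role whose trust policy is pinned to this workspace.

```hcl
# Added example (not Telera's template). Placeholders: ORG_NAME, PROJECT_ID.
terraform {
  required_providers {
    tfe = { source = "hashicorp/tfe" }
  }
}

variable "workspace_name" { type = string }
# ARN of an IAM role whose trust policy accepts this workspace's OIDC subject.
variable "run_role_arn" { type = string }

resource "tfe_workspace" "sandbox" {
  name         = var.workspace_name
  organization = "ORG_NAME"
  project_id   = "PROJECT_ID"
}

# Turning on dynamic provider credentials: HCP Terraform exchanges its run
# identity token for temporary AWS credentials on every run.
resource "tfe_variable" "aws_auth" {
  workspace_id = tfe_workspace.sandbox.id
  key          = "TFC_AWS_PROVIDER_AUTH"
  value        = "true"
  category     = "env"
  description  = "Use OIDC federation instead of static AWS keys"
}

# The only AWS-related value stored in the workspace is a role ARN, which is
# not a secret: it grants nothing without a valid token for this workspace.
resource "tfe_variable" "aws_role" {
  workspace_id = tfe_workspace.sandbox.id
  key          = "TFC_AWS_RUN_ROLE_ARN"
  value        = var.run_role_arn
  category     = "env"
  description  = "Role assumed by runs of this workspace"
}

output "workspace_id" {
  value = tfe_workspace.sandbox.id
}
```

A useful review check on any workspace created this way is that no variable named AWS_ACCESS_KEY_ID or AWS_SECRET_ACCESS_KEY exists alongside these two; if one does, the static path is still live and the rotation problem has not actually gone away.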

»Key takeaways for technical leaders

Telera's recommendations demonstrate that secrets management is not only a critical security risk-reduction capability but also a productivity multiplier. An organization's goal should be to make secrets management part of a larger, unified infrastructure platform that enables rather than constrains development velocity.

Strategic benefits of systematic secrets management:

  • Reduced operational overhead: Dynamic authentication eliminates the ongoing burden of key rotation, storage, and distribution across multiple environments
  • Faster team onboarding: Bootstrap templates and centralized patterns enable new teams to start with security best practices instead of building from scratch
  • Improved developer autonomy: Sandbox boundaries give teams clear permissions to operate independently while maintaining security guardrails
  • Scalable culture: Standardized templates and self-service capabilities reduce platform team bottlenecks while ensuring consistency

The lesson for technical leaders is clear: the operational tax of secret sprawl compounds over time. Addressing sprawl with a secrets automation platform doesn't just improve security, it unlocks engineering productivity at scale.

HashiCorp products are built to work together to provide a larger transformational strategy for enterprises. If your organization is interested in a more modern, holistic approach to security, governance, and compliance, share our solution brief with your colleagues: Securing and governing hybrid and multi-cloud at scale.

Watch Telera's full demo (and follow along in his GitHub repo) here:
