Implementing Secrets Management Safely in CI/CD using HashiCorp Vault
Designed for DevOps engineers and security-focused software developers responsible for designing, maintaining, and scaling CI/CD pipelines in regulated industries (e.g., fintech, healthcare, enterprise SaaS), to spark real collaboration and high-energy learning.
A 90-minute hybrid workshop session for participants who actively deploy software and manage infrastructure in cloud and on-prem environments. Pain points include: persistent leakage of credentials in logs and source code, confusion over Vault policy granularity, and unclear handoff between DevOps and security teams. The session combines interactive demos, peer discussion, and live scenario solving.
Vault Access Mystery Box
Kick things off by showing a screenshot of a typical CI/CD pipeline—one step is labeled 'Secrets Injection.' Ask: 'What do you think is happening here under the hood? Why might HashiCorp Vault be involved?' Participants jot down quick guesses and share out. Facilitator reveals the surprising mechanics of ephemeral tokens and dynamic secrets, sparking curiosity about how Vault works in practice.
Why this works
Curiosity primes learning by inviting participants to speculate, then fills gaps with new insights—especially effective for technical topics where invisible systems matter.
Secrets Leakage Mythbusters
Present three statements about secrets management in CI/CD, mixing two common misconceptions and one correct fact (e.g., 'Vault can prevent all credential leaks in logs', 'Static secrets are safer than dynamic ones', 'Vault policies must be granular'). Have the group vote on which is true using colored cards or online polls, then reveal and explain the answers, correcting misunderstandings.
Why this works
Revealing misconceptions is proven to reset prior knowledge and create space for new, accurate understanding.
Safe Secret Pairs Jamboard
On a shared Jamboard or whiteboard, post icons for different pipeline steps (build, test, deploy, rollback). Ask participants: ‘Where should secrets be injected?’ Drag icons to create pairs between steps and secrets. Low pressure—participants can use emojis, lines, or quick notes. Facilitator then shows optimal pairings, highlighting least risky injection points.
Why this works
Low-stakes, visual participation lowers anxiety and boosts engagement—especially for complex workflows.
Token Timeout Race
Break the room into teams and give each a quick scenario: ‘Your build just completed. How long should your Vault token live?’ Teams brainstorm and shout out their answers in a timed 90-second countdown, aiming for the lowest secure token lifetime. Facilitator then reveals industry best practice—comparing answers—and explains why short-lived tokens are key.
Why this works
Fast-paced group competition energizes the room, encourages bold thinking, and brings abstract security concepts into real decisions.
Breach Dilemma: Who Gets In?
Facilitator presents a real-world dilemma: ‘A junior developer accidentally pushes a CI job config to GitHub with a Vault token inside. What happens next?’ Invite small groups to discuss consequences and propose both technical and procedural fixes. After 3 minutes, share out, comparing strategies and highlighting how Vault’s policy and audit features respond in such incidents.
Why this works
Anchoring theory in real dilemmas hooks attention and triggers deeper learning through urgent, practical context.
My Vault Policy Story
Ask participants to reflect: ‘What’s one thing you’d change about your team’s current secrets handling, if you could use Vault tomorrow?’ Invite volunteers to share stories, then guide them to draft a simple Vault policy statement for their scenario—writing it in Slack, sticky notes, or worksheet. Facilitator celebrates each personal connection, reinforcing ownership.
Why this works
Personal reflection and storytelling foster deeper learning and transfer, making abstract policy concepts tangible and motivating.