“We built an AWS Lambda whose sole job is to manage these AppRoles in Vault when a resource is created, updated, or deleted with CloudFormation. Once a Docker container starts up, we set up an ENTRYPOINT script that uses the credentials set by the Lambda function to retrieve a Vault token and access all the app-specific secrets in Vault.”
About This Quote
Really interested in checking out Vault for managing secrets
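
The startup flow the quote describes, sketched as an added example (not the quoted team's code): an ENTRYPOINT program logs in to Vault with AppRole credentials, reads the app's secrets, and starts the app without passing the bootstrap credentials on. The environment variable names `VAULT_ROLE_ID`, `VAULT_SECRET_ID` and `APP_SECRET_PATH`, and a KV v2 engine mounted at `secret/`, are assumptions; the quote does not say how the Lambda delivers the credentials.

```python
#!/usr/bin/env python3
"""Container ENTRYPOINT sketch: AppRole login, load secrets, exec the app."""
# Assumed (not from the quote): env var names, KV v2 mounted at secret/.
import json
import os
import sys
import urllib.request


def _call(url, body=None, token=None, urlopen=urllib.request.urlopen):
    # POST when a JSON body is given, GET otherwise; Vault replies with JSON.
    data = json.dumps(body).encode() if body is not None else None
    req = urllib.request.Request(
        url, data=data, headers={"Content-Type": "application/json"})
    if token:
        req.add_header("X-Vault-Token", token)
    with urlopen(req, timeout=10) as resp:
        return json.load(resp)


def approle_login(addr, role_id, secret_id, urlopen=urllib.request.urlopen):
    # auth/approle/login exchanges RoleID + SecretID for a Vault token.
    out = _call(f"{addr}/v1/auth/approle/login",
                {"role_id": role_id, "secret_id": secret_id}, urlopen=urlopen)
    return out["auth"]["client_token"]


def read_kv2(addr, token, path, urlopen=urllib.request.urlopen):
    # KV v2 nests the key/value pairs under data.data.
    out = _call(f"{addr}/v1/secret/data/{path}", token=token, urlopen=urlopen)
    return out["data"]["data"]


def build_app_env(env, secrets):
    # Hand the app its secrets but not the bootstrap credentials.
    clean = {k: v for k, v in env.items()
             if k not in ("VAULT_ROLE_ID", "VAULT_SECRET_ID")}
    clean.update({k: str(v) for k, v in secrets.items()})
    return clean


if __name__ == "__main__":
    env = dict(os.environ)
    addr = env["VAULT_ADDR"]
    token = approle_login(addr, env["VAULT_ROLE_ID"], env["VAULT_SECRET_ID"])
    secrets = read_kv2(addr, token, env["APP_SECRET_PATH"])
    # Replace this process with the real command (the image's CMD arguments).
    os.execvpe(sys.argv[1], sys.argv[1:], build_app_env(env, secrets))
```

The Vault token stays inside the entrypoint process and is never written to the app's environment or to logs.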