Case Study: Bench Accounting achieves ephemeral database credential security with HashiCorp Vault and Terraform

Bench Accounting Uses Hashicorp Vault's Dynamic Credential Rotation Capabilities To Drastically Mitigate The Potential Damage Of A Data Breach

Bench Accounting, a Vancouver-based SaaS startup, needed a better way to manage database credentials than sharing long-lived passwords across apps, scripts, and teams. Using HashiCorp Vault, along with Terraform, they moved away from static secrets and toward a more secure, role-based approach for storing, reading, and authenticating secrets across AWS, Kubernetes, and SSO workflows.

HashiCorp helped Bench Accounting implement ephemeral database credentials with Vault’s dynamic secrets engine, provisioning temporary access for Postgres and MySQL with SQL grants and TTL-based revocation. The result was a major reduction in credential sprawl and breach risk, improved auditability through Vault logs, and a more controlled access model for engineers and applications, while managing the setup at scale through Terraform.

Bench Accounting

Phil Whelan

Principal Engineer