Warning to anyone interested in Vault. Vault policies involve a learning curve. Maybe they have improved documentation and examples since I learned Vault management, but I remember how complicated and time-consuming it was.
This was the problem I found with Vault too - I ended up as the only person in the company that knew how to use it and therefore it became a burden very quickly. We switched to EnvKey which basically has zero learning curve.
For a small team I wouldn't go there, except if the product requires a higher level of security and we have no money to spend on the SaaS, or self-hosting is a requirement.
FWIW, if you don't require the single-pane management, some scenarios can be simplified by deploying additional individual clusters/instances with separate access rather than controlling only via policy.
Mentioning since I've def seen people get stuck and forget to consider the obvious.