Secrets Management
Practices and tools for securely storing, distributing, and rotating credentials, API keys, and other sensitive data in applications and pipelines.
What it is
Secrets management is the practice of managing sensitive data (passwords, API keys, certificates, tokens) securely throughout the application lifecycle. The fundamental principle: secrets should never be in code.
Anti-patterns
- Hardcoded secrets in source code
- Secrets in unencrypted environment variables
- Secrets shared via Slack/email
- Single secret shared across all environments
Tools
| Tool | Type |
|---|---|
| AWS Secrets Manager | Managed, automatic rotation |
| AWS SSM Parameter Store | Managed, simpler |
| HashiCorp Vault | Self-hosted, very complete |
| 1Password/Doppler | SaaS, developer-friendly |
| SOPS | File encryption in Git |
Best practices
- Automatic secret rotation
- Principle of least privilege
- Secret access auditing
- Different secrets per environment
- Secret detection in code (GitLeaks, TruffleHog)
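An added example, not code from this page or from either tool, of the kind of check GitLeaks and TruffleHog perform on a repository: regex rules for well-known key formats plus an entropy filter for generic `password = "..."` assignments, run over a constructed sample file. The rule names, regexes, threshold and sample values are this example's own assumptions.

```python
import math
import re

# Rules modelled on GitLeaks/TruffleHog-style checks; names, regexes and threshold are assumptions.
PATTERNS = {
    "aws-access-key-id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "generic-credential-assignment": re.compile(
        r"(?i)(?:password|passwd|secret|api[_-]?key|token)\w*\s*[:=]\s*['\"]([^'\"]{8,})['\"]"
    ),
}

def shannon_entropy(s: str) -> float:
    """Bits per character; random keys score high, dictionary words score low."""
    if not s:
        return 0.0
    return -sum(s.count(c) / len(s) * math.log2(s.count(c) / len(s)) for c in set(s))

def mask(value: str) -> str:
    return value[:4] + "*" * (len(value) - 4)  # never echo a found secret in full

def scan_line(line: str, lineno: int, entropy_threshold: float = 3.5) -> list:
    findings = []
    for rule, pattern in PATTERNS.items():
        m = pattern.search(line)
        if not m:
            continue
        matched = m.group(0)
        if rule == "generic-credential-assignment":
            value = m.group(1)
            # Skip references to a secrets store ("${VAR}") and low-entropy
            # placeholders such as "changeme", which would otherwise be noise.
            if value.startswith("${") or shannon_entropy(value) < entropy_threshold:
                continue
            matched = value
        findings.append({"rule": rule, "line": lineno, "match": mask(matched)})
    return findings

def scan_source(text: str) -> list:
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        findings.extend(scan_line(line, lineno))
    return findings

# Constructed sample file. The AKIA value is a made-up placeholder, not a real key.
SAMPLE = """\
AWS_ACCESS_KEY_ID = "AKIAEXAMPLEEXAMPLE01"
db_password = "${DB_PASSWORD}"
password = "changeme"
api_key = "q7Zr2pLm9xVb4Kt1Wn8Y"
"""
```

Running `scan_source(SAMPLE)` reports lines 1 and 4 only; the `${DB_PASSWORD}` reference and the low-entropy placeholder are filtered out, which is the trade-off every scanner makes between coverage and false positives.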
Why it matters
Hardcoded secrets in code or environment variables are one of the most common causes of security breaches. A centralized secrets management system — with automatic rotation, auditing, and role-based access — is basic security infrastructure.
References
- AWS Secrets Manager — Official documentation.
- HashiCorp Vault — HashiCorp, 2024. Leading secrets management solution.
- Secrets Manager Best Practices — AWS, 2024. Official best practices.