Secrets Management
Practices and tools for securely storing, distributing, and rotating credentials, API keys, and other sensitive data in applications and pipelines.
Tags: seed, secrets, security, vault, ssm, credentials, encryption
What it is
Secrets management is the practice of managing sensitive data (passwords, API keys, certificates, tokens) securely throughout the application lifecycle. The fundamental principle: secrets should never be in code.
Anti-patterns
- Hardcoded secrets in source code
- Secrets in unencrypted environment variables
- Secrets shared via Slack/email
- Single secret shared across all environments
Tools
| Tool | Type |
|---|---|
| AWS Secrets Manager | Managed, automatic rotation |
| AWS SSM Parameter Store | Managed, simpler |
| HashiCorp Vault | Self-hosted, very complete |
| 1Password/Doppler | SaaS, developer-friendly |
| SOPS | File encryption in Git |
Best practices
- Automatic secret rotation
- Principle of least privilege
- Secret access auditing
- Different secrets per environment
- Secret detection in code (GitLeaks, TruffleHog)
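As an added illustration of the last practice (example code written for this note, not taken from GitLeaks or TruffleHog), a minimal secret scanner in their style: a few pattern rules plus a Shannon-entropy filter to suppress placeholders, run over a constructed sample file. The AWS values in the sample are the documented placeholder keys from AWS's own docs, not live credentials.

```python
import math
import re
from dataclasses import dataclass

# Rules: documented credential formats plus a generic "name = 'value'" rule.
PATTERNS = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "private_key_block": re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----"),
    "generic_assignment": re.compile(
        r"(?i)(?:api[_-]?key|secret|token|password)\w*\s*[:=]\s*['\"]([^'\"]{12,})['\"]"
    ),
}

def shannon_entropy(s: str) -> float:
    """Bits per character: random keys score high, words and placeholders low."""
    if not s:
        return 0.0
    counts = {c: s.count(c) for c in set(s)}
    return -sum(n / len(s) * math.log2(n / len(s)) for n in counts.values())

@dataclass
class Finding:
    line_no: int
    rule: str
    redacted: str  # first four characters only, so a report can be shared safely

def scan_text(text: str, entropy_threshold: float = 4.0) -> list[Finding]:
    """Scan source text line by line and report likely hardcoded secrets."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for rule, pattern in PATTERNS.items():
            m = pattern.search(line)
            if not m:
                continue
            value = m.group(1) if m.lastindex else m.group(0)
            # The generic rule is noisy: drop low-entropy values such as "${DB_PASSWORD}".
            if rule == "generic_assignment" and shannon_entropy(value) < entropy_threshold:
                continue
            findings.append(Finding(line_no, rule, value[:4] + "****"))
    return findings

# Constructed sample file; lines 2 and 3 are the anti-pattern, lines 4 and 5 are not.
SAMPLE_SOURCE = """\
import os
AWS_ACCESS_KEY_ID = "AKIAIOSFODNN7EXAMPLE"
aws_secret_access_key = "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"
db_password = "${DB_PASSWORD}"
api_key = os.environ["API_KEY"]
"""

if __name__ == "__main__":
    for f in scan_text(SAMPLE_SOURCE):
        print(f"line {f.line_no}: {f.rule} ({f.redacted})")
```

The entropy threshold is a tuning knob: lowering it catches shorter human-chosen passwords at the cost of more false positives on placeholders and config templates.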
Why it matters
Hardcoded secrets in code or environment variables are one of the most common causes of security breaches. A centralized secrets management system — with automatic rotation, auditing, and role-based access — is basic security infrastructure.
References
- AWS Secrets Manager — AWS. Official documentation.
- HashiCorp Vault — HashiCorp, 2024. Leading secrets management solution.
- Secrets Manager Best Practices — AWS, 2024. Official best practices.