Concept · Observability & Security

Secret Management

01

Why this matters

Your app needs a Postgres password, an AWS access key, a Stripe API key, a Twilio token, an OAuth client secret. Where do they live?

  • In code? Ends up in git history. Public repos leak credentials by the thousands every week.
  • In env vars? Better, but environment files are often committed accidentally, process listings (ps) can expose the environment on Linux, and container logs can leak it.
  • In a config file? Pasted around in Slack, copied to laptops, hard to rotate.

Secret management is the discipline of storing, distributing, and rotating credentials so that none of those bad outcomes happen, plus the machinery around it: dynamic secrets, audit logs, and short-lived tokens. Vault, AWS KMS+Secrets Manager, Doppler — the modern table stakes.

02

What a secret manager actually does

  • Encrypted-at-rest storage. Secrets stored encrypted using a master key (rooted in HSM or cloud KMS).
  • Authenticated retrieval. Apps fetch via API; access policies enforce who/what can read which secret.
  • Audit log. Every read is logged. Compliance + incident response.
  • Rotation. Programmatic password change — generate new secret, update database, distribute to apps. Rotate every 30-90 days routinely; immediately on suspected compromise.
  • Dynamic secrets. Generate per-request short-lived credentials (5-minute DB password). If leaked, they expire quickly. Vault's killer feature.
  • Workload identity. Apps prove who they are via cloud identity (IAM role, K8s ServiceAccount) — no chicken-and-egg problem of "what credential gets you the credential?"

03

The static-vs-dynamic axis

Static secrets

Stored, fetched, rotated periodically

Long-lived password / token. Stored in vault; fetched on app start. Rotated every 30-90 days. Most teams operate at this level. Stripe API keys, third-party API tokens, OAuth client secrets.

Dynamic secrets

Generated per-app per-request, short TTL

App asks vault for a DB password; vault creates one in Postgres with 5-min TTL; app uses it; vault auto-revokes on TTL. Compromise window is minutes, not months. Best practice when supported.

04

Deep dive — workload identity and the chicken-and-egg fix

"How does my app prove to Vault who it is?" Naive: give the app a Vault token in an env var. But that token is itself a secret, so you are back at the problem you started with.

Modern answer: workload identity. The infrastructure already knows who the app is:

  • EC2 / ECS / Lambda — IAM role attached to the compute resource. Apps call AWS metadata service to get a temporary token, signed by AWS, proving "I am role X."
  • Kubernetes — each pod has a ServiceAccount. Token mounted into pod filesystem, refreshed automatically. Vault validates the token with K8s API, then issues secrets.
  • SPIFFE / SPIRE — cross-platform standard. Each workload gets an X.509 cert tied to its identity; vault accepts the cert as auth.

Result: no app stores any long-lived credential. App identity flows from the platform → vault → DB credentials → DB. Rotation is automatic. Compromise of one app does not give the attacker any other app's secrets.

Interview answer

"Secrets live in HashiCorp Vault. Apps authenticate via Kubernetes ServiceAccount tokens (workload identity — no bootstrap secret). DB credentials are dynamic — Vault generates a short-lived Postgres user per request. Rotation is automatic and audited."

05

What goes wrong

  • Logging secrets. Apps log full request bodies; tokens end up in log aggregator. Strip credentials at log emission, not later.
  • Stack traces. Exceptions sometimes include connection strings. Sanitize.
  • Error messages. "Invalid auth: token=abc123..." in API responses. Never echo the token back.
  • Secrets in URLs. Tokens in query strings appear in browser history, server access logs, referer headers. Always use Authorization headers.
  • Forgotten rotation. Manual rotation never happens. Automate via vault rotation hooks; alert if any secret is older than policy.
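
A redaction step at log emission, of the kind the first three bullets call for, written here as an added Python example (not code from any tool this page mentions). The credential shapes it matches (auth headers, passwords inside connection-string URLs, key=value tokens in query strings or error text) and the [REDACTED] marker are assumptions chosen for the demo:

```python
import logging
import re

# Credential shapes this page warns about: auth headers, passwords embedded in
# connection-string URLs, and tokens passed as key=value (query strings, error
# text, kv logs). The key names and the marker are assumptions for this demo.
_PATTERNS = [
    # "Authorization: Bearer <token>" / "Authorization: Basic <b64>"
    (re.compile(r"(?i)(authorization:\s*(?:bearer|basic)\s+)[^\s,;\"']+"),
     r"\1[REDACTED]"),
    # scheme://user:password@host -> keep the user, hide the password
    (re.compile(r"(\w+://[^:/\s]+:)[^@\s]+(@)"), r"\1[REDACTED]\2"),
    # api_key=..., access_token=..., client_secret=..., password=... and the like
    (re.compile(r"(?i)(\b[\w-]*(?:api[_-]?key|token|secret|password|passwd|pwd)=)"
                r"[^&\s\"']+"),
     r"\1[REDACTED]"),
]


def redact(text: str) -> str:
    """Replace credential-shaped substrings with [REDACTED]; other text is untouched."""
    for pattern, replacement in _PATTERNS:
        text = pattern.sub(replacement, text)
    return text


class RedactingFormatter(logging.Formatter):
    """Redacts after interpolation and traceback rendering, so connection strings
    inside stack traces are covered too. Attach it to every handler: redaction
    that only happens later, in the log aggregator, is too late."""

    def format(self, record: logging.LogRecord) -> str:
        return redact(super().format(record))


def render(message: str, exc=None) -> str:
    """Format one record as a handler would; lets the redaction be checked offline."""
    exc_info = (type(exc), exc, exc.__traceback__) if exc else None
    record = logging.LogRecord("app", logging.ERROR, __file__, 0, message, (), exc_info)
    return RedactingFormatter("%(levelname)s %(message)s").format(record)


if __name__ == "__main__":
    handler = logging.StreamHandler()
    handler.setFormatter(RedactingFormatter("%(levelname)s %(message)s"))
    logging.basicConfig(level=logging.INFO, handlers=[handler])
    # Constructed sample line: a request log carrying a query-string key and an auth header.
    logging.getLogger("app").info(
        "GET /v1/charge?api_key=sk_live_123&amount=5 Authorization: Bearer eyJhbGci.x.y")
```

Pattern-based redaction catches known shapes only; the durable fix is still to never put the credential in the message, the URL or the exception in the first place.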

06

Real-world

HashiCorp Vault

The reference

Self-hosted or HCP Cloud. Dynamic secrets, transit encryption, PKI, identity broker. Industry default for serious shops.

AWS Secrets Manager + KMS

AWS-native

Managed; integrated with IAM. Auto-rotates RDS / DocumentDB credentials natively. Simpler than Vault if you're all-AWS.

Doppler / 1Password Secrets

SaaS for app credentials

Polished UX for managing per-environment static secrets. Popular for smaller teams.

Sealed Secrets / SOPS

GitOps-friendly

Encrypt secrets, commit to git, decrypt at deploy time. Lower ops burden; less feature-rich than Vault.

07

Used in problems

Payment gateway uses Vault for all PSP credentials with mandatory rotation. E-commerce manages OAuth secrets per merchant integration. WhatsApp's media servers fetch encryption keys per request from a secret service.
