Every application has secrets β database passwords, API keys, TLS certs, encryption keys, third-party tokens. Where you store them determines whether a compromise is contained or catastrophic. This module covers secrets-management patterns for modern cloud applications.
The problem
Secrets historically lived in: environment variables, config files, source code, shared spreadsheets, Slack messages, CI/CD logs. Each is a leak vector. Secrets exposed in any of these = full compromise of whatever they protect.
Where secrets leak
- Git commits β AWS keys in .env files; ~1 in 500 commits to public GitHub leaks a secret
- Docker image layers β secrets via COPY / ENV persist in history even if later removed
- CI/CD logs β echo statements with credentials
- Error messages + stack traces β credentials in connection strings
- Server logs β requests with API keys in query strings
- Lost/stolen laptops β ~/.aws/credentials, config files
- Insider threats β departing employees with credentials in password managers
Managed secret stores β the solution
| Service | Strengths |
|---|---|
| AWS Secrets Manager | Auto-rotation (RDS, Redshift, etc.), versioning, KMS-encrypted, IAM-controlled |
| AWS SSM Parameter Store | Simpler, cheaper; no auto-rotation; good for config + secrets |
| Azure Key Vault | Secrets + keys + certificates; HSM-backed option |
| GCP Secret Manager | Secrets versioning + IAM |
| HashiCorp Vault | Cross-cloud, dynamic secrets (issue DB creds on-demand), multi-engine, self-hosted |
| Doppler / Infisical | Dev-friendly SaaS alternatives |
Core patterns
1. Runtime fetch
Application starts β authenticates to secret store via workload identity (IAM role / Managed Identity / Service Account) β fetches current secret β uses it. Never a secret on disk or in env.
Continue reading with Basic tier (βΉ499/month)
You've read 38% of this module. Unlock the remaining deep-dive, quiz, and every other Intermediate module.