Secrets Management in 2025: Vault, AWS Secrets Manager, and Beyond

Oct 26, 2025
Tags: secrets, vault, aws, kms

Secrets must be short‑lived, discoverable, and well‑governed. This guide shows reference patterns and guardrails.

Core patterns

  • Central store (Vault or AWS Secrets Manager) with KMS envelope encryption
  • Dynamic creds (DB, cloud) with TTL; auto-rotation
  • App auth via OIDC/JWT; no static tokens in code

Developer workflows

  • Local dev: ephemeral secrets via CLI login; env injection at runtime
  • CI: OIDC to cloud; fetch time‑bound creds; no stored secrets

Detection

  • Pre‑commit and repo scanners; revoke on detection; honeytokens

Example (Vault JWT auth)

vault write auth/jwt/config jwks_url=https://... bound_issuer=https://...
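
The config line above pins the JWKS source and issuer; a role then binds audiences, extra claims and a TTL. As an added illustration (not code from the original post), the following Python applies those role bindings to a token a CI job would present. The issuer, audience, repo claim and key are constructed values, and HS256 with a shared key stands in for the RS256/JWKS verification Vault actually performs against jwks_url.

```python
import base64, hashlib, hmac, json, time

# Constructed role mirroring a Vault JWT role's bound_issuer, bound_audiences,
# bound_claims, user_claim and token ttl (hypothetical values, not a real IdP).
ROLE = {
    "bound_issuer": "https://issuer.example/ci",
    "bound_audiences": {"vault"},
    "bound_claims": {"repo": "org/app"},   # scope the role to one CI pipeline
    "user_claim": "sub",
    "max_ttl": 900,                         # seconds the issued Vault token may live
}

def _b64url(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).decode().rstrip("=")

def _unb64url(part: str) -> bytes:
    return base64.urlsafe_b64decode(part + "=" * (-len(part) % 4))

def make_token(claims: dict, key: bytes) -> str:
    """Mint an HS256 JWT, standing in for the identity provider the CI job talks to."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = _b64url(json.dumps(claims).encode())
    sig = hmac.new(key, f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{_b64url(sig)}"

def authenticate(token: str, key: bytes, role: dict = ROLE, now=None):
    """Apply the role's bindings to a presented JWT; return (entity, ttl) or raise."""
    now = time.time() if now is None else now
    header_b64, body_b64, sig_b64 = token.split(".")   # ValueError if not 3 parts
    # 1. Verify the signature before trusting any claim. Vault checks RS256 against the
    #    keys at jwks_url; a shared HS256 key keeps this example runnable offline.
    expected = hmac.new(key, f"{header_b64}.{body_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _unb64url(sig_b64)):
        raise ValueError("bad signature")
    claims = json.loads(_unb64url(body_b64))
    # 2. Issuer and audience pin the token to the expected IdP and to this Vault.
    if claims.get("iss") != role["bound_issuer"]:
        raise ValueError("issuer not bound")
    aud = claims.get("aud", [])
    if not ({aud} if isinstance(aud, str) else set(aud)) & role["bound_audiences"]:
        raise ValueError("audience not bound")
    # 3. Expiry makes the credential short-lived; a leaked token dies on its own.
    if now >= claims.get("exp", 0):
        raise ValueError("token expired")
    # 4. Extra bound claims restrict the role to one workload (here, one repo).
    for k, v in role["bound_claims"].items():
        if claims.get(k) != v:
            raise ValueError(f"claim {k} not bound")
    # 5. The Vault token TTL never outlives the JWT or the role's max_ttl.
    return claims[role["user_claim"]], min(role["max_ttl"], int(claims["exp"] - now))
```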

FAQ

Q: Are environment variables safe?
A: Acceptable for short‑lived runtime injection; avoid storing long‑term secrets in env or files.
