feat(kb): introduce secrets management

Michele Cereda
2025-08-02 22:47:51 +02:00
parent 5a30a80597
commit 1f2259ad91
10 changed files with 340 additions and 63 deletions

View File

@@ -227,6 +227,7 @@ One can can rapidly remapping addresses to other instances in one's account and
| [Route53] | DNS | | [Route53] | DNS |
| [S3] | Storage | | [S3] | Storage |
| [Sagemaker] | Machine learning | | [Sagemaker] | Machine learning |
| [Secrets Manager] | Secrets management |
| [Security Hub] | Aggregator for security findings | | [Security Hub] | Aggregator for security findings |
| [SNS] | Pub/sub message delivery | | [SNS] | Pub/sub message delivery |
| [SQS] | Queues | | [SQS] | Queues |
@@ -895,6 +896,7 @@ machine if not.
[route53]: route53.md [route53]: route53.md
[s3]: s3.md [s3]: s3.md
[sagemaker]: sagemaker.md [sagemaker]: sagemaker.md
[secrets manager]: secrets%20manager.md
[sns]: sns.md [sns]: sns.md
[sqs]: sqs.md [sqs]: sqs.md

View File

@@ -0,0 +1,74 @@
# AWS Secrets Manager
AWS' native secrets management service.
1. [TL;DR](#tldr)
1. [Further readings](#further-readings)
1. [Sources](#sources)
## TL;DR
Provides integration with the AWS ecosystem and has automatic rotation capabilities specifically designed for AWS
services.
Offers precise access control to each secret via fine-grained IAM permissions with resource-based policies.<br/>
Supports VPC endpoints to enables private network access without the need for Internet routing. Optimal for air-gapped
or highly secure environments.<br/>
Critical secrets can be replicated cross-region.
Costs $0.40 per secret per month, plus $0.05 per 10,000 API calls.<br/>
Secrets that are marked for deletion are not paid for.
Secrets Manager uses keys from KMS to encrypt the secrets it manages.<br/>
On first use, Secrets Manager creates the AWS-managed key `aws/secretsmanager` to encrypt the secrets given to it. There
is **no** cost for using this key.<br/>
When _automatic_ rotation is turned on for a secret, Secrets Manager uses a Lambda function to rotate it. The use of the
Lambda function is charged at the current Lambda rate.
The rotation function is **not** called for secrets using _managed_ rotation.
Logs of the API calls that Secrets Manager sends out are sent to CloudTrail, if it is enabled. Costs for CloudTrail are
**in addition** to the ones incurred by using Secrets Manager.
```sh
aws secretsmanager create-secret --name 'TestSecretFromFile' --secret-string 'file://gcp_credentials.json'
aws secretsmanager create-secret \
--name 'MyTestSecret' --description 'A test secret created with the CLI.' \
--secret-string '{"user":"diego","password":"EXAMPLE-PASSWORD"}' \
--tags '[{"Key": "FirstTag", "Value": "FirstValue"}, {"Key": "SecondTag", "Value": "SecondValue"}]'
```
Secrets can be any text or binary up to 65536 bytes (64KB).<br/>
Should one want to automatically rotate them, they must contain the specific JSON fields that the rotation function
expects. Refer the [JSON structure of AWS Secrets Manager secrets].
Secret have versions that hold copies of their encrypted value.<br/>
When changing the secret value, or when the secret is rotated, Secrets Manager creates a new version and serves that by
default. The old version is kept (up to a point), but not accessed unless specifically requested.
One can access a secret across multiple Regions by replicating it.<br/>
When replicating a secret, Secrets Manager creates a copy of the original (A.K.A. _primary_) secret. That copy is known
as a _replica_ secret.<br/>
The replica secret remains linked to the primary secret, and is updated when a new version of the primary is created.
Secrets Manager uses [IAM] to allow only authorized users to access or modify a secret.
_Managed_ secrets are created and managed by the AWS service that created them.<br/>
The managing service might also restrict users from updating secrets, or deleting them without a recovery period.<br/>
Managed secrets use a naming convention that includes the ID of the service managing them.
## Further readings
### Sources
<!--
Reference
═╬═Time══
-->
<!-- In-article sections -->
<!-- Knowledge base -->
[IAM]: iam.md
<!-- Upstream -->
<!-- Others -->
[JSON structure of AWS Secrets Manager secrets]: https://docs.aws.amazon.com/secretsmanager/latest/userguide/reference_secret_json_structure.html
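Review bot: a few wording slips in the new TL;DR: "Supports VPC endpoints to enables private network access" should read "to enable"; "Refer the [JSON structure of AWS Secrets Manager secrets]" should be "Refer to"; "Secret have versions" should be "Secrets have versions". The CloudTrail sentence also has the direction backwards: CloudTrail records the API calls made *to* Secrets Manager (the `create-secret` calls in the snippet included), not calls the service "sends out", and those entries are exactly what one audits for unexpected secret reads, so it is worth rephrasing. Lastly, `## Further readings` and `### Sources` are both empty apart from the HTML comment; either list something (the `[JSON structure of AWS Secrets Manager secrets]` link is a natural entry) or drop the empty headings.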

View File

@@ -337,7 +337,7 @@ All the references in the [further readings] section, plus the following:
[further readings]: #further-readings [further readings]: #further-readings
<!-- Knowledge base --> <!-- Knowledge base -->
[Hashicorp Vault]: vault.md [HashiCorp Vault]: hashicorp%20vault.md
[loki]: loki.md [loki]: loki.md
[prometheus]: prometheus/README.md [prometheus]: prometheus/README.md

View File

@@ -1,6 +1,4 @@
# Hashicorp Vault # HashiCorp Vault
## Table of contents <!-- omit in toc -->
1. [TL;DR](#tldr) 1. [TL;DR](#tldr)
1. [Further readings](#further-readings) 1. [Further readings](#further-readings)
@@ -38,11 +36,16 @@ vault read -format 'json' 'secret/data/demo-app/config'
## Further readings ## Further readings
- [HashiCorp Vault] - [Website]
- [Secrets management]
<!-- <!--
References Reference
═╬═Time══
--> -->
<!-- Knowledge base -->
[Secrets management]: secrets%20management.md
<!-- Upstream --> <!-- Upstream -->
[hashicorp vault]: https://www.vaultproject.io/ [Website]: https://www.vaultproject.io/

View File

@@ -0,0 +1,72 @@
# Infisical
Open-source platform for [secrets management], PKI, and SSH access.<br/>
Centralizes application configuration, secrets and credentials management, and PKI management.
1. [TL;DR](#tldr)
1. [Further readings](#further-readings)
1. [Sources](#sources)
## TL;DR
_Identities_ are user or machine accounts. Each of them gets assigned sets of roles and permissions.<br/>
They can manage secrets in _clients_ after whey verified themselves through authentication.
_Clients_ are Infisical-developed tools for managing secrets in various infrastructure components.
<!-- Uncomment if used
<details>
<summary>Setup</summary>
```sh
```
</details>
-->
<!-- Uncomment if used
<details>
<summary>Usage</summary>
```sh
```
</details>
-->
<!-- Uncomment if used
<details>
<summary>Real world use cases</summary>
```sh
```
</details>
-->
## Further readings
- [Website]
- [Codebase]
- [Secrets management]
### Sources
- [Documentation]
<!--
Reference
═╬═Time══
-->
<!-- In-article sections -->
<!-- Knowledge base -->
[Secrets management]: secrets%20management.md
<!-- Files -->
<!-- Upstream -->
[codebase]: https://github.com/Infisical/infisical
[documentation]: https://infisical.com/docs
[website]: https://infisical.com/
<!-- Others -->
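Review bot: typo in the TL;DR: "after whey verified themselves" should be "after they verified themselves". The three commented-out `<details>` blocks (Setup, Usage, Real world use cases) and the `<!-- Files -->` / `<!-- Others -->` reference groups are empty scaffolding; fine to keep if that is the template convention, otherwise they add noise to a page that currently has two sentences of content.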

View File

@@ -69,6 +69,7 @@
| HPC | High Performance Computing | Collections of systems and tools used to achieve a greater processing capacity than the single unit | | HPC | High Performance Computing | Collections of systems and tools used to achieve a greater processing capacity than the single unit |
| IaC | [Infrastructure as Code][iac] | | | IaC | [Infrastructure as Code][iac] | |
| IC | Integrated Circuit | | | IC | Integrated Circuit | |
| IDP | Internal Developer Platform | |
| IIRC | If I Remember/Recall Correctly | | | IIRC | If I Remember/Recall Correctly | |
| IoT | Internet of Things | Also see [LoRa] | | IoT | Internet of Things | Also see [LoRa] |
| IP | Internet Protocol | | | IP | Internet Protocol | |

View File

@@ -125,8 +125,10 @@ $ openssl req -x509 -out 'cert.pem' \
-newkey 'rsa:4096' -keyout 'key.pem' -days '365' -nodes \ -newkey 'rsa:4096' -keyout 'key.pem' -days '365' -nodes \
-subj "/C=NL/ST=Nederlands/L=Amsterdam/O=Mek Net/OU=Org/CN=mek.info" -subj "/C=NL/ST=Nederlands/L=Amsterdam/O=Mek Net/OU=Org/CN=mek.info"
Generating a 4096 bit RSA private key Generating a 4096 bit RSA private key
..............................................................................................................................................................................................................................++ ........................................................................................................................
...........................................................................................................................................................................++ ......................................................................................................++
........................................................................................................................
...................................................++
writing new private key to 'key.pem' writing new private key to 'key.pem'
----- -----
@@ -220,6 +222,7 @@ See [code 20](#code-20-unable-to-get-local-issuer-certificate).
- [Verify certificate chain with OpenSSL] - [Verify certificate chain with OpenSSL]
- [How to put domain correctly in CSR?] - [How to put domain correctly in CSR?]
- [OpenSSL command cheatsheet] - [OpenSSL command cheatsheet]
- [The Only OpenSSL CheatSheet You Will Need!]
<!-- <!--
Reference Reference
@@ -236,4 +239,5 @@ See [code 20](#code-20-unable-to-get-local-issuer-certificate).
[openssl commands to check and verify your ssl certificate, key and csr]: https://www.ibm.com/support/pages/openssl-commands-check-and-verify-your-ssl-certificate-key-and-csr [openssl commands to check and verify your ssl certificate, key and csr]: https://www.ibm.com/support/pages/openssl-commands-check-and-verify-your-ssl-certificate-key-and-csr
[openssl unable to verify the first certificate for experian url]: https://stackoverflow.com/questions/7587851/openssl-unable-to-verify-the-first-certificate-for-experian-url [openssl unable to verify the first certificate for experian url]: https://stackoverflow.com/questions/7587851/openssl-unable-to-verify-the-first-certificate-for-experian-url
[the most common openssl commands]: https://www.sslshopper.com/article-most-common-openssl-commands.html [the most common openssl commands]: https://www.sslshopper.com/article-most-common-openssl-commands.html
[The Only OpenSSL CheatSheet You Will Need!]: https://www.golinuxcloud.com/openssl-cheatsheet
[verify certificate chain with openssl]: https://www.itsfullofstars.de/2016/02/verify-certificate-chain-with-openssl/ [verify certificate chain with openssl]: https://www.itsfullofstars.de/2016/02/verify-certificate-chain-with-openssl/
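Review bot: style point on the new definition `[The Only OpenSSL CheatSheet You Will Need!]: https://www.golinuxcloud.com/openssl-cheatsheet`: every neighbouring definition in this list is lowercased. Reference labels are case-insensitive so the link resolves either way, but lowercasing it keeps the list consistent and its sort order meaningful.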

View File

@@ -1,23 +1,26 @@
# Pulumi # Pulumi
1. [TL;DR](#tldr) 1. [TL;DR](#tldr)
1. [Project](#project) 1. [Projects](#projects)
1. [Program](#program) 1. [Programs](#programs)
1. [Ignore changes](#ignore-changes) 1. [Ignore changes](#ignore-changes)
1. [Delete before replacing](#delete-before-replacing) 1. [Delete before replacing](#delete-before-replacing)
1. [Assign tags to resources by default](#assign-tags-to-resources-by-default) 1. [Assign tags to resources by default](#assign-tags-to-resources-by-default)
1. [Outputs](#outputs) 1. [Outputs](#outputs)
1. [Policy enforcement](#policy-enforcement) 1. [Policy enforcement](#policy-enforcement)
1. [Stack](#stack) 1. [Stacks](#stacks)
1. [Monolith vs micro-stack](#monolith-vs-micro-stack) 1. [Monolith vs micro-stack](#monolith-vs-micro-stack)
1. [State](#state) 1. [States](#states)
1. [Configuration](#configuration) 1. [Configurations](#configurations)
1. [Backend](#backend) 1. [Backends](#backends)
1. [Enforce specific backends for projects](#enforce-specific-backends-for-projects) 1. [Enforce specific backends for projects](#enforce-specific-backends-for-projects)
1. [Migrate to different backends](#migrate-to-different-backends) 1. [Migrate to different backends](#migrate-to-different-backends)
1. [Compose resources](#compose-resources) 1. [Composing resources](#composing-resources)
1. [Import resources](#import-resources) 1. [Importing resources](#importing-resources)
1. [Import components and their children](#import-components-and-their-children) 1. [Import components and their children](#import-components-and-their-children)
1. [Pulumi Cloud](#pulumi-cloud)
1. [ESC](#esc)
1. [IDP](#idp)
1. [Troubleshooting](#troubleshooting) 1. [Troubleshooting](#troubleshooting)
1. [A project with the same name already exists](#a-project-with-the-same-name-already-exists) 1. [A project with the same name already exists](#a-project-with-the-same-name-already-exists)
1. [Assume role with MFA enabled but AssumeRoleTokenProvider session option not set](#assume-role-with-mfa-enabled-but-assumeroletokenprovider-session-option-not-set) 1. [Assume role with MFA enabled but AssumeRoleTokenProvider session option not set](#assume-role-with-mfa-enabled-but-assumeroletokenprovider-session-option-not-set)
@@ -27,18 +30,18 @@
1. [Stack init fails due to missing scheme](#stack-init-fails-due-to-missing-scheme) 1. [Stack init fails due to missing scheme](#stack-init-fails-due-to-missing-scheme)
1. [Stack init fails due to invalid key identifier](#stack-init-fails-due-to-invalid-key-identifier) 1. [Stack init fails due to invalid key identifier](#stack-init-fails-due-to-invalid-key-identifier)
1. [Further readings](#further-readings) 1. [Further readings](#further-readings)
1. [Sources](#sources) 1. [Sources](#sources)
## TL;DR ## TL;DR
| Concept | ELI5 summary | Notes | | Concept | ELI5 summary | Notes |
| --------------- | ---------------------------------------------------------- | ------------------------------------------------------------------------------------ | | ------------------- | ---------------------------------------------------------- | ------------------------------------------------------------------------------------ |
| [Project] | Any folder that contains a `Pulumi.yaml` file | Collection of code | | [Project][projects] | Any folder that contains a `Pulumi.yaml` file | Collection of code |
| [Program] | The code in a project | Defines resources | | [Program][programs] | The code in a project | Defines resources |
| [Stack] | An isolated, independent instance of a _program_ | Has its own _configuration_ and _state_<br/>Usually defines an environment or branch | | [Stack][stacks] | An isolated, independent instance of a _program_ | Has its own _configuration_ and _state_<br/>Usually defines an environment or branch |
| [Configuration] | The specific data used in a _stack_ | Each _stack_ has its own _configuration_ | | [Configuration][configurations] | The specific data used in a _stack_ | Each _stack_ has its own _configuration_ |
| [State] | Metadata about resources in a _stack_ | Each _stack_ has its own _state_ | | [State][states] | Metadata about resources in a _stack_ | Each _stack_ has its own _state_ |
| [Backend] | Storage place for one or more _projects_' sets of _states_ | | | [Backend][backends] | Storage place for one or more _projects_' sets of _states_ | |
When a stack is not explicitly requested in a command (`-s`, `--stack`), Pulumi defaults to the currently selected When a stack is not explicitly requested in a command (`-s`, `--stack`), Pulumi defaults to the currently selected
one.<br/> one.<br/>
@@ -511,9 +514,9 @@ Learning resources:
- [Code examples] - [Code examples]
- [Resources reference] - [Resources reference]
## Project ## Projects
Refer to [projects] for more and updated information. Refer [Project][pulumi projects] for more and updated information.
Projects are collections of code.<br/> Projects are collections of code.<br/>
Namely, they are the folders containing a `Pulumi.yaml` project file.<br/> Namely, they are the folders containing a `Pulumi.yaml` project file.<br/>
@@ -537,10 +540,10 @@ pulumi new 'kubernetes-yaml' --generate-only
pulumi new 'oci-java' pulumi new 'oci-java'
``` ```
## Program ## Programs
Programs are the the files containing the resources' definitions.<br/> Programs are the the files containing the resources' definitions.<br/>
They are deployed into [stacks][stack]. They are deployed into [stacks].
### Ignore changes ### Ignore changes
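Review bot: the context line "Programs are the the files containing the resources' definitions" carries a pre-existing doubled "the"; since this hunk already touches the paragraph's link (`[stacks][stack]` becomes `[stacks]`), it is a cheap fix to fold in here.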
@@ -628,30 +631,30 @@ TODO
See [Automatically Enforcing AWS Resource Tagging Policies], [Get started with Pulumi policy as code]. See [Automatically Enforcing AWS Resource Tagging Policies], [Get started with Pulumi policy as code].
## Stack ## Stacks
Refer to [stacks] for more and updated information. Refer [Stack][pulumi stack] for more and updated information.
Single isolated, independent instance of a [program].<br/> Single isolated, independent instance of a [program][programs].<br/>
Each stack has its own separate set of configuration and secrets, role-based access controls (RBAC), policies and Each stack has its own separate set of configuration and secrets, role-based access controls (RBAC), policies and
resources. resources.
The stack name can be specified in one of these formats: The stack name can be specified in one of these formats:
- `stackName`: identifies the stack named `stackName` in the current user account or default organization.<br/> - `stackName`: identifies the stack named `stackName` in the current user account or default organization.<br/>
Its [project] is specified by the nearest `Pulumi.yaml` project file. Its [project][projects] is specified by the nearest `Pulumi.yaml` project file.
- `orgName/stackName`: identifies the stack named `stackName` in the organization named `orgName`<br/> - `orgName/stackName`: identifies the stack named `stackName` in the organization named `orgName`<br/>
Its [project] is specified by the nearest `Pulumi.yaml` project file. Its [project][projects] is specified by the nearest `Pulumi.yaml` project file.
- `orgName/projectName/stackName`: identifies the stack named `stackName` for the project named `projectName` in the - `orgName/projectName/stackName`: identifies the stack named `stackName` for the project named `projectName` in the
organization named `orgName`.<br/> organization named `orgName`.<br/>
`projectName` must match the project specified by the nearest `Pulumi.yaml` project file. `projectName` must match the project specified by the nearest `Pulumi.yaml` project file.
For self-managed [backends][backend], the `orgName` portion of the stack name must always be the constant string value For self-managed [backends], the `orgName` portion of the stack name must always be the constant string value
`organization`. `organization`.
### Monolith vs micro-stack ### Monolith vs micro-stack
Refer to [organizing pulumi projects & stacks] for more and updated information. Refer [Organizing pulumi projects & stacks] for more and updated information.
Monoliths are single, big projects defining all the resources (infrastructure, application, others) for an entire set of Monoliths are single, big projects defining all the resources (infrastructure, application, others) for an entire set of
services.<br/> services.<br/>
@@ -718,24 +721,23 @@ root/
└── app/… └── app/…
``` ```
### State ### States
Refer to [state] for more and updated information. Refer [State][pulumi state] for more and updated information.
Every [stack] has its own state. Every [Stack][stacks] has its own state.
States are stored in transactional snapshots called _checkpoints_ and are saved as JSON files.<br/> States are stored in transactional snapshots called _checkpoints_ and are saved as JSON files.<br/>
Pulumi records checkpoints early and often, so that it can execute similarly to how database transactions work.<br/> Pulumi records checkpoints early and often, so that it can execute similarly to how database transactions work.<br/>
Checkpoints are stored in the [backend], under the `.pulumi/stacks/{project.name}` folder. See the Checkpoints are stored in the stack's [backend][backends], under the `.pulumi/stacks/{project.name}` folder.
[backend] section for details.
### Configuration ### Configurations
TODO TODO
## Backend ## Backends
Refer to [state] for more and updated information. Refer [State][pulumi state] for more and updated information.
> Pulumi is designed to use only a single backend at a time. > Pulumi is designed to use only a single backend at a time.
@@ -760,7 +762,7 @@ The Pulumi Cloud backend records every checkpoint to allow to recover from exoti
Self-managed backends may have more trouble recovering from these situations, as they typically store a single state Self-managed backends may have more trouble recovering from these situations, as they typically store a single state
file instead. file instead.
Backends store the states of one or more [stacks][stack], divided by [project]. Backends store the states of one or more [stacks], divided by [project][projects].
Everything **but** the credentials for the backend (`~/.pulumi/credentials.json`) is stored in the backend's root Everything **but** the credentials for the backend (`~/.pulumi/credentials.json`) is stored in the backend's root
directory, under the `.pulumi` folder: directory, under the `.pulumi` folder:
@@ -881,9 +883,9 @@ backend:
cat 'Pulumi.mario.yaml' cat 'Pulumi.mario.yaml'
``` ```
## Compose resources ## Composing resources
FIXME: should this be under [Program]? FIXME: should this be under [Programs]?
Refer [Component resources] and [Create a ComponentResource]. Refer [Component resources] and [Create a ComponentResource].
@@ -1166,9 +1168,9 @@ serviceRole.assumeRole.iamPolicy.name.apply(policyName => console.log(policyName
</details> </details>
## Import resources ## Importing resources
FIXME: should this be under [Program] or [Stack]? FIXME: should this be under [Programs] or [Stacks]?
Existing resources can be imported in Pulumi's states for Pulumi to manage. Existing resources can be imported in Pulumi's states for Pulumi to manage.
@@ -1347,6 +1349,35 @@ $ pulumi preview
</details> </details>
## Pulumi Cloud
### ESC
Environments, Secrets, and Configuration.
Integrates with most popular secrets stores to pull and synchronize secrets and configuration data.
Refer [Pulumi ESC][pulumi esc docs] for more and updated information.
> [!important]
> ESC is currently provided **exclusively** as part of Pulumi Cloud. One **will** need to create a Pulumi account to be
> able to use it.
### IDP
Internal Developer Platform.
Allows defining building blocks using [components][composing resources] and templates, enabling developers to provision
infrastructure resources in the way that best suits them.<br/>
Developers can write Pulumi programs in their preferred programming language, scaffold components using low-code YAML
templates, or deploy no-code programs from the Pulumi console.
Refer [Pulumi IDP][pulumi idp docs] for more and updated information.
> [!important]
> IDP is currently provided **exclusively** as part of the Enterprise tier of Pulumi Cloud. One **will** need to create
> a Pulumi account to be able to use it.
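Review bot: the ESC paragraph says it "integrates with most popular secrets stores to pull and synchronize secrets and configuration data", and the callout says it is only available inside Pulumi Cloud. Taken together that puts a third-party SaaS in the read path for every synced secret, which is the trade-off the new `secrets management.md` page raises for orchestration platforms; a sentence making that explicit next to the `[!important]` callout would help readers weigh it. Minor: `[components][composing resources]` relies on the new `[Composing resources]: #composing-resources` definition added later in this commit, so the two hunks must land together.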
## Troubleshooting ## Troubleshooting
### A project with the same name already exists ### A project with the same name already exists
@@ -1484,8 +1515,6 @@ Solution: Read [secrets], and fix the configuration by providing a correct key i
### Sources ### Sources
- [Documentation] - [Documentation]
- [Stacks]
- [State]
- [Assigning tags by default on AWS with Pulumi] - [Assigning tags by default on AWS with Pulumi]
- [Organizing Pulumi projects & stacks] - [Organizing Pulumi projects & stacks]
- [Aligning Projects between Service and Self-Managed Backends] - [Aligning Projects between Service and Self-Managed Backends]
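Review bot: dropping `- [Stacks]` and `- [State]` from Sources is consistent now that `[stacks]` and `[states]` resolve to in-article anchors, but the upstream pages those entries pointed at are still cited in the body through `[pulumi stack]`, `[pulumi state]` and `[pulumi projects]`, so they should be re-listed here under the new labels rather than removed.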
@@ -1508,16 +1537,18 @@ Solution: Read [secrets], and fix the configuration by providing a correct key i
--> -->
<!-- In-article sections --> <!-- In-article sections -->
[backend]: #backend [Backends]: #backends
[configuration]: #configuration [Configurations]: #configurations
[enforce specific backends for projects]: #enforce-specific-backends-for-projects [Enforce specific backends for projects]: #enforce-specific-backends-for-projects
[monolith vs micro-stack]: #monolith-vs-micro-stack [Monolith vs micro-stack]: #monolith-vs-micro-stack
[program]: #program [Programs]: #programs
[project]: #project [Projects]: #projects
[stack]: #stack [Stacks]: #stacks
[States]: #states
[Composing resources]: #composing-resources
<!-- Knowledge base --> <!-- Knowledge base -->
[terraform]: terraform.md [Terraform]: terraform.md
<!-- Files --> <!-- Files -->
<!-- Upstream --> <!-- Upstream -->
@@ -1535,21 +1566,23 @@ Solution: Read [secrets], and fix the configuration by providing a correct key i
[ignorechanges]: https://www.pulumi.com/docs/concepts/options/ignorechanges/ [ignorechanges]: https://www.pulumi.com/docs/concepts/options/ignorechanges/
[importing resources]: https://www.pulumi.com/docs/iac/adopting-pulumi/import/ [importing resources]: https://www.pulumi.com/docs/iac/adopting-pulumi/import/
[organizing pulumi projects & stacks]: https://www.pulumi.com/docs/using-pulumi/organizing-projects-stacks/ [organizing pulumi projects & stacks]: https://www.pulumi.com/docs/using-pulumi/organizing-projects-stacks/
[projects]: https://www.pulumi.com/docs/concepts/projects/
[property paths]: https://www.pulumi.com/docs/iac/concepts/miscellaneous/property-paths/ [property paths]: https://www.pulumi.com/docs/iac/concepts/miscellaneous/property-paths/
[pulumi config set-all]: https://www.pulumi.com/docs/cli/commands/pulumi_config_set-all/ [pulumi config set-all]: https://www.pulumi.com/docs/cli/commands/pulumi_config_set-all/
[pulumi crosswalk for aws]: https://www.pulumi.com/docs/iac/clouds/aws/guides/ [pulumi crosswalk for aws]: https://www.pulumi.com/docs/iac/clouds/aws/guides/
[pulumi esc docs]: https://www.pulumi.com/docs/esc/
[pulumi idp docs]: https://www.pulumi.com/docs/idp/
[pulumi import]: https://www.pulumi.com/docs/iac/cli/commands/pulumi_import/ [pulumi import]: https://www.pulumi.com/docs/iac/cli/commands/pulumi_import/
[pulumi new]: https://www.pulumi.com/docs/cli/commands/pulumi_new/ [pulumi new]: https://www.pulumi.com/docs/cli/commands/pulumi_new/
[pulumi preview]: https://www.pulumi.com/docs/iac/cli/commands/pulumi_preview/ [pulumi preview]: https://www.pulumi.com/docs/iac/cli/commands/pulumi_preview/
[pulumi projects]: https://www.pulumi.com/docs/concepts/projects/
[pulumi stack]: https://www.pulumi.com/docs/concepts/stack/
[pulumi state]: https://www.pulumi.com/docs/concepts/state/
[pulumi troubleshooting]: https://www.pulumi.com/docs/support/troubleshooting/ [pulumi troubleshooting]: https://www.pulumi.com/docs/support/troubleshooting/
[pulumi up --plan without error message (exit code 255)]: https://github.com/pulumi/pulumi/issues/11303#issuecomment-1311365793 [pulumi up --plan without error message (exit code 255)]: https://github.com/pulumi/pulumi/issues/11303#issuecomment-1311365793
[pulumi-aws/issues/1366]: https://github.com/pulumi/pulumi-aws/issues/1366 [pulumi-aws/issues/1366]: https://github.com/pulumi/pulumi-aws/issues/1366
[resources reference]: https://www.pulumi.com/resources [resources reference]: https://www.pulumi.com/resources
[secrets]: https://www.pulumi.com/docs/concepts/secrets/ [secrets]: https://www.pulumi.com/docs/concepts/secrets/
[stack references]: https://www.pulumi.com/docs/concepts/stack/#stackreferences [stack references]: https://www.pulumi.com/docs/concepts/stack/#stackreferences
[stacks]: https://www.pulumi.com/docs/concepts/stack/
[state]: https://www.pulumi.com/docs/concepts/state/
[update plans]: https://www.pulumi.com/docs/concepts/update-plans/ [update plans]: https://www.pulumi.com/docs/concepts/update-plans/
[website]: https://www.pulumi.com/ [website]: https://www.pulumi.com/
[workshops]: https://github.com/pulumi/workshops [workshops]: https://github.com/pulumi/workshops

View File

@@ -0,0 +1,76 @@
# Secrets management
1. [TL;DR](#tldr)
1. [The problem at hand](#the-problem-at-hand)
1. [Further readings](#further-readings)
1. [Sources](#sources)
## TL;DR
_Vaults_ and _secrets managers_ are centralized solution that manage secrets.<br/>
Examples: [HashiCorp Vault], [OpenBao], [Bitwarden Secrets Manager], [1Password Secrets Automation], [CyberArk Conjur],
[Akeyless].
_Secrets orchestration platforms_ offer a transparent access point for users while being a vault itself and/or syncing
secrets between multiple other vaults and secrets managers.<br/>
Examples: [Doppler], [Infisical], [Pulumi ESC].
Solutions should be easy to use and get **out** of their users' way, so that they can be more easily adopted.
## The problem at hand
Secrets are usually bad managed in local development environments.<br/>
The process of grabbing all required secrets on local machines is often manual, cumbersome, and prone to errors.<br/>
This causes the onboarding process to slow down, and encourages developers to follow insecure practices when sharing
secrets.
Saving secrets in (possibly encrypted) git-tracked files (e.g. `.env`) still lacks the level of syncing teams might
require.<br/>
Even if notified, developers don't usually pull the updated files nor make all the required adjustments immediately,
likely being then forced to lose time debugging issues due to deprecated or changed data.
Even with a working synchronization process, it's common for developers to accidentally leak secrets as part of
commits.<br/>
As soon as a secret is part of the git history, it becomes a security issue and it is hard to get it removed
properly.<br/>
Though git hooks exist, it is likely for them to be misconfigured or simply skipped (`git commit --no-verify`).
Having a centralized solution to manage secrets can come to the rescue, as long as it is adopted profusely.<br/>
The only way this can happen is if that solution is easy to use and manage, and get **out** of the way of
developers.<br/>
_Vaults_ and _secrets managers_ usually do a good job for this.
Tools might also integrate with or support only one or a small set of solutions, limiting the choice of platforms.<br/>
It would be good to have a way to sync secrets between multiple platforms. Even better, to use a single access point to
abstract the sync process and make it transparent.<br/>
This is what _secrets orchestration platforms_ try to solve.
## Further readings
- [HashiCorp Vault]
- [Infisical]
### Sources
- [Secrets Management Tools: The Complete 2025 Guide]
<!--
Reference
═╬═Time══
-->
<!-- In-article sections -->
<!-- Knowledge base -->
[HashiCorp Vault]: hashicorp%20vault.md
[Infisical]: infisical.md
[Pulumi ESC]: pulumi.md#esc
<!-- Files -->
<!-- Others -->
[1Password Secrets Automation]: https://1password.com/developers/secrets-management
[Akeyless]: https://www.akeyless.io/
[Bitwarden secrets manager]: https://bitwarden.com/products/secrets-manager/
[CyberArk Conjur]: https://www.conjur.org/
[Doppler]: https://www.doppler.com/
[OpenBao]: https://openbao.org/
[Secrets Management Tools: The Complete 2025 Guide]: https://www.pulumi.com/blog/secrets-management-tools-guide/
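Review bot: grammar in the new page: "centralized solution that manage secrets" should be "centralized solutions that manage secrets"; "Secrets are usually bad managed" should be "badly managed"; "adopted profusely" reads as "adopted widely"; "is easy to use and manage, and get **out** of the way" needs "gets". On the git-history paragraph: once a secret is in history it should be treated as compromised and rotated, because rewriting history does not reach clones and forks that already pulled it; a sentence to that effect turns "hard to get it removed properly" into something actionable. Also, the only Source is a Pulumi blog post while Pulumi ESC is one of the platforms listed, so a second, vendor-neutral reference would balance the taxonomy.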

View File

@@ -489,6 +489,18 @@ aws s3api list-buckets --output 'text' --query 'Buckets[].Name' | xargs -n '1' a
aws --profile 'someProfile' s3api head-bucket --bucket 'someBucket' aws --profile 'someProfile' s3api head-bucket --bucket 'someBucket'
###
# Secrets
# ------------------
###
aws secretsmanager create-secret --name 'TestSecretFromFile' --secret-string 'file://mycreds.json'
aws secretsmanager create-secret \
--name 'MyTestSecret' --description 'A test secret created with the CLI.' \
--secret-string '{"user":"diegor","password":"EXAMPLE-PASSWORD"}' \
--tags '[{"Key": "FirstTag", "Value": "FirstValue"}, {"Key": "SecondTag", "Value": "SecondValue"}]'
### ###
# SNS # SNS
# ------------------ # ------------------
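Review bot: the inline form `--secret-string '{"user":"diegor","password":"EXAMPLE-PASSWORD"}'` leaves the secret in the shell history and visible in the process list while the command runs; the `file://mycreds.json` form on the first line avoids that, so a short comment marking the inline variant as a testing placeholder (which `EXAMPLE-PASSWORD` already hints at) would keep readers from copying it for real values. Separately, the same two commands appear in the new `secrets manager.md` with different placeholders (`diego` and `gcp_credentials.json` there, `diegor` and `mycreds.json` here); keeping both copies identical makes future edits less error-prone.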