oam/knowledge base/secrets management.md
2025-08-03 12:00:37 +02:00

Secrets management

  1. TL;DR
  2. The problem at hand
  3. Further readings
    1. Sources

TL;DR

Secrets managers (a.k.a. vaults or secrets stores) are centralized solutions that store and manage secrets.
Examples: HashiCorp Vault, OpenBao, Bitwarden Secrets Manager, 1Password Secrets Automation, CyberArk Conjur, Akeyless.

Secrets orchestration platforms offer a transparent, single access point for users while being secrets managers themselves and/or syncing secrets between multiple other secrets managers.
Examples: Doppler, Infisical, Phase, Pulumi ESC.

Solutions should be easy to use and get out of their users' way, so that they can be more easily adopted.

The problem at hand

Secrets are usually badly managed in local development environments.
The process of grabbing all required secrets on local machines is often manual, cumbersome, and prone to errors.
This causes the onboarding process to slow down, and encourages developers to follow insecure practices when sharing secrets.

Saving secrets in (possibly encrypted) git-tracked files (e.g. .env) still lacks the level of syncing teams might require.
Even when notified, developers often don't pull the updated files or apply the required adjustments right away, and then lose time debugging issues caused by stale or changed values.

Even with a working synchronization process, it's common for developers to accidentally leak secrets as part of commits.
As soon as a secret is part of the git history, it becomes a security issue and it is hard to get it removed properly.
Though git hooks exist, it is likely for them to be misconfigured or simply skipped (git commit --no-verify).
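As an added example (not part of the original note), the following POSIX shell script shows the kind of check a pre-commit hook can run over staged files before a secret reaches the git history. The regular expressions, the function names scan_for_secrets and scan_staged, and the --staged argument are assumptions chosen for illustration, not a complete ruleset or an existing tool.

```shell
#!/bin/sh
# Added example, not from the original note: a minimal secret scan of the kind
# a git pre-commit hook can run over staged files. Patterns are illustrative
# assumptions, not a complete ruleset.

# scan_for_secrets FILE
# Prints "FILE:LINE:content" for each suspicious line; returns 1 if any were
# found, 0 if the file looks clean. Matching is case-sensitive by design.
scan_for_secrets() {
  file=$1
  # Patterns (assumed for this example):
  #  - AWS-style access key ids (AKIA followed by 16 uppercase alphanumerics)
  #  - PEM private key headers
  #  - VAR=value assignments whose name suggests a credential and whose
  #    value is at least 8 characters long (empty placeholders pass)
  hits=$(grep -nE \
    -e 'AKIA[0-9A-Z]{16}' \
    -e '-----BEGIN (RSA |EC |OPENSSH |DSA )?PRIVATE KEY-----' \
    -e '^[A-Za-z_]*(SECRET|TOKEN|PASSWORD|API_KEY)[A-Za-z_]*=.{8,}' \
    "$file" || true)
  [ -z "$hits" ] && return 0
  printf '%s\n' "$hits" | while IFS= read -r line; do
    printf '%s:%s\n' "$file" "$line"
  done
  return 1
}

# scan_staged
# Runs scan_for_secrets over every file added, copied or modified in the
# index, i.e. what `git commit` is about to record. Returns 1 if any file
# failed. (Assumes staged paths contain no whitespace.)
scan_staged() {
  status=0
  for f in $(git diff --cached --name-only --diff-filter=ACM); do
    [ -f "$f" ] || continue
    scan_for_secrets "$f" || status=1
  done
  if [ "$status" -ne 0 ]; then
    # A client-side hook is advisory only (it can be skipped with
    # --no-verify), so the same scan should also run in CI.
    echo "secret-like content is staged; refusing to commit" >&2
  fi
  return $status
}

# Dispatch: with --staged scan the index (pre-commit hook mode); with file
# arguments scan those files; with no arguments only define the functions.
case "${1:-}" in
  --staged) scan_staged ;;
  "") : ;;
  *)
    status=0
    for f in "$@"; do scan_for_secrets "$f" || status=1; done
    exit $status
    ;;
esac
```

To use it as a hook, save the script in the repository (e.g. as scan-secrets.sh) and make .git/hooks/pre-commit run `exec sh scan-secrets.sh --staged`. Because the hook can still be skipped with git commit --no-verify, the same script should be run against the tree in CI as well; the hook saves the developer from the leak, the CI check catches what the hook missed.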

Having a centralized solution to manage secrets can come to the rescue, as long as it is widely adopted.
The only way this can happen is if that solution is easy to use and manage, and gets out of the way of developers.
Secrets managers usually do a good job at this.

Tools might also integrate with or support only one or a small set of solutions, limiting the choice of platforms.
It would be good to have a way to sync secrets between multiple platforms. Even better, to use a single access point to abstract the sync process and make it transparent.
This is what secrets orchestration platforms try to solve.

Further readings

Sources