Secrets management
Secrets management involves securely storing, distributing, and rotating sensitive credentials—API keys, passwords, encryption keys, TLS certificates—used by applications and services. Typically, a secrets management tool (like HashiCorp Vault, AWS Secrets Manager, Azure Key Vault) provides a centralized repository where secrets are encrypted at rest, access is tightly controlled by ACLs, and secrets are delivered to authorized clients on demand.
How does it affect identity security?
Hardcoding secrets in application code or config files is a major security risk, as attackers can easily retrieve them from source control or logs. Secrets management centralizes these credentials, logs access requests, enforces least privilege, and automates rotation. This prevents long-lived secrets from being a perpetual attack vector.
Cloud providers offer secrets management services that integrate with IAM. For instance, AWS Secrets Manager can require an IAM role or a KMS key policy to retrieve a secret. Azure Key Vault can limit secret retrieval to certain managed identities. This synergy with IAM ensures only the right identities can fetch secrets. In DevOps, secrets management tools unify credentials across pipeline stages, restricting human access. They also rotate keys automatically for databases or external APIs, reducing the impact of any leaked credential.
Proper secrets management also helps meet compliance requirements for handling encryption keys or database passwords. By limiting who (or which service) can retrieve each secret, the system ensures that an attacker who compromises one app doesn’t automatically get the credentials for all the others.
Case study
Public build logs on Travis CI sometimes contained environment variables (API tokens, keys), inadvertently published to the internet. Proper secrets management—storing tokens in a secure vault and injecting them at runtime—would have prevented embedding secrets in logs.
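A complementary check for the build-log exposure described above, as an added example that is not part of the original page: before a log is published, mask every occurrence of a secret-like environment variable's value and report which variables leaked. The variable-name pattern, the `[secure]` marker, and the sample environment and log are constructed assumptions.

```python
import re

# Assumed naming convention for secret-bearing variables (hypothetical).
SECRET_NAME = re.compile(r"(TOKEN|SECRET|PASSWORD|PASSWD|API_?KEY|PRIVATE_KEY)", re.I)
MIN_LEN = 8  # ignore short values; masking them would mangle unrelated text


def secret_items(env):
    """Return (name, value) pairs for variables that look like secrets."""
    return [(k, v) for k, v in env.items()
            if SECRET_NAME.search(k) and len(v) >= MIN_LEN]


def redact(log_text, env):
    """Mask secret values in log_text; return (clean_text, leaked_names)."""
    items = secret_items(env)
    leaked = sorted(name for name, value in items if value in log_text)
    # Replace longest values first so a secret that contains another
    # secret as a substring is masked whole, not partially.
    for _, value in sorted(items, key=lambda kv: len(kv[1]), reverse=True):
        log_text = log_text.replace(value, "[secure]")
    return log_text, leaked


# Constructed sample data, not taken from any real build.
SAMPLE_ENV = {
    "DEPLOY_API_KEY": "example-key-0123456789",
    "DB_PASSWORD": "example-password-abc",
    "BUILD_STAGE": "integration",
}
SAMPLE_LOG = (
    "$ env\n"
    "BUILD_STAGE=integration\n"
    "DEPLOY_API_KEY=example-key-0123456789\n"
    "$ curl -H 'Authorization: Bearer example-key-0123456789' "
    "https://api.example.invalid/deploy\n"
    "deploy ok\n"
)

if __name__ == "__main__":
    clean, leaked = redact(SAMPLE_LOG, SAMPLE_ENV)
    print(clean)
    print("leaked variables:", leaked)
```

Masking is a backstop for output that has already been produced; any variable reported as leaked should be rotated in the secrets manager, since the raw value may exist in unmasked copies of the log.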