Module 9 · Protocols, Security, ObservabilityDay 08720 min

Secrets Management

Don't put secrets in env files; rotate them like passwords.

← Previous Next →

Day 087

Secrets Management

20m

focus

App

service

Secrets Mgr

service

datastore

Signal path

Secrets fetched at runtime

App

service

flow

Secrets Mgr

service

App

service

flow

datastore

Memory hook

Secrets Management: don't put secrets in env files

Mental model

design for the day something breaks

Design lens

Short-lived adds infra complexity.

Recall anchors

StorageRotationAudit

Why it matters

Secrets (DB passwords, API keys, signing keys) deserve their own infrastructure. A secrets manager stores, rotates, and audits access; apps fetch via short-lived creds.

1Use a secrets manager (Vault, AWS SM, GCP SM).
2Rotate automatically.
3Audit access.

Deep dive

Short-lived credentials (15-min IAM, mTLS-bound JWT) limit blast radius.

Rotate on schedule and on incident; tooling must support graceful overlap.

Audit reads; alert on unusual access patterns.

Demo / scenario

DB credentials in env files everywhere.

Move to secrets manager with versioning.
App reads via SDK at startup.
Rotate quarterly with overlap window.
Old version invalidated after deploy soak.

Tradeoffs

Short-lived adds infra complexity.
Apps must handle credential refresh.
Auditing is the long-term value.

Diagram

Secrets fetched at runtime.

Mind map

Check yourself

Loading quiz…

Sources & further reading

AWS Secrets Manager

← Previous Next →