Secrets & Key Management
AWS Secrets Manager, Azure Key Vault, HashiCorp Vault, KMS
Secrets management ensures that database passwords, API keys, TLS certificates, and encryption keys are never hardcoded or stored in version control. AWS Secrets Manager provides automatic rotation for RDS, Redshift, and DocumentDB credentials via Lambda; Azure Key Vault stores secrets, keys, and certificates with HSM-backed options; and HashiCorp Vault is the cloud-agnostic leader supporting dynamic secrets, PKI, and multiple auth methods. All integrate with AWS KMS / Azure Key Vault / GCP Cloud KMS for envelope encryption of secrets at rest.
Key Points
- AWS Secrets Manager rotation works by calling a Lambda function on a configurable schedule (e.g., every 30 days); the old secret remains valid during the rotation window to avoid downtime.
- AWS KMS Customer Managed Keys (CMKs) allow full audit of key usage via CloudTrail, key rotation every 365 days, and cross-account sharing for multi-account architectures.
- Azure Key Vault Soft Delete (90-day retention) and Purge Protection prevent accidental or malicious deletion of keys used to encrypt production data.
- HashiCorp Vault dynamic secrets: Vault generates short-lived, just-in-time credentials (e.g., a PostgreSQL user valid for 1 hour) — eliminates shared, long-lived database passwords.
- Envelope encryption: data is encrypted with a Data Encryption Key (DEK); the DEK itself is encrypted (wrapped) with a Key Encryption Key (KEK) stored in KMS — rotating the KEK only means re-wrapping the DEKs, not re-encrypting all the data.
- Kubernetes secrets are base64-encoded (not encrypted) by default — always enable etcd encryption at rest and use External Secrets Operator to sync from Vault/AWS Secrets Manager.
- Vault AppRole auth and Kubernetes auth methods allow applications to authenticate to Vault without static credentials, using a role ID + secret ID or a pod service account JWT respectively.
- Secret sprawl audit: use AWS Config rules, Azure Policy, or Vault's lease/accessor audit log to detect secrets that have not been rotated within policy windows.
Real-World Example
HashiCorp Vault is used by Pinterest to manage 1000+ secrets across its microservices, with dynamic database credentials reducing the blast radius of a compromised service to under one hour of credential validity.