Secrets Management

Rotation. Storage. Access control. Never in logs, never in repos, never in environment variables that get printed. Pipeline stage 5 catches leaks at commit time; the broader discipline catches them everywhere else.

Owners: DevOps, Tech Lead, Security
Phase it lives in: How We Build (Volume IV)
The corpus principle this enacts: Trust is the product.

Where it lives in the chain

How to do this

The four disciplines:

  1. Storage — a managed secrets store (Vault, AWS Secrets Manager, GCP Secret Manager). Never in source. Never in plain env files committed to source.
  2. Access — least privilege, audited. "Why does service B have read access to service A's database password?" If the answer isn't immediate, revoke.
  3. Rotation — every secret has a rotation cadence. Database credentials: quarterly. API tokens: monthly. Certificate keys: per cert lifetime. Rotation is automated — manual rotation gets skipped.
  4. Scan and revoke — pre-commit hook (stage 0), CI scan (stage 1), retroactive scan of git history. If a secret leaks, the secret is revoked and rotated first, then the leak is investigated.
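The stage-0 scan in discipline 4, as an added example rather than the chain's own tooling: a minimal pre-commit scanner in Python that walks the staged diff, checks only added lines against known token prefixes, hard-coded credential assignments and a Shannon-entropy cutoff, and reports the file and line of each hit. The rule names, the regexes, the 4.5-bit threshold and the sample diff are assumptions constructed for this illustration.

```python
import math
import re

# Detection rules (assumed set; add your providers' token formats as needed).
PATTERNS = {
    "aws-access-key-id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "github-pat": re.compile(r"\bghp_[A-Za-z0-9]{36}\b"),
    "private-key-block": re.compile(r"-----BEGIN [A-Z ]*PRIVATE KEY-----"),
    "hardcoded-assignment": re.compile(r"(?i)(password|passwd|secret|api[_-]?key|token)\s*[:=]\s*['\"][^'\"]{8,}['\"]"),
}
HUNK = re.compile(r"@@ -\d+(?:,\d+)? \+(\d+)")
CANDIDATE = re.compile(r"[A-Za-z0-9+/=_-]{20,}")
ENTROPY_THRESHOLD = 4.5  # bits per char; assumed cutoff tuned for base64-like tokens
def shannon_entropy(s):
    # Bits per character: random-looking material scores high, prose and identifiers low.
    return -sum(s.count(c) / len(s) * math.log2(s.count(c) / len(s)) for c in set(s))
def scan_diff(diff_text):
    # (path, new-file line, rule, snippet) per suspicious ADDED line; removed lines are
    # ignored, so a commit that deletes a leaked secret is never blocked by the hook.
    findings, path, line_no = [], None, 0
    for raw in diff_text.splitlines():
        if raw.startswith("+++ "):
            path = raw[4:].removeprefix("b/")
            continue
        if hunk := HUNK.match(raw):
            line_no = int(hunk.group(1)) - 1
            continue
        if raw.startswith(("-", "\\", "diff ", "index ")):
            continue
        line_no += 1  # context and added lines both advance the new-file line count
        if not raw.startswith("+"):
            continue
        line = raw[1:]
        rule = next((n for n, p in PATTERNS.items() if p.search(line)), None) or next(
            ("high-entropy-string" for c in CANDIDATE.findall(line)
             if shannon_entropy(c) >= ENTROPY_THRESHOLD), None)
        if rule:
            findings.append((path, line_no, rule, line.strip()))
    return findings

# Constructed sample diff: a commit that swaps an environment lookup for literal credentials.
SAMPLE_DIFF = """\
--- a/config/settings.py
+++ b/config/settings.py
@@ -10,3 +10,5 @@ DEBUG = False
 ALLOWED_HOSTS = ["app.example.test"]
-AWS_ACCESS_KEY_ID = os.environ["AWS_ACCESS_KEY_ID"]
+AWS_ACCESS_KEY_ID = "AKIAEXAMPLEKEY000000"
+DB_PASSWORD = "correct-horse-battery"
+SESSION_SALT = "c2VjcmV0LXNhbHQtdmFsdWUtZm9yLWRlbW8tb25seQ"
 LOG_LEVEL = "INFO"
"""
```

Wired as a hook it would feed `git diff --cached` to `scan_diff` and fail the commit when the result is non-empty; the `AKIA` and `ghp_` prefixes are the public AWS and GitHub formats, everything else is illustrative.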

What good practice looks like

A developer needs a third-party API token for local dev. They request it through the secrets workflow — provisioned to their environment, never committed. The token has dev-only scope with a 30-day expiry; production scope is paged-in for incidents, signed-off, time-boxed.

A secret leaks. The team doesn't ask "how do we hide this?" — they ask "how do we revoke this in the next 10 minutes?" The secret is rotated; the access audit is read; the incident is contained. The chain-aware label is configuration (operational) and integration-gap (chain-aware) — the secrets workflow was bypassed.

A team that stores secrets in Slack threads or 1Password lockers nobody knows about is a team where every offboarding is a security event. The chain's discipline is to make the right thing easy: a one-command fetch from the secrets store; a one-PR addition of a new secret; a one-click revocation. When the right thing is easy, the wrong thing stays rare.

200apps · How We Work · NWIRE