Secrets Management
Rotation. Storage. Access control. Never in logs, never in repos, never in environment variables that get printed. Pipeline stage 5 catches leaks at commit time; the broader discipline catches them everywhere else.
Owners: DevOps, Tech Lead, Security
Phase it lives in: How We Build (Volume IV)
The corpus principle this enacts: Trust is the product.
Where it lives in the chain
- How We Build · The Pipeline — secrets scan is a pipeline stage
- How We Build · Domain Language and Composition — where secrets surface in service composition
How to do this
The four disciplines:
- Storage — a managed secrets store (Vault, AWS Secrets Manager, GCP Secret Manager). Never in source. Never in plain env files committed to source.
- Access — least privilege, audited. "Why does service B have read access to service A's database password?" If the answer isn't immediate, revoke.
- Rotation — every secret has a rotation cadence. Database credentials: quarterly. API tokens: monthly. Certificate keys: per cert lifetime. Rotation is automated — manual rotation gets skipped.
- Scan and revoke — pre-commit hook (stage 0), CI scan (stage 1), retroactive scan of git history. If a secret leaks, the secret is revoked and rotated first, then the leak is investigated.
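The "scan and revoke" discipline is the one a hook can enforce mechanically. The following is an added example, not code from this handbook or its pipeline: a stage-0 pre-commit scanner in Python that runs two detectors over staged file contents (known credential shapes by regex, and long quoted literals by Shannon entropy), honours an inline allow marker and a fingerprint allowlist for documented test fixtures, and reports findings with a fingerprint and a redacted preview rather than the raw value, so the hook's own output cannot become a second leak. The `STAGED` dict is constructed sample content standing in for the staged diff; the AKIA prefix is AWS's documented access-key-ID shape, while the keyword-assignment rule and the 4.0 bits/char threshold are heuristics chosen for this example.

```python
"""Stage-0 pre-commit secrets scan over staged file contents (example code)."""
import hashlib
import math
import re
from collections import Counter

# Credential shapes. AKIA + 16 chars is AWS's documented access-key-ID format;
# the keyword-assignment rule is a heuristic of this example, not a vendor rule.
PATTERNS = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "private_key_block": re.compile(r"-----BEGIN (?:[A-Z ]+ )?PRIVATE KEY-----"),
    "credential_assignment": re.compile(
        r"(?i)(?:password|passwd|secret|api[_-]?key|token)\s*[:=]\s*['\"]?([^\s'\"]{8,})"
    ),
}
# Quoted literals long enough to be a token; judged by entropy, not shape.
CANDIDATE = re.compile(r"['\"]([A-Za-z0-9+/=_\-]{20,})['\"]")
ENTROPY_THRESHOLD = 4.0  # bits per char; random base64-like strings sit above this
ALLOW_MARKER = "secrets-scan:allow"  # inline opt-out for documented fake fixtures


def shannon_entropy(s: str) -> float:
    """Bits of entropy per character of s (0.0 for a single repeated char)."""
    n = len(s)
    if n == 0:
        return 0.0
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def fingerprint(value: str) -> str:
    """Stable identifier for a value that does not reveal it; used in allowlists."""
    return hashlib.sha256(value.encode()).hexdigest()[:16]


def redact(value: str) -> str:
    """Preview safe to print in hook output: first four chars and the length."""
    return f"{value[:4]}... ({len(value)} chars)"


def scan_text(path: str, text: str, allow_fingerprints=frozenset()) -> list:
    """Scan one file's content; returns a list of finding dicts, never raw values."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        if ALLOW_MARKER in line:
            continue
        hits = []
        for rule, pattern in PATTERNS.items():
            for m in pattern.finditer(line):
                hits.append((rule, m.group(1) if m.groups() else m.group(0)))
        for m in CANDIDATE.finditer(line):
            if shannon_entropy(m.group(1)) >= ENTROPY_THRESHOLD:
                hits.append(("high_entropy_literal", m.group(1)))
        seen = set()  # one finding per distinct value per line
        for rule, value in hits:
            fp = fingerprint(value)
            if fp in allow_fingerprints or value in seen:
                continue
            seen.add(value)
            findings.append({"path": path, "line": lineno, "rule": rule,
                             "fingerprint": fp, "preview": redact(value)})
    return findings


def scan_staged(files: dict, allow_fingerprints=frozenset()) -> list:
    """Scan every staged file; `files` maps path -> staged content."""
    out = []
    for path, text in files.items():
        out.extend(scan_text(path, text, allow_fingerprints))
    return out


def hook_exit_code(findings: list) -> int:
    """Non-zero blocks the commit; the developer revokes/rotates, then re-stages."""
    return 1 if findings else 0


# Constructed sample standing in for `git diff --cached` content (not real secrets).
STAGED = {
    "config/settings.py": (
        'DB_HOST = "db.internal"\n'
        'DB_PASSWORD = "hunter2hunter2"\n'                       # keyword rule
        'AWS_KEY = "AKIAABCDEFGHIJKLMNOP"\n'                     # AWS shape rule
        'SESSION_SALT = "Zk3pQ8vL1mN6xR2wT7yB4cD9eF0gH5jK"\n'   # entropy rule
        'APP_NAME = "inventory service frontend"\n'             # benign
    ),
    "tests/fixtures.py": (
        'FAKE_TOKEN = "Zk3pQ8vL1mN6xR2wT7yB4cD9eF0gH5jK"  # secrets-scan:allow\n'
    ),
}

if __name__ == "__main__":
    results = scan_staged(STAGED)
    for f in results:
        print(f"{f['path']}:{f['line']} {f['rule']} {f['preview']} fp={f['fingerprint']}")
    raise SystemExit(hook_exit_code(results))
```

The fingerprint allowlist is the deliberate path for a documented fake value: the team records `fingerprint(value)` once, not the value, so the allowlist itself never becomes a secrets inventory. The hook prints previews and fingerprints only, which keeps CI logs clean even when the scan fires.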
What good practice looks like
A developer needs a third-party API token for local dev. They request it through the secrets workflow — provisioned to their environment, never committed. The token has dev-only scope with a 30-day expiry; production scope is paged-in for incidents, signed-off, time-boxed.
A secret leaks. The team doesn't ask "how do we hide this?" — they ask "how do we revoke this in the next 10 minutes?" The secret is rotated; the access audit is read; the incident is contained. The chain-aware labels for the incident are configuration (operational) and integration-gap (chain-aware): the secrets workflow was bypassed.
A team that stores secrets in Slack threads or 1Password lockers nobody knows about is a team where every offboarding is a security event. The chain's discipline is to make the right thing easy: a one-command fetch from the secrets store; a one-PR addition of a new secret; a one-click revocation. When the right thing is easy, the wrong thing stays rare.
Related crafts
- Security Testing (SAST/SCA/Secrets) — the leak detector
- Infrastructure as Code — never put secrets in IaC source
- Security Architecture — the bigger frame