Module 9 - Security

Secrets Management

Storing API keys, database passwords, and credentials securely.

1. The Safety Deposit Box Analogy

Simple Analogy
You don't leave your valuables on the kitchen table. You put them in a safety deposit box at the bank. Secrets management is the same: don't leave API keys in code, put them in a secure vault.

Secrets are sensitive credentials: API keys, database passwords, private keys, tokens. Secrets management is storing, accessing, and rotating them securely.

2. Where NOT to Store Secrets

In Source Code

git push → secret in GitHub → scraped by bots → compromised in minutes

In .env Files Committed to Git

.env in repo = .env in everyone's clone. Add to .gitignore!

In Docker Images

docker history exposes build args. Images on public registries = leaked secrets.

In Logs

Accidentally logging config or request bodies with secrets.

In Environment Variables (Unencrypted)

Better than code, but still visible with the env command or process inspection.

3. Secrets Management Solutions

AWS Secrets Manager

AWS native. Auto-rotation for RDS. $0.40/secret/month.

Automatic rotation, fine-grained IAM, audit via CloudTrail

HashiCorp Vault

Industry standard. Self-hosted or HCP. Dynamic secrets.

Dynamic secrets (short-lived), multiple auth methods, encryption as a service

Azure Key Vault

Azure native. HSM-backed. Integrates with Azure services.

HSM protection, soft delete, Azure AD integration

Google Secret Manager

GCP native. Simple API. Automatic replication.

Versioning, IAM integration, regional replication

4. Best Practices

Never Commit Secrets

Use .gitignore, pre-commit hooks (like git-secrets), and CI checks.
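
One way to implement the pre-commit check mentioned above, as an added example rather than code from this course or from git-secrets: it scans only the lines being added in the staged diff. The rule names, regular expressions and entropy cutoff are assumptions chosen for illustration.

```python
#!/usr/bin/env python3
import math
import re
import subprocess
import sys
from collections import Counter

# Rule names, patterns and the 3.0-bit entropy cutoff are choices made for this example.
RULES = {
    "aws-access-key-id": re.compile(r"\b(?:AKIA|ASIA)[0-9A-Z]{16}\b"),
    "private-key-block": re.compile(r"-----BEGIN (?:[A-Z]+ )?PRIVATE KEY-----"),
}
# Credential-like name assigned a 12+ character literal; the lookahead rejects calls and attributes.
ASSIGNMENT = re.compile(
    r"(?i)(?:password|passwd|secret|token|api[_-]?key)[\w.-]*[\"']?\s*[:=]\s*"
    r"[\"']?([A-Za-z0-9+/=_!@#%^&*-]{12,})(?![\w.(\[])"
)

def entropy(value):
    """Shannon entropy of a string, in bits per character."""
    counts = Counter(value)
    return -sum(n / len(value) * math.log2(n / len(value)) for n in counts.values())

def scan_diff(diff_text, min_entropy=3.0):
    """Return (path, line_number, rule) for every added line that matches a rule."""
    findings, path, lineno = [], None, 0
    for line in diff_text.splitlines():
        if line.startswith("+++ "):            # new-file header: "+++ b/<path>"
            path = line[4:].removeprefix("b/")
        elif line.startswith("@@"):            # hunk header: "@@ -a,b +c,d @@"
            lineno = int(re.search(r"\+(\d+)", line).group(1)) - 1
        elif line.startswith("+"):             # added line
            lineno += 1
            hits = [name for name, rx in RULES.items() if rx.search(line[1:])]
            match = ASSIGNMENT.search(line[1:])
            # Repetitive placeholders such as "changemechangeme" fall below the cutoff.
            if match and entropy(match.group(1)) >= min_entropy:
                hits.append("credential-assignment")
            findings += [(path, lineno, rule) for rule in hits]
        elif line.startswith(" "):             # context line (absent with -U0)
            lineno += 1
    return findings

if __name__ == "__main__":
    staged = subprocess.run(["git", "diff", "--cached", "-U0", "--no-color"],
                            capture_output=True, text=True, check=True).stdout
    found = scan_diff(staged)
    for path, lineno, rule in found:
        print(f"{path}:{lineno}: possible secret ({rule})", file=sys.stderr)
    sys.exit(1 if found else 0)
```

Saved as an executable .git/hooks/pre-commit file, the non-zero exit status aborts the commit. Pattern matching of this kind misses secrets that fit no rule, so it complements rotation and a secrets manager rather than replacing them.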

Rotate Regularly

Automate rotation. If a secret is compromised, rotation limits the damage window.

Least Privilege

Each service gets only the secrets it needs. Separate DB passwords per service.

Audit Access

Log who accessed which secrets. Alert on unusual access patterns.

Use Short-Lived Credentials

Dynamic secrets that expire. Better than static keys.

5. Environment Variables Done Right

Hierarchy (from least to most secure)
Hardcoded in code: Never do this
.env file in repo: Still bad
.env file (gitignored): OK for local dev
CI/CD secret variables: Good for deployments
Secrets manager at runtime: Best for production

6. What to Do When Secrets Leak

1. Rotate immediately
   Generate new secret. Deploy to all services.
2. Revoke the old secret
   Invalidate the leaked credential in the provider.
3. Audit access logs
   Check if the secret was used maliciously.
4. Find the leak source
   Code? Logs? Screenshot? Fix the root cause.
5. Post-mortem
   Document what happened. Improve processes.

7. Key Takeaways

1. Never commit secrets to version control. Use .gitignore + pre-commit hooks.
2. Use a secrets manager: AWS Secrets Manager, Vault, etc.
3. Rotate secrets regularly. Automate rotation where possible.
4. Least privilege: each service gets only what it needs.
5. When leaked: rotate, revoke, audit, fix, document.

Quiz

1. You pushed an API key to GitHub. First step?

2. Best place for production database password?