
---

# 🔐 Env & Secrets (.env, Vault, KMS)

> **Intent** → Keep configuration **outside code** and protect **secrets** across dev/stage/prod with auditable, least-privilege access.

---

## 🧭 What Belongs Where

* **Environment variables**: non-secret config (feature flags, log level), secret *references* (URIs/keys).
* **Secret stores**: DB passwords, API keys, JWT signing keys, OAuth client secrets.
* **.env (local only)**: developer convenience; never commit; mirror prod names.

---

## 🧱 Options Overview

* **.env files** → fast local dev; easy to rotate locally; **not for prod**.
* **Cloud Secret Managers** (AWS Secrets Manager/SSM, GCP Secret Manager, Azure Key Vault) → managed storage, IAM policies, audit logs, versioning.
* **Vault** (HashiCorp) → dynamic secrets, lease/renew/revoke, rich policies.
* **KMS (AWS/GCP/Azure)** → encrypt/decrypt payloads or envelope-encrypt files; combine with a store.

---

## 🔑 Access & IAM

* App gets **short-lived credentials** (workload identity, service accounts).
* Scope permissions to **read only** specific secret paths.
* Rotate keys regularly; prefer **automatic rotation** if supported.

---

## 🔁 Load & Refresh Strategy

* **Startup fetch**: load secrets at boot (simple, fewer calls).
* **On-demand**: cache in memory; refresh on TTL/rotation event.
* Expose **health checks** that fail if critical secrets can’t be fetched.

---

## 📦 Packaging & Delivery

* Don’t bake secrets into images.
* Inject via **env** at deploy time (Kubernetes Secrets, ECS Task env, etc.).
* Use **sealed/encrypted** manifests if you must keep values in Git (SOPS + KMS).

---

## 🧪 Testing & Local Dev

* Provide a sample **`.env.example`** (names only, no real values).
* Use **test secrets** with reduced scope; never reuse prod keys.
* In CI, pull from a **CI-scoped secret store** (separate project/account).

---

## 🔐 Crypto & Keys

* Separate **signing keys** (JWT) from **encryption keys**.
* Prefer **asymmetric** keys for token signing (rotate without downtime).
* Store KMS key IDs in env; perform crypto via **KMS APIs** when feasible.

---

## 🧯 Incident Readiness

* Track **who accessed what** (audit trails).
* Roll secrets quickly: rotate, invalidate old, restart pods gracefully.
* Maintain **runbooks** for leaked key response.

---

## 📊 Observability

* Log **key usage metrics** (count, latency, errors)—never values.
* Alert on **access denials**, unusual spikes, or repeated decrypt failures.

---

## ✅ Outcome

Secrets stay **out of code and images**, managed by **proper IAM** with **rotation and auditability**, while your app reads config via **env** in a safe, portable way.
