# Secrets Management — Overview

Secrets management protects sensitive data (API keys, passwords, certificates) throughout their lifecycle. Poor secrets handling is a leading cause of security breaches.

## Why secrets management matters

| Risk | Consequence |
| --- | --- |
| Hardcoded secrets in code | Exposed in version control, logs |
| Secrets in env vars | Visible in process listings, crash dumps |
| No rotation | Unlimited exposure window if leaked |
| Shared secrets | No audit trail, difficult revocation |

## Key principles

1. **Never hardcode** — Secrets should never appear in source code
2. **Encrypt at rest** — Store secrets encrypted, not plaintext
3. **Encrypt in transit** — Use TLS for secret retrieval
4. **Least privilege** — Apps only access secrets they need
5. **Rotate regularly** — Automated rotation limits exposure
6. **Audit access** — Log who accessed what and when

## Solutions comparison

| Solution | Type | Best for |
| --- | --- | --- |
| HashiCorp Vault | Self-hosted / HCP | Multi-cloud, on-prem, dynamic secrets |
| AWS Secrets Manager | Managed | AWS-native workloads |
| AWS Parameter Store | Managed | Simple config + secrets in AWS |
| Azure Key Vault | Managed | Azure-native workloads |
| GCP Secret Manager | Managed | GCP-native workloads |
| Kubernetes Secrets | Native | Simple K8s deployments |
| External Secrets Operator | K8s controller | Sync external secrets to K8s |

## HashiCorp Vault

Industry-standard secrets manager supporting dynamic secrets, encryption-as-a-service, and identity-based access.

### Key features
- **Dynamic secrets** — Generate short-lived credentials on-demand
- **Secret engines** — AWS, databases, PKI, SSH, and more
- **Auth methods** — Kubernetes, OIDC, AWS IAM, AppRole
- **Policies** — Fine-grained access control

```bash
# Start Vault dev server
vault server -dev

# Write a secret
vault kv put secret/myapp/config \
  db_user="admin" \
  db_pass="s3cr3t"

# Read a secret
vault kv get secret/myapp/config
vault kv get -field=db_pass secret/myapp/config

# Enable database secrets engine (dynamic credentials)
vault secrets enable database

vault write database/config/postgres \
  plugin_name=postgresql-database-plugin \
  connection_url="postgresql://{{username}}:{{password}}@postgres:5432/mydb" \
  allowed_roles="readonly" \
  username="vault_admin" \
  password="vault_pass"

vault write database/roles/readonly \
  db_name=postgres \
  creation_statements="CREATE ROLE \"{{name}}\" WITH LOGIN PASSWORD '{{password}}' VALID UNTIL '{{expiration}}'; GRANT SELECT ON ALL TABLES IN SCHEMA public TO \"{{name}}\";" \
  default_ttl="1h" \
  max_ttl="24h"

# Get dynamic database credentials
vault read database/creds/readonly
```

## AWS Secrets Manager

Managed service with automatic rotation for RDS, Redshift, and DocumentDB.

```bash
# Create a secret
aws secretsmanager create-secret \
  --name myapp/prod/db-creds \
  --secret-string '{"username":"admin","password":"s3cr3t"}'

# Retrieve a secret
aws secretsmanager get-secret-value \
  --secret-id myapp/prod/db-creds

# Enable automatic rotation (for RDS)
aws secretsmanager rotate-secret \
  --secret-id myapp/prod/db-creds \
  --rotation-lambda-arn arn:aws:lambda:us-east-1:123456789:function:SecretsRotation \
  --rotation-rules AutomaticallyAfterDays=30
```

**Python SDK example:**
```python
import boto3
import json

client = boto3.client('secretsmanager')

response = client.get_secret_value(SecretId='myapp/prod/db-creds')
secret = json.loads(response['SecretString'])

db_user = secret['username']
db_pass = secret['password']
```

## Kubernetes Secrets

Native K8s resource for storing sensitive data. **Note:** Base64-encoded, not encrypted by default.

```yaml
# Create a secret
apiVersion: v1
kind: Secret
metadata:
  name: db-credentials
type: Opaque
stringData:  # Use stringData for plain text (auto-encoded)
  username: admin
  password: s3cr3t

---
# Use in a Pod as environment variables
apiVersion: v1
kind: Pod
metadata:
  name: myapp
spec:
  containers:
  - name: app
    image: myapp:latest
    env:
    - name: DB_USER
      valueFrom:
        secretKeyRef:
          name: db-credentials
          key: username
    - name: DB_PASS
      valueFrom:
        secretKeyRef:
          name: db-credentials
          key: password

---
# Or mount as files
apiVersion: v1
kind: Pod
metadata:
  name: myapp
spec:
  containers:
  - name: app
    image: myapp:latest
    volumeMounts:
    - name: secrets
      mountPath: /etc/secrets
      readOnly: true
  volumes:
  - name: secrets
    secret:
      secretName: db-credentials
```

**Enable encryption at rest:**
```yaml
# /etc/kubernetes/encryption-config.yaml
apiVersion: apiserver.config.k8s.io/v1
kind: EncryptionConfiguration
resources:
  - resources:
      - secrets
    providers:
      - aescbc:
          keys:
            - name: key1
              secret: <base64-encoded-32-byte-key>
      - identity: {}
```

## External Secrets Operator

Syncs secrets from external managers (Vault, AWS, Azure, GCP) into Kubernetes.

```yaml
# SecretStore pointing to AWS Secrets Manager
apiVersion: external-secrets.io/v1beta1
kind: SecretStore
metadata:
  name: aws-secrets
spec:
  provider:
    aws:
      service: SecretsManager
      region: us-east-1
      auth:
        jwt:
          serviceAccountRef:
            name: external-secrets-sa

---
# ExternalSecret that syncs to K8s Secret
apiVersion: external-secrets.io/v1beta1
kind: ExternalSecret
metadata:
  name: db-credentials
spec:
  refreshInterval: 1h
  secretStoreRef:
    name: aws-secrets
    kind: SecretStore
  target:
    name: db-credentials
    creationPolicy: Owner
  data:
  - secretKey: username
    remoteRef:
      key: myapp/prod/db-creds
      property: username
  - secretKey: password
    remoteRef:
      key: myapp/prod/db-creds
      property: password
```

## Mini example: Secrets solution comparison

In [None]:
import pandas as pd
import plotly.express as px

solutions = pd.DataFrame({
    "Solution": ["Vault", "AWS SM", "K8s Secrets", "Azure KV", "GCP SM"],
    "Dynamic Secrets": [10, 5, 0, 3, 3],
    "Rotation": [10, 8, 2, 7, 7],
    "Multi-cloud": [10, 3, 5, 3, 3],
    "Ease of Use": [5, 8, 9, 8, 8],
    "Cost": [6, 7, 10, 7, 7],  # Higher = cheaper
})

fig = px.line_polar(
    solutions.melt(id_vars="Solution", var_name="Feature", value_name="Score"),
    r="Score", theta="Feature", color="Solution", line_close=True,
    title="Secrets management solutions comparison"
)
fig.update_traces(fill="toself")
fig.update_layout(polar=dict(radialaxis=dict(range=[0, 10])))
fig

## Best practices

1. **Use a dedicated secrets manager** — Don't rely on env vars or config files
2. **Enable encryption at rest** — For K8s secrets, enable etcd encryption
3. **Implement rotation** — Automate credential rotation
4. **Use short-lived credentials** — Dynamic secrets reduce blast radius
5. **Audit access** — Enable logging for all secret access
6. **Scan for leaks** — Use tools like truffleHog, git-secrets in CI/CD
7. **Separate by environment** — Different secrets for dev/staging/prod