Secrets Management

Definition

Secure storage and automatic rotation of sensitive information like passwords, API keys, certificates, and tokens used by applications.

Frequently Asked Questions

What's the difference between Secrets Management and KMS (Key Management Service)?
KMS manages encryption keys (the keys used to encrypt/decrypt data). Secrets Management stores the sensitive values themselves (like database passwords or API tokens) and controls who/what can retrieve them. Many secrets services use KMS under the hood to encrypt secrets at rest, but they add features like secret versioning, access policies, auditing, and rotation workflows.
When should I use Secrets Management?
Use it whenever an application needs sensitive values (database credentials, third-party API keys, OAuth tokens, signing keys, TLS certificates) and you want to avoid hardcoding them in code, container images, or CI logs. It’s especially useful if you need regular rotation, centralized auditing, least-privilege access, and a standard way for multiple services/environments (dev/test/prod) to retrieve secrets safely.
How much does Secrets Management cost?
Costs usually depend on (1) how many secrets you store, (2) how often secrets are accessed (API calls), and (3) whether you use rotation or managed HSM options. For example, AWS Secrets Manager charges per secret per month plus API calls, while Azure Key Vault and GCP Secret Manager commonly charge based on operations (and sometimes per secret/version). OCI Vault pricing depends on vault type and operations. Rotation can add costs for the compute used to run rotation logic (for example, a serverless function) and any database/user-management operations involved.
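A minimal in-memory illustration of what the FAQ says a secrets service adds on top of KMS: versioning, a least-privilege access policy, an audit trail and a rotation workflow that keeps the previous version readable. This is example code written for this page, not any provider's SDK; the secret name, principals and values are constructed, and the KMS-backed encryption at rest is left out.

```python
from typing import Callable

class SecretsStore:
    """Toy secrets store (written for this page, not a provider SDK): versioning,
    least-privilege read policy, audit log and rotation; KMS encryption at rest omitted."""

    def __init__(self) -> None:
        self._versions: dict = {}  # name -> list of versions, newest last
        self._policy: dict = {}    # name -> set of principals allowed to read
        self.audit: list = []      # every put/get/rotate, allowed or denied

    def grant(self, name: str, principal: str) -> None:
        self._policy.setdefault(name, set()).add(principal)

    def put(self, name: str, value: str, principal: str) -> int:
        """Append a new version and return its 1-based number."""
        versions = self._versions.setdefault(name, [])
        versions.append(value)
        self.audit.append((principal, "put", name, len(versions)))
        return len(versions)

    def get(self, name: str, principal: str, stage: str = "CURRENT") -> str:
        """Read the CURRENT (latest) or PREVIOUS version; denials are logged too."""
        allowed = principal in self._policy.get(name, set())
        self.audit.append((principal, "get", name, stage, "allow" if allowed else "deny"))
        if not allowed:
            raise PermissionError(f"{principal} may not read {name}")
        versions = self._versions[name]
        return versions[-1] if stage == "CURRENT" else versions[-2]

    def rotate(self, name: str, generate: Callable[[], str], principal: str) -> int:
        """Store a fresh value as CURRENT; the old one stays readable as PREVIOUS
        so clients that fetched it before the rotation are not cut off."""
        version = self.put(name, generate(), principal)
        self.audit.append((principal, "rotate", name, version))
        return version

def demo() -> dict:
    """Constructed scenario: seed, rotate, read both stages, deny a CI runner."""
    store = SecretsStore()
    store.grant("db/app-password", "app-service")
    store.put("db/app-password", "pw-v1", principal="ops")
    store.rotate("db/app-password", lambda: "pw-v2", principal="rotation-job")
    out = {"current": store.get("db/app-password", "app-service"),
           "previous": store.get("db/app-password", "app-service", "PREVIOUS")}
    try:
        store.get("db/app-password", "ci-runner")
    except PermissionError:
        out["denied"] = True
    out["audit_entries"] = len(store.audit)
    return out
```

The audit list records the denied read by `ci-runner` as well as the allowed ones, which is the detail a central store gives you and a hardcoded credential never can.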

Category: security

Difficulty: intermediate