Machine Identity

Secrets Management

Secrets management is the discipline (and tooling) for securely storing, distributing, rotating, and auditing access to sensitive values — API keys, database passwords, TLS keys, OAuth client secrets — used by humans and workloads.

Last reviewed 5/30/2026

Key points

  • Eliminates secrets in source control, env files, CI configs, and Slack messages.
  • Core capabilities: encrypted storage, fine-grained access policies, audit logs, dynamic secrets, rotation, leasing.
  • Tools: HashiCorp Vault, AWS Secrets Manager, GCP Secret Manager, Azure Key Vault, Doppler, Infisical, 1Password Secrets Automation, CyberArk Conjur.
  • Dynamic secrets (Vault DB secrets engine, etc.) issue short-lived credentials per use — better than rotating long-lived ones.
  • Adjacent to NHI governance and workload identity — secrets management is the storage layer; NHI tools are the inventory & policy layer.

What is secrets management?

Secrets management is the discipline of giving applications, services, and people the credentials they need — without spreading those credentials across env files, repos, CI configs, and chat tools.

A secrets manager is a hardened store (often backed by an HSM or KMS) that:

  • Stores secrets encrypted at rest.
  • Enforces fine-grained access policies (which workload / human can read which secret).
  • Logs every read for audit and forensics.
  • Rotates secrets on a schedule or on demand.
  • (Best-of-breed) issues dynamic, short-lived secrets on demand — e.g. Vault's database secrets engine generates a per-session DB user that expires automatically.
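
To make the last three capabilities concrete, here is an added Python model of a secrets manager's control plane. It is not Vault's or any vendor's code: it shows a policy check on every request, one audit record per read (allowed or denied), and dynamic credentials minted per request with a TTL, explicit revocation and an expiry sweep. The token names, paths, TTLs and policy shape are made up for the example; encryption at rest is assumed to come from a backing KMS and is not modelled.

```python
import secrets
import time
from dataclasses import dataclass


class PolicyDenied(Exception):
    """Raised when the requesting token's policy does not cover the path."""


@dataclass
class Lease:
    lease_id: str
    path: str
    username: str
    password: str
    expires_at: float
    revoked: bool = False


class SecretsManager:
    """Toy control plane: policies, audit log and leased dynamic credentials.

    Encryption at rest is out of scope (assumed to be provided by a backing
    KMS/HSM); what is modelled is who may read what, the audit trail, and the
    lease lifecycle of short-lived credentials."""

    def __init__(self, policies, clock=time.time):
        # policies: {token: {"allow": {path, ...}}}  (shape assumed for the example)
        self._policies = policies
        self._clock = clock          # injectable so expiry can be tested deterministically
        self._leases = {}
        self.audit = []              # one record per request, allowed or denied

    def _authorize(self, token, path):
        allowed = self._policies.get(token, {}).get("allow", set())
        ok = path in allowed
        # Record the decision before acting on it: denied reads are the interesting ones
        self.audit.append({"ts": self._clock(), "token": token[:4] + "...", "path": path, "allowed": ok})
        if not ok:
            raise PolicyDenied(f"token not permitted to read {path}")

    def issue(self, token, path, ttl):
        """Mint a fresh credential for this request; nothing long-lived to leak."""
        self._authorize(token, path)
        role = path.rsplit("/", 1)[-1]
        lease = Lease(
            lease_id=secrets.token_hex(8),
            path=path,
            username=f"v-{role}-{secrets.token_hex(4)}",   # per-request DB user name
            password=secrets.token_urlsafe(24),
            expires_at=self._clock() + ttl,
        )
        self._leases[lease.lease_id] = lease
        return lease

    def is_valid(self, lease_id):
        lease = self._leases.get(lease_id)
        return lease is not None and not lease.revoked and self._clock() < lease.expires_at

    def revoke(self, lease_id):
        """Explicit revocation, e.g. when a workload is decommissioned or compromised."""
        lease = self._leases.get(lease_id)
        if lease is not None:
            lease.revoked = True

    def sweep(self):
        """Revoke every lease past its TTL; returns the lease ids dropped."""
        now = self._clock()
        dropped = [lid for lid, l in self._leases.items() if not l.revoked and l.expires_at <= now]
        for lid in dropped:
            self._leases[lid].revoked = True
        return dropped


def demo():
    """Walk through issue -> deny -> expire with a fake clock (all values constructed)."""
    clock = {"now": 1_000.0}
    sm = SecretsManager(
        policies={"app-token-1": {"allow": {"db/creds/orders"}}, "ci-token-2": {"allow": set()}},
        clock=lambda: clock["now"],
    )
    a = sm.issue("app-token-1", "db/creds/orders", ttl=300)
    b = sm.issue("app-token-1", "db/creds/orders", ttl=300)   # second caller gets a different user
    try:
        sm.issue("ci-token-2", "db/creds/orders", ttl=300)
        denied = False
    except PolicyDenied:
        denied = True
    clock["now"] += 301            # advance past the TTL
    expired = sm.sweep()
    return {
        "distinct_users": a.username != b.username,
        "denied": denied,
        "lease_a": a.lease_id,
        "expired": expired,
        "a_valid_after_ttl": sm.is_valid(a.lease_id),
        "audit": sm.audit,
    }


if __name__ == "__main__":
    for record in demo()["audit"]:
        print(record)
```

The design point is that the credential handed to the workload is disposable: two callers of the same path get different users, the denied request still leaves an audit record, and once the TTL passes the sweep closes the lease without anyone having to remember to rotate anything.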

Why it matters

  • Credential leaks remain a top initial-access vector — GitHub secret-scanning catches thousands of exposed secrets daily.
  • Compliance frameworks (SOC 2 CC6.1, PCI DSS Requirement 8, ISO 27001 A.9 in the 2013 numbering) require controlled storage, access and rotation of credentials.
  • Static long-lived secrets are at odds with Zero Trust, which assumes any credential can leak and therefore wants credentials that are short-lived, scoped to one workload, and revocable.

Common shapes of solution

| Tool | Strength |
| --- | --- |
| HashiCorp Vault | Multi-cloud, dynamic secrets, PKI engine, transit encryption |
| AWS Secrets Manager / GCP Secret Manager / Azure Key Vault | Cloud-native, deep IAM integration, easiest if you're single-cloud |
| Doppler / Infisical / 1Password | Developer-friendly UX, app config + secrets |
| CyberArk Conjur | Enterprise, often paired with their PAM |

Secrets management vs PAM vs NHI

  • PAM governs human privileged sessions and vaulted human credentials.
  • Secrets management governs application credentials.
  • NHI tools govern the inventory and lifecycle of non-human identities, often plugging into both.

Common mistakes

  • Storing secrets in Git — even private repos. Use pre-commit hooks (gitleaks, trufflehog) plus push protection.
  • One long-lived vault token per app, never rotated. That just relocates the static secret; authenticate workloads with a platform identity (Kubernetes service account, cloud IAM role, CI OIDC token) so the vault can issue short-lived tokens instead.
  • No audit / no alerting — secrets reads should be observable.
  • Secrets in CI logs — mask them; treat CI as untrusted.
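
To show what the pre-commit scanning and CI masking above actually involve, here is an added Python example. It is not gitleaks, trufflehog or any CI vendor's code: a few well-known token shapes plus an entropy-gated generic rule are run over the added lines of a unified diff, and flagged values are redacted the way a CI log masker should. The rules are a small subset, the 3.5 bits/char threshold is an assumed cut-off, and the sample diff (including the AWS documentation example key) is constructed.

```python
import math
import re
from collections import Counter

# Detection rules: a few well-known token shapes plus a generic catch-all for
# high-entropy values assigned to secret-looking names. The specific regexes
# are a small subset of what gitleaks/trufflehog ship.
RULES = {
    "aws-access-key-id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "github-pat": re.compile(r"\bghp_[A-Za-z0-9]{36}\b"),
    "private-key": re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----"),
    "generic-high-entropy": re.compile(
        r"(?i)(?:secret|token|password|api[_-]?key|key)\w*\s*[=:]\s*['\"]?([A-Za-z0-9+/=_\-]{20,})"
    ),
}
ENTROPY_THRESHOLD = 3.5   # bits/char; assumed cut-off chosen for this example


def shannon_entropy(s):
    """Bits per character; random base64/hex scores high, 'changeme' style placeholders low."""
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def scan_diff(diff_text):
    """Scan only the added ('+') lines of a unified diff, as a pre-commit hook would.

    Returns one finding per distinct secret value: {"rule", "line", "value"}."""
    findings = []
    for lineno, line in enumerate(diff_text.splitlines(), 1):
        if not line.startswith("+") or line.startswith("+++"):
            continue                      # removed, context and header lines are not new leaks
        for rule, pattern in RULES.items():
            for m in pattern.finditer(line):
                value = m.group(1) if m.groups() else m.group(0)
                if any(f["value"] == value for f in findings):
                    continue              # already caught by a more specific rule
                if rule == "generic-high-entropy" and shannon_entropy(value) < ENTROPY_THRESHOLD:
                    continue              # low entropy: a placeholder, not a credential
                findings.append({"rule": rule, "line": lineno, "value": value})
    return findings


def mask(text, findings):
    """Redact flagged values, the way CI log masking should (never echo them)."""
    for f in findings:
        text = text.replace(f["value"], "***REDACTED***")
    return text


# Constructed sample diff: one placeholder that should pass, four values that should not.
SAMPLE_DIFF = """\
diff --git a/config.env b/config.env
--- a/config.env
+++ b/config.env
@@ -1,2 +1,6 @@
 DB_HOST=db.internal
-PASSWORD=hunter2
+PASSWORD=changeme-changeme-change
+AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE
+SECRET_KEY = "k8Qz2mN7vP4xR9tW1yB6cH3jL5sA0dFg"
+GITHUB_TOKEN=ghp_16C7e42F292c6912E7710c838347Ae178B4a
+-----BEGIN RSA PRIVATE KEY-----
"""

if __name__ == "__main__":
    hits = scan_diff(SAMPLE_DIFF)
    for h in hits:
        print(f"line {h['line']}: {h['rule']}")
    print(mask(SAMPLE_DIFF, hits))
```

Two details matter in practice: scanning only added lines keeps the hook fast and avoids re-flagging history, and the entropy gate is what keeps a generic "password=" rule from drowning the team in placeholder noise while still catching a real random key assigned to an unexpected variable name.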

Editorial note

If you're starting from scratch and on a single cloud, the native secrets manager is usually the right first call. Vault wins when you're multi-cloud, need dynamic secrets, or need PKI / transit encryption alongside.