Security

Secrets Management

Best practices for managing database credentials and API keys securely


Secure secrets management is critical for protecting your database credentials, API keys, and other sensitive configuration. This guide covers best practices and recommended tools for managing secrets in your applications.

Why Secrets Management Matters

Hardcoded credentials in source code are a leading cause of security breaches. Proper secrets management:

  • Prevents credential exposure in version control
  • Enables credential rotation without code changes
  • Provides audit trails for compliance
  • Supports environment separation (dev, staging, prod)

Environment Variables

The simplest approach is storing secrets in environment variables:

```bash
# Set environment variable
export DATABASE_URL="postgresql://user:password@host:5432/db"
```

```python
# Access in your application
import os

database_url = os.environ.get('DATABASE_URL')
```

Cloud Provider Solutions

| Tool | Best For | Features |
| --- | --- | --- |
| AWS Secrets Manager | AWS workloads | Automatic rotation, IAM integration, cross-account access |
| Azure Key Vault | Azure workloads | HSM-backed keys, RBAC, managed identities |
| Google Secret Manager | GCP workloads | Automatic replication, IAM policies, versioning |

Third-Party Solutions

| Tool | Best For | Features |
| --- | --- | --- |
| HashiCorp Vault | Multi-cloud, on-premises | Dynamic secrets, encryption as a service, PKI |
| Doppler | Developer teams | CLI integration, environment sync, audit logs |
| 1Password Secrets Automation | Teams using 1Password | CI/CD integration, secret references |

Kubernetes-Native Solutions

| Tool | Best For | Features |
| --- | --- | --- |
| External Secrets Operator | K8s with cloud providers | Syncs from Vault, AWS, Azure, GCP |
| Sealed Secrets | GitOps workflows | Encrypt secrets for safe Git storage |
| SOPS | Flux CD users | File encryption with multiple backends |

Best Practices

1. Rotate Credentials Regularly

Implement automated credential rotation:

  • Database passwords: Every 90 days minimum
  • API keys: Every 30-90 days
  • Service accounts: On personnel changes

2. Use Least Privilege

Grant minimal permissions required:

  • Separate read-only and read-write credentials
  • Use database roles with specific permissions
  • Avoid using superuser credentials in applications

3. Audit Access

Maintain logs of secret access:

  • Enable audit logging in your secrets manager
  • Monitor for unusual access patterns
  • Review access regularly

4. Separate Environments

Use different credentials per environment:

  • Development credentials should never access production
  • Use naming conventions to prevent confusion
  • Implement network segmentation

Integration Examples

AWS Secrets Manager with Python

```python
import boto3
import json


def get_secret(secret_name):
    # Credentials and region come from the boto3 credential chain (IAM role,
    # profile, or environment), never from the code itself.
    client = boto3.client('secretsmanager')
    response = client.get_secret_value(SecretId=secret_name)
    # Secrets stored as key/value pairs are returned as a JSON string.
    return json.loads(response['SecretString'])


# Usage
secrets = get_secret('prod/database/credentials')
connection_string = secrets['DATABASE_URL']
```

HashiCorp Vault with Environment Variables

```bash
# Using Vault CLI
export DATABASE_URL=$(vault kv get -field=url secret/database)
```

GitHub Secret Scanning

BA is a GitHub Secret Scanning Partner. If your credentials are accidentally committed to a public repository, GitHub notifies us and we alert you immediately.

If credentials are exposed:

  1. Rotate the compromised credentials immediately
  2. Review access logs for unauthorized usage
  3. Check for any data exposure
  4. Contact [email protected] if needed

Frequently Asked Questions

What happens if I accidentally commit credentials? Rotate them immediately. Even if you remove the commit, credentials may be cached or scraped. BA participates in GitHub Secret Scanning to help detect exposed credentials.

Should I encrypt secrets at rest? Yes. Use a secrets manager that encrypts secrets at rest (AES-256) and in transit (TLS). Avoid storing secrets in plain text files.

How do I manage secrets in CI/CD pipelines? Use your CI/CD platform's secrets feature (GitHub Secrets, GitLab CI Variables) or integrate with your secrets manager. Never echo secrets in logs.
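The "never echo secrets in logs" rule above is easy to break when a connection string like the DATABASE_URL example is logged by accident. The following is an added example, not part of this guide's own code, showing a logging filter that masks the password component of URL-style connection strings and the literal values of known secrets before any handler writes them; the secret values and log messages are constructed for the demo, and in real use the literal list would be built from the values of your secret environment variables.

```python
import logging
import re

# Password component of URL-style connection strings such as
# postgresql://user:password@host:5432/db (the DATABASE_URL form above).
# Over-matching is the safe direction: redacting too much never leaks anything.
_URL_PASSWORD = re.compile(r"(://[^:/\s@]+:)[^@\s]+(@)")

def redact(text, literals=()):
    """Mask passwords embedded in connection URLs and any literal secret values."""
    text = _URL_PASSWORD.sub(r"\1***\2", text)
    # Longest value first, so a secret containing a shorter one never leaks a fragment.
    for value in sorted((v for v in literals if v), key=len, reverse=True):
        text = text.replace(value, "[REDACTED]")
    return text

class SecretRedactingFilter(logging.Filter):
    """Handler-level filter: rewrites each record before it is emitted, so a secret
    passed as a %s argument is masked too. In production, build `literals` from the
    os.environ values of your secret variables (e.g. DATABASE_URL, API_KEY)."""

    def __init__(self, literals=()):
        super().__init__()
        self._literals = list(literals)

    def filter(self, record):
        record.msg = redact(record.getMessage(), self._literals)
        record.args = ()  # already interpolated; avoids a second % pass
        return True

def logged_lines(messages, literals=()):
    """Run messages through a logger with the filter attached; return the emitted lines."""
    captured = []

    class _Capture(logging.Handler):
        def emit(self, record):
            captured.append(self.format(record))

    handler = _Capture()
    handler.addFilter(SecretRedactingFilter(literals))
    logger = logging.getLogger("secrets-redaction-demo")
    logger.handlers.clear()
    logger.propagate = False
    logger.setLevel(logging.INFO)
    logger.addHandler(handler)
    for message in messages:
        logger.info("connecting with %s", message)  # secret arrives as an argument
    return captured
```

Attach the filter to every handler (file, stdout, remote shipper) rather than to a single logger, since logger-level filters do not run on records propagated from child loggers.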