secrets-vault-manager

# Secrets Vault Manager **Tier:** POWERFUL **Category:** Engineering **Domain:** Security / Infrastructure / DevOps --- ## Overview Production secret infrastructure management for teams running HashiCorp Vault, cloud-native secret stores, or hybrid architectures. This skill covers policy authoring, auth method configuration, automated rotation, dynamic secrets, audit logging, and incident response. **Distinct from env-secrets-manager** which handles local `.env` file hygiene and leak detection. This skill operates at the infrastructure layer — Vault clusters, cloud KMS, certificate authorities, and CI/CD secret injection. ### When to Use - Standing up a new Vault cluster or migrating to a managed secret store - Designing auth methods for services, CI runners, and human operators - Implementing automated credential rotation (database, API keys, certificates) - Auditing secret access patterns for compliance (SOC 2, ISO 27001, HIPAA) - Responding to a secret leak that requires mass revocation - Integrating secrets into Kubernetes workloads or CI/CD pipelines --- ## HashiCorp Vault Patterns ### Architecture Decisions | Decision | Recommendation | Rationale | |----------|---------------|-----------| | Deployment mode | HA with Raft storage | No external dependency, built-in leader election | | Auto-unseal | Cloud KMS (AWS KMS / Azure Key Vault / GCP KMS) | Eliminates manual unseal, enables automated restarts | | Namespaces | One per environment (dev/staging/prod) | Blas...