Install: claude install-skill ancoleman/ai-design-components
# Managing Secrets
Secure storage, rotation, and delivery of secrets (API keys, database credentials, TLS certificates) for applications and infrastructure.
## When to Use This Skill
Use when:
- Storing API keys, database credentials, or encryption keys
- Implementing secret rotation (manual or automatic)
- Syncing secrets from external stores to Kubernetes
- Setting up dynamic secrets (database, cloud providers)
- Scanning code for leaked secrets
- Implementing zero-knowledge patterns
- Meeting compliance requirements (SOC 2, ISO 27001, PCI DSS)
## Quick Decision Frameworks
### Framework 1: Choosing a Secret Store
| Scenario | Primary Choice | Alternative |
|----------|----------------|-------------|
| Kubernetes + Multi-Cloud | Vault + ESO | Cloud Secret Manager + ESO |
| Kubernetes + Single Cloud | Cloud Secret Manager + ESO | Vault + ESO |
| Serverless (AWS Lambda) | AWS Secrets Manager | AWS Parameter Store |
| Multi-Cloud Enterprise | HashiCorp Vault | Doppler (SaaS) |
| Small Team (<10 apps) | Doppler, Infisical | 1Password Secrets Automation |
| GitOps-Centric | SOPS (git-encrypted) | Sealed Secrets (K8s-only) |
**Decision Tree:**
- Kubernetes? → External Secrets Operator (ESO) with chosen backend
- Single cloud? → Cloud-native (AWS/GCP/Azure)
- Multi-cloud/on-prem? → HashiCorp Vault
- GitOps? → SOPS or Sealed Secrets
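The first branch of the decision tree ("Kubernetes? → External Secrets Operator with chosen backend") is worth seeing as manifests, because it shows what "chosen backend" means in practice: the application-facing `ExternalSecret` stays the same while only the `SecretStore` changes. The following is an added example, not part of this skill's files or the External Secrets project's own samples. The namespace `payments`, the store names, the service account `payments-api`, the Vault address, the Vault role and the secret paths are all assumed placeholders; the `external-secrets.io/v1beta1` API group and the field names are the operator's own.

```yaml
# Added example: sync one database password into a Kubernetes Secret via ESO.
# First backend: HashiCorp Vault KV v2, authenticated with the pod's service
# account token, so no static Vault token is stored in the cluster.
apiVersion: external-secrets.io/v1beta1
kind: SecretStore
metadata:
  name: vault-backend            # assumed name
  namespace: payments            # assumed namespace
spec:
  provider:
    vault:
      server: "https://vault.example.internal:8200"   # assumed Vault address
      path: "secret"             # KV mount; remoteRef.key below is relative to it
      version: "v2"
      auth:
        kubernetes:
          mountPath: "kubernetes"
          role: "payments-api"   # Vault role bound to the service account below
          serviceAccountRef:
            name: payments-api   # assumed service account
---
# Alternative backend for the "single cloud" branch: AWS Secrets Manager,
# authenticated through an IRSA-annotated service account (assumed).
apiVersion: external-secrets.io/v1beta1
kind: SecretStore
metadata:
  name: aws-backend
  namespace: payments
spec:
  provider:
    aws:
      service: SecretsManager
      region: us-east-1
      auth:
        jwt:
          serviceAccountRef:
            name: payments-api
---
# The application-facing object. Switching backends is a one-line change to
# secretStoreRef.name (and the remoteRef.key naming scheme of that backend).
apiVersion: external-secrets.io/v1beta1
kind: ExternalSecret
metadata:
  name: payments-db
  namespace: payments
spec:
  refreshInterval: 1h            # re-sync so a rotation in the store reaches the cluster
  secretStoreRef:
    name: vault-backend          # or: aws-backend
    kind: SecretStore
  target:
    name: payments-db            # the Kubernetes Secret the pod mounts
    creationPolicy: Owner        # ESO owns the Secret; deleting the ExternalSecret removes it
  data:
    - secretKey: DB_PASSWORD     # key inside the generated Kubernetes Secret
      remoteRef:
        key: payments/database   # Vault: path under the "secret" mount (assumed)
        property: password       # field within the KV entry / JSON secret
```

Two checks a practitioner would make after applying this: `kubectl get externalsecret -n payments` should report a `SecretSynced` condition, and the generated Secret should contain only the `DB_PASSWORD` key (the rest of the Vault entry stays in Vault). Note that `refreshInterval` only governs when the Kubernetes Secret is updated; a pod that read the value into an environment variable at startup keeps the old credential until it restarts, whereas a volume-mounted Secret is refreshed by the kubelet, so rotation planning has to account for how the application consumes the secret.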
### Framework 2: Static vs. Dynamic Secrets
| Secret Type | Use Dynamic? | TTL | Solution |
|-------------|-------------|-----|----------|
| Da