home / skills / eyadsibai / ltk / secrets-management

secrets-management skill

safe

/plugins/ltk-devops/skills/secrets-management

This skill helps you implement secure secrets management across CI/CD using Vault, AWS Secrets Manager, and external tools to protect credentials.

npx playbooks add skill eyadsibai/ltk --skill secrets-management

Review the files below or copy the command above to add this skill to your agents.

Files (1)

SKILL.md

3.6 KB

---
name: secrets-management
description: Use when implementing secrets management, using Vault, AWS Secrets Manager, handling credentials in CI/CD, or asking about "secrets", "Vault", "credentials", "secret rotation", "API keys", "external secrets operator"
version: 1.0.0
---

# Secrets Management

Secure secrets management for CI/CD pipelines using Vault, AWS Secrets Manager, and other tools.

## Secret Management Tools

| Tool | Best For |
|------|----------|
| HashiCorp Vault | Centralized, dynamic secrets |
| AWS Secrets Manager | AWS-native, auto-rotation |
| Azure Key Vault | Azure-native, HSM-backed |
| Google Secret Manager | GCP-native, IAM integration |

## HashiCorp Vault

### Setup

```bash
vault secrets enable -path=secret kv-v2
vault kv put secret/database/config username=admin password=secret
```

### GitHub Actions Integration

```yaml
- name: Import Secrets from Vault
  uses: hashicorp/vault-action@v2
  with:
    url: https://vault.example.com:8200
    token: ${{ secrets.VAULT_TOKEN }}
    secrets: |
      secret/data/database username | DB_USERNAME ;
      secret/data/database password | DB_PASSWORD
```

### GitLab CI Integration

```yaml
deploy:
  script:
    - export VAULT_ADDR=https://vault.example.com:8200
    - DB_PASSWORD=$(vault kv get -field=password secret/database/config)
```

## AWS Secrets Manager

### Store Secret

```bash
aws secretsmanager create-secret \
  --name production/database/password \
  --secret-string "super-secret-password"
```

### Retrieve in CI/CD

```yaml
- name: Get secret from AWS
  run: |
    SECRET=$(aws secretsmanager get-secret-value \
      --secret-id production/database/password \
      --query SecretString --output text)
    echo "::add-mask::$SECRET"
    echo "DB_PASSWORD=$SECRET" >> $GITHUB_ENV
```

### Terraform Integration

```hcl
data "aws_secretsmanager_secret_version" "db_password" {
  secret_id = "production/database/password"
}

resource "aws_db_instance" "main" {
  password = jsondecode(data.aws_secretsmanager_secret_version.db_password.secret_string)["password"]
}
```

## External Secrets Operator (Kubernetes)

```yaml
apiVersion: external-secrets.io/v1beta1
kind: SecretStore
metadata:
  name: vault-backend
spec:
  provider:
    vault:
      server: "https://vault.example.com:8200"
      path: "secret"
      auth:
        kubernetes:
          mountPath: "kubernetes"
          role: "production"
---
apiVersion: external-secrets.io/v1beta1
kind: ExternalSecret
metadata:
  name: database-credentials
spec:
  refreshInterval: 1h
  secretStoreRef:
    name: vault-backend
  data:
  - secretKey: password
    remoteRef:
      key: database/config
      property: password
```

## Secret Rotation

```python
def rotate_secret(secret_id):
    # Generate new password
    new_password = generate_strong_password()

    # Update database password
    update_database_password(new_password)

    # Update secret store
    client.put_secret_value(
        SecretId=secret_id,
        SecretString=json.dumps({'password': new_password})
    )
```

## Secret Scanning (Pre-commit)

```bash
#!/bin/bash
# .git/hooks/pre-commit
docker run --rm -v "$(pwd):/repo" \
  trufflesecurity/trufflehog:latest \
  filesystem --directory=/repo

if [ $? -ne 0 ]; then
  echo "Secret detected! Commit blocked."
  exit 1
fi
```

## Best Practices

1. **Never commit secrets** to Git
2. **Use different secrets** per environment
3. **Rotate secrets regularly**
4. **Implement least-privilege access**
5. **Enable audit logging**
6. **Use secret scanning** (GitGuardian, TruffleHog)
7. **Mask secrets in logs**
8. **Use short-lived tokens** when possible

Overview

This skill helps teams implement robust secrets management across CI/CD, cloud providers, and Kubernetes using Vault, AWS Secrets Manager, External Secrets Operator, and related tooling. It focuses on secure storage, retrieval, rotation, and scanning of credentials and API keys to reduce leak risk and meet compliance needs. Practical examples and patterns are provided for pipelines, Terraform, and rotation code.

How this skill works

The skill inspects common secrets workflows and supplies concrete configurations and scripts for secret storage, retrieval, and rotation. It maps providers (Vault, AWS Secrets Manager, GCP/Azure, External Secrets Operator) to CI/CD integrations and shows how to mask secrets, enable audit logging, and enforce least-privilege. It also includes patterns for pre-commit secret scanning and automating rotation with short-lived credentials.

When to use it

Setting up centralized secret storage for multiple environments
Integrating Vault or AWS Secrets Manager into CI/CD pipelines
Mounting external secrets into Kubernetes using External Secrets Operator
Automating secret rotation and propagation to dependent systems
Adding pre-commit or CI secret scanning to prevent leaks
Designing least-privilege access and audit trails for credentials

Best practices

Never commit secrets to source control; use secret stores instead
Use distinct secrets per environment and per service to limit blast radius
Rotate secrets regularly and automate rotation where possible
Grant least-privilege access with fine-grained roles and policies
Mask secrets in logs and enable audit logging on secret stores
Add secret scanning to commit hooks and CI to catch accidental exposures

Example use cases

Store DB credentials in Vault and fetch them at deploy time with a short-lived token
Use AWS Secrets Manager to auto-rotate production database passwords and inject into ECS tasks
Configure External Secrets Operator to sync Vault secrets into Kubernetes Secrets with refresh intervals
Add a pre-commit hook that runs TruffleHog or GitGuardian to block commits containing secrets
Use Terraform data sources to populate infrastructure resources from Secrets Manager during provisioning
Implement a rotation function that updates the database, then updates the secret store atomically

FAQ

How do I avoid exposing secrets in CI logs?

Mask secrets at the CI level (e.g., add-mask in GitHub Actions) and avoid printing secret variables. Use environment variables or runtime injection rather than writing secrets to stdout.

When should I use Vault vs AWS Secrets Manager?

Use Vault for centralized, multi-cloud workflows, dynamic secrets, and advanced secret engines. Use AWS Secrets Manager when you want native AWS integration and built-in rotation for AWS resources.