Secret Management and Rotation
A focused chapter on secret management and rotation, with practical delivery concerns, trade-offs, and the operational questions behind CI/CD work.
Why Your Database Password Should Never Live in a Config File
You are building a new application. Early on, you put all the variable data into one file: database name, server address, API URLs. It goes into Git, gets
Where Secrets Live: From Config Files to Vault
You are setting up a new application. You create a .env file with database credentials, API keys, and server addresses. It works on your machine. You
How Pipelines Access Secrets Without Storing Them
You have a pipeline that builds, tests, and deploys your application. Somewhere during that process, it needs a database password, an API key, or a
How Secrets Leak Through Logs, Build Artifacts, and Git History
You just finished setting up your CI/CD pipeline to securely fetch secrets from a vault. The pipeline runs, the application deploys, and everything looks
Rotating Secrets: Why, When, and How to Do It Without Breaking Your System
You have your secrets stored safely in a vault. Your pipeline injects them at deploy time. Everything looks solid. But there is a problem you might not
When a Database Password Lives Only Minutes Instead of Months
Your team has been rotating database passwords every three months. You feel safer than the teams that never rotate at all. But here is the uncomfortable
Who Saw That Secret? Why Audit Logs Matter More Than You Think
You get a notification at 3 AM. Someone used a production database credential to run a destructive query. The damage is done. Your first question is not
Why Your Team Needs a Secret Policy (Not Just a Vault)
You walk into a team room and ask five developers where they keep database passwords. One points to a .env file in the project root. Another has a private