Secrets Management Guide
HashiCorp Vault setup, AWS Secrets Manager patterns, rotation scripts, and zero-trust secrets architecture.
📄 Product Preview
Try the interactive reader and demo tools below, or get the full product with all content unlocked.
📖 Interactive Reader (Free Preview) ⚙ Try Demo Tools 📦 Download Free Sample📁 File Structure 27 files
📖 Documentation Preview README excerpt
Secrets Management Guide
A hands-on, code-forward kit for getting secrets out of plaintext and under
real control: HashiCorp Vault setup and least-privilege policies, AWS Secrets
Manager patterns, automated rotation, dynamic database credentials, safe
secret handling in CI, detecting secrets already committed to git, and a staged
migration off plaintext that doesn't cause an outage.
Everything here is anonymized and uses placeholders (<VAULT_TOKEN>, RFC1918
addresses, the example AWS account 111122223333). Nothing in this kit contains
a real secret — and a bundled scanner helps make sure yours never ship either.
Who this is for
Platform/DevOps engineers, SREs, and security engineers who own — or are about
to own — how an organization stores, distributes, rotates, and audits secrets.
You should be comfortable on a Linux shell and with one cloud provider. No prior
Vault experience required; the setup guide starts from operator init.
What you get
- A production-shaped Vault server config and three **least-privilege
policies** (app-read, ci-deploy, rotation-operator) with explicit denies.
- A bootstrap script that initialises Vault, enables audit logging first,
mounts the core engines, and loads the policies.
- A dynamic database secrets script that replaces shared DB passwords with
per-request, auto-expiring users — and rotates the bootstrap password away.
- A complete, annotated AWS Secrets Manager rotation Lambda implementing the
four-step staged rotation contract, plus a least-privilege IAM policy.
- A dependency-free secret scanner (regex + Shannon entropy) and a **history
scanner wrapper driving gitleaks/trufflehog, wired into a CI workflow**.
- A pluggable rotation orchestrator for the static secrets that don't fit
dynamic engines, with generate → apply → verify → rollback semantics.
- Three substantial guides: Vault setup, a rotation runbook (scheduled,
emergency, rollback), and a migration-off-plaintext playbook.
Prerequisites
| Tool | Why | Notes |
|---|---|---|
| Vault CLI ≥ 1.13 | server config, policies, engines | the scripts call vault |
| Bash ≥ 4 | the .sh scripts | setup-vault.sh, etc. |
| Python ≥ 3.10 | the scanners + orchestrator | stdlib only, no pip install |
| AWS CLI + boto3 | Secrets Manager patterns | only for the AWS portions |
| gitleaks or trufflehog | history scanning | optional; scanner falls back |
The Python tools (scan_secrets.py, rotate_secret.py) require **no external
packages**. The AWS rotation Lambda uses boto3, which the AWS Lambda runtime
provides — no install needed there either.
Quick start
# 1. Scan a repo for secrets right now (no setup needed):
*... continues with setup instructions, usage examples, and more.*