← Back to all products

Secrets Management Guide

$29

HashiCorp Vault setup, AWS Secrets Manager patterns, rotation scripts, and zero-trust secrets architecture.

📁 27 files
MarkdownTOMLShellJSONYAMLPythonAWSGitHub ActionsCI/CD

📄 Product Preview

Try the interactive reader and demo tools below, or get the full product with all content unlocked.

📖 Interactive Reader (Free Preview) ⚙ Try Demo Tools 📦 Download Free Sample

📁 File Structure 27 files

secrets-management-guide/ ├── LICENSE ├── README.md ├── aws/ │ ├── iam-policy-secrets-read.json │ ├── rotation_lambda.py │ └── secrets-manager-patterns.md ├── ci/ │ └── secrets-scan.yml ├── docs/ │ ├── migration-off-plaintext.md │ ├── rotation-runbook.md │ └── vault-setup-guide.md ├── examples/ │ └── sample-scan-output.txt ├── free-sample.zip ├── guide/ │ ├── 01-why-secrets-management-matters.md │ ├── 02-hashicorp-vault-deployment.md │ ├── 03-aws-secrets-manager-patterns.md │ ├── 04-secret-detection-and-ci-integration.md │ └── 05-rotation-strategies-and-migration.md ├── index.html ├── scripts/ │ ├── detect_committed_secrets.sh │ ├── rotate_secret.py │ └── scan_secrets.py └── vault/ ├── dynamic-db-secrets.sh ├── policies/ │ ├── app-read.hcl │ ├── ci-deploy.hcl │ └── rotation-operator.hcl ├── server.hcl └── setup-vault.sh

📖 Documentation Preview README excerpt

Secrets Management Guide

A hands-on, code-forward kit for getting secrets out of plaintext and under

real control: HashiCorp Vault setup and least-privilege policies, AWS Secrets

Manager patterns, automated rotation, dynamic database credentials, safe

secret handling in CI, detecting secrets already committed to git, and a staged

migration off plaintext that doesn't cause an outage.

Everything here is anonymized and uses placeholders (<VAULT_TOKEN>, RFC1918

addresses, the example AWS account 111122223333). Nothing in this kit contains

a real secret — and a bundled scanner helps make sure yours never ship either.


Who this is for

Platform/DevOps engineers, SREs, and security engineers who own — or are about

to own — how an organization stores, distributes, rotates, and audits secrets.

You should be comfortable on a Linux shell and with one cloud provider. No prior

Vault experience required; the setup guide starts from operator init.

What you get

  • A production-shaped Vault server config and three **least-privilege

policies** (app-read, ci-deploy, rotation-operator) with explicit denies.

  • A bootstrap script that initialises Vault, enables audit logging first,

mounts the core engines, and loads the policies.

  • A dynamic database secrets script that replaces shared DB passwords with

per-request, auto-expiring users — and rotates the bootstrap password away.

  • A complete, annotated AWS Secrets Manager rotation Lambda implementing the

four-step staged rotation contract, plus a least-privilege IAM policy.

  • A dependency-free secret scanner (regex + Shannon entropy) and a **history

scanner wrapper driving gitleaks/trufflehog, wired into a CI workflow**.

  • A pluggable rotation orchestrator for the static secrets that don't fit

dynamic engines, with generate → apply → verify → rollback semantics.

  • Three substantial guides: Vault setup, a rotation runbook (scheduled,

emergency, rollback), and a migration-off-plaintext playbook.


Prerequisites

ToolWhyNotes
Vault CLI ≥ 1.13server config, policies, enginesthe scripts call vault
Bash ≥ 4the .sh scriptssetup-vault.sh, etc.
Python ≥ 3.10the scanners + orchestratorstdlib only, no pip install
AWS CLI + boto3Secrets Manager patternsonly for the AWS portions
gitleaks or trufflehoghistory scanningoptional; scanner falls back

The Python tools (scan_secrets.py, rotate_secret.py) require **no external

packages**. The AWS rotation Lambda uses boto3, which the AWS Lambda runtime

provides — no install needed there either.


Quick start


# 1. Scan a repo for secrets right now (no setup needed):

*... continues with setup instructions, usage examples, and more.*

📄 Code Sample .py preview

aws/rotation_lambda.py #!/usr/bin/env python3 """AWS Secrets Manager rotation Lambda — four-step rotation state machine. This is a complete, annotated template for the rotation function AWS Secrets Manager invokes when you attach a rotation schedule to a secret. It implements the canonical four-step contract (createSecret, setSecret, testSecret, finishSecret) for a database-style credential held as JSON. WHY four steps: Secrets Manager uses staging labels (AWSCURRENT, AWSPENDING, AWSPREVIOUS) so rotation is atomic and reversible. A new value is staged as AWSPENDING, applied to the resource, tested, and only then promoted to AWSCURRENT. If any step fails, the old AWSCURRENT keeps working — zero outage. Runtime: AWS Lambda (python3.12). `boto3` is provided by the Lambda runtime, so no third-party install is required. Replace `apply_new_password_to_resource` and `verify_login` with calls to your actual target (RDS, a SaaS API, etc.). Deploy: package this single file, set the handler to `rotation_lambda.handler`, grant the function `secretsmanager:GetSecretValue/PutSecretValue/ UpdateSecretVersionStage/DescribeSecret` on the target secret only, and attach it via `aws secretsmanager rotate-secret --rotation-lambda-arn ...`. """ from __future__ import annotations import json import logging import os import secrets as pysecrets import string try: # boto3 is present in the Lambda runtime; guarded so the file imports anywhere. import boto3 except ImportError: # pragma: no cover - local lint/compile without boto3 installed boto3 = None # type: ignore[assignment] LOGGER = logging.getLogger() LOGGER.setLevel(os.environ.get("LOG_LEVEL", "INFO")) # Length of generated passwords. Long + random beats "complex" every time. PASSWORD_LENGTH = int(os.environ.get("ROTATION_PASSWORD_LENGTH", "40")) # Characters Secrets Manager rotation commonly excludes to avoid breaking # connection strings / shells. Tune to your target system's rules. EXCLUDE_CHARACTERS = os.environ.get("ROTATION_EXCLUDE_CHARS", "/@\"'\\`$ ") CURRENT = "AWSCURRENT" PENDING = "AWSPENDING" PREVIOUS = "AWSPREVIOUS" def _client(): # ... 141 more lines ...
Buy Now — $29 Back to Products