Secrets Management
Secure your CI/CD pipelines with enterprise-grade secrets management
✨ The solution you've been looking for
Verified
Tested and verified by our team
25450 Stars
Implement secure secrets management for CI/CD pipelines using Vault, AWS Secrets Manager, or native platform solutions. Use when handling sensitive credentials, rotating secrets, or securing CI/CD environments.
secrets-management
cicd
security
vault
aws-secrets-manager
devops
automation
credentials
See It In Action
Interactive preview & real-world examples
Live Demo
AI Conversation Simulator
See how users interact with this skill
User Prompt
I need to securely manage database passwords for my production deployment pipeline. The passwords should be rotated automatically and accessed securely by GitHub Actions.
Skill Processing
Analyzing request...
Agent Response
Implementation of AWS Secrets Manager or Vault integration with automated rotation and secure retrieval in your CI/CD pipeline
Quick Start (3 Steps)
Get up and running in minutes
1
Install
claude-code skill install secrets-management
claude-code skill install secrets-management2
Config
3
First Trigger
@secrets-management helpCommands
| Command | Description | Required Args |
|---|---|---|
| @secrets-management database-credentials-management | Store and rotate database passwords securely across multiple environments without hardcoding credentials in CI/CD pipelines | None |
| @secrets-management api-key-security | Centralize API key management with proper access controls and audit logging for multi-service deployments | None |
| @secrets-management certificate-management | Automate TLS certificate storage, rotation, and deployment across your infrastructure using cloud-native secret stores | None |
Typical Use Cases
Database Credentials Management
Store and rotate database passwords securely across multiple environments without hardcoding credentials in CI/CD pipelines
API Key Security
Centralize API key management with proper access controls and audit logging for multi-service deployments
Certificate Management
Automate TLS certificate storage, rotation, and deployment across your infrastructure using cloud-native secret stores
Overview
Secrets Management
Secure secrets management practices for CI/CD pipelines using Vault, AWS Secrets Manager, and other tools.
Purpose
Implement secure secrets management in CI/CD pipelines without hardcoding sensitive information.
When to Use
- Store API keys and credentials
- Manage database passwords
- Handle TLS certificates
- Rotate secrets automatically
- Implement least-privilege access
Secrets Management Tools
HashiCorp Vault
- Centralized secrets management
- Dynamic secrets generation
- Secret rotation
- Audit logging
- Fine-grained access control
AWS Secrets Manager
- AWS-native solution
- Automatic rotation
- Integration with RDS
- CloudFormation support
Azure Key Vault
- Azure-native solution
- HSM-backed keys
- Certificate management
- RBAC integration
Google Secret Manager
- GCP-native solution
- Versioning
- IAM integration
HashiCorp Vault Integration
Setup Vault
1# Start Vault dev server
2vault server -dev
3
4# Set environment
5export VAULT_ADDR='http://127.0.0.1:8200'
6export VAULT_TOKEN='root'
7
8# Enable secrets engine
9vault secrets enable -path=secret kv-v2
10
11# Store secret
12vault kv put secret/database/config username=admin password=secret
GitHub Actions with Vault
1name: Deploy with Vault Secrets
2
3on: [push]
4
5jobs:
6 deploy:
7 runs-on: ubuntu-latest
8 steps:
9 - uses: actions/checkout@v4
10
11 - name: Import Secrets from Vault
12 uses: hashicorp/vault-action@v2
13 with:
14 url: https://vault.example.com:8200
15 token: ${{ secrets.VAULT_TOKEN }}
16 secrets: |
17 secret/data/database username | DB_USERNAME ;
18 secret/data/database password | DB_PASSWORD ;
19 secret/data/api key | API_KEY
20
21 - name: Use secrets
22 run: |
23 echo "Connecting to database as $DB_USERNAME"
24 # Use $DB_PASSWORD, $API_KEY
GitLab CI with Vault
1deploy:
2 image: vault:latest
3 before_script:
4 - export VAULT_ADDR=https://vault.example.com:8200
5 - export VAULT_TOKEN=$VAULT_TOKEN
6 - apk add curl jq
7 script:
8 - |
9 DB_PASSWORD=$(vault kv get -field=password secret/database/config)
10 API_KEY=$(vault kv get -field=key secret/api/credentials)
11 echo "Deploying with secrets..."
12 # Use $DB_PASSWORD, $API_KEY
Reference: See references/vault-setup.md
AWS Secrets Manager
Store Secret
1aws secretsmanager create-secret \
2 --name production/database/password \
3 --secret-string "super-secret-password"
Retrieve in GitHub Actions
1- name: Configure AWS credentials
2 uses: aws-actions/configure-aws-credentials@v4
3 with:
4 aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }}
5 aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
6 aws-region: us-west-2
7
8- name: Get secret from AWS
9 run: |
10 SECRET=$(aws secretsmanager get-secret-value \
11 --secret-id production/database/password \
12 --query SecretString \
13 --output text)
14 echo "::add-mask::$SECRET"
15 echo "DB_PASSWORD=$SECRET" >> $GITHUB_ENV
16
17- name: Use secret
18 run: |
19 # Use $DB_PASSWORD
20 ./deploy.sh
Terraform with AWS Secrets Manager
1data "aws_secretsmanager_secret_version" "db_password" {
2 secret_id = "production/database/password"
3}
4
5resource "aws_db_instance" "main" {
6 allocated_storage = 100
7 engine = "postgres"
8 instance_class = "db.t3.large"
9 username = "admin"
10 password = jsondecode(data.aws_secretsmanager_secret_version.db_password.secret_string)["password"]
11}
GitHub Secrets
Organization/Repository Secrets
1- name: Use GitHub secret
2 run: |
3 echo "API Key: ${{ secrets.API_KEY }}"
4 echo "Database URL: ${{ secrets.DATABASE_URL }}"
Environment Secrets
1deploy:
2 runs-on: ubuntu-latest
3 environment: production
4 steps:
5 - name: Deploy
6 run: |
7 echo "Deploying with ${{ secrets.PROD_API_KEY }}"
Reference: See references/github-secrets.md
GitLab CI/CD Variables
Project Variables
1deploy:
2 script:
3 - echo "Deploying with $API_KEY"
4 - echo "Database: $DATABASE_URL"
Protected and Masked Variables
- Protected: Only available in protected branches
- Masked: Hidden in job logs
- File type: Stored as file
Best Practices
- Never commit secrets to Git
- Use different secrets per environment
- Rotate secrets regularly
- Implement least-privilege access
- Enable audit logging
- Use secret scanning (GitGuardian, TruffleHog)
- Mask secrets in logs
- Encrypt secrets at rest
- Use short-lived tokens when possible
- Document secret requirements
Secret Rotation
Automated Rotation with AWS
1import boto3
2import json
3
4def lambda_handler(event, context):
5 client = boto3.client('secretsmanager')
6
7 # Get current secret
8 response = client.get_secret_value(SecretId='my-secret')
9 current_secret = json.loads(response['SecretString'])
10
11 # Generate new password
12 new_password = generate_strong_password()
13
14 # Update database password
15 update_database_password(new_password)
16
17 # Update secret
18 client.put_secret_value(
19 SecretId='my-secret',
20 SecretString=json.dumps({
21 'username': current_secret['username'],
22 'password': new_password
23 })
24 )
25
26 return {'statusCode': 200}
Manual Rotation Process
- Generate new secret
- Update secret in secret store
- Update applications to use new secret
- Verify functionality
- Revoke old secret
External Secrets Operator
Kubernetes Integration
1apiVersion: external-secrets.io/v1beta1
2kind: SecretStore
3metadata:
4 name: vault-backend
5 namespace: production
6spec:
7 provider:
8 vault:
9 server: "https://vault.example.com:8200"
10 path: "secret"
11 version: "v2"
12 auth:
13 kubernetes:
14 mountPath: "kubernetes"
15 role: "production"
16
17---
18apiVersion: external-secrets.io/v1beta1
19kind: ExternalSecret
20metadata:
21 name: database-credentials
22 namespace: production
23spec:
24 refreshInterval: 1h
25 secretStoreRef:
26 name: vault-backend
27 kind: SecretStore
28 target:
29 name: database-credentials
30 creationPolicy: Owner
31 data:
32 - secretKey: username
33 remoteRef:
34 key: database/config
35 property: username
36 - secretKey: password
37 remoteRef:
38 key: database/config
39 property: password
Secret Scanning
Pre-commit Hook
1#!/bin/bash
2# .git/hooks/pre-commit
3
4# Check for secrets with TruffleHog
5docker run --rm -v "$(pwd):/repo" \
6 trufflesecurity/trufflehog:latest \
7 filesystem --directory=/repo
8
9if [ $? -ne 0 ]; then
10 echo "❌ Secret detected! Commit blocked."
11 exit 1
12fi
CI/CD Secret Scanning
1secret-scan:
2 stage: security
3 image: trufflesecurity/trufflehog:latest
4 script:
5 - trufflehog filesystem .
6 allow_failure: false
Reference Files
references/vault-setup.md- HashiCorp Vault configurationreferences/github-secrets.md- GitHub Secrets best practices
Related Skills
github-actions-templates- For GitHub Actions integrationgitlab-ci-patterns- For GitLab CI integrationdeployment-pipeline-design- For pipeline architecture
What Users Are Saying
Real feedback from the community
Environment Matrix
Dependencies
HashiCorp Vault (optional)
AWS CLI (for AWS Secrets Manager)
kubectl (for Kubernetes integration)
Docker (for containerized workflows)
Framework Support
GitHub Actions ✓ (recommended)
GitLab CI/CD ✓
Kubernetes External Secrets Operator ✓
Terraform ✓
AWS CloudFormation ✓
Context Window
Token Usage
~3K-8K tokens for complete pipeline configurations
Security & Privacy
Information
- Author
- wshobson
- Updated
- 2026-01-30
- Category
- productivity-tools
Related Skills
Secrets Management
Implement secure secrets management for CI/CD pipelines using Vault, AWS Secrets Manager, or native …
View Details →Deployment Pipeline Design
Design multi-stage CI/CD pipelines with approval gates, security checks, and deployment …
View Details →Deployment Pipeline Design
Design multi-stage CI/CD pipelines with approval gates, security checks, and deployment …
View Details →