Marketplace
secrets-management
Use when designing secret storage, rotation, or credential management systems. Covers HashiCorp Vault patterns, AWS Secrets Manager, Azure Key Vault, secret rotation, and zero-knowledge architectures.
allowed_tools: Read, Glob, Grep
$ Instalar
git clone https://github.com/melodic-software/claude-code-plugins /tmp/claude-code-plugins && cp -r /tmp/claude-code-plugins/plugins/systems-design/skills/secrets-management ~/.claude/skills/claude-code-plugins// tip: Run this command in your terminal to install the skill
SKILL.md
name: secrets-management description: Use when designing secret storage, rotation, or credential management systems. Covers HashiCorp Vault patterns, AWS Secrets Manager, Azure Key Vault, secret rotation, and zero-knowledge architectures. allowed-tools: Read, Glob, Grep
Secrets Management
Comprehensive guide to managing secrets, credentials, and sensitive configuration - from storage to rotation to access control.
When to Use This Skill
- Designing secret storage architecture
- Implementing secret rotation
- Integrating applications with secret stores
- Managing API keys, passwords, certificates
- Understanding Vault, AWS Secrets Manager, Azure Key Vault
- Zero-knowledge and envelope encryption patterns
Secrets Management Fundamentals
What Are Secrets?
Types of Secrets:
Credentials:
โโโ Database passwords
โโโ API keys
โโโ OAuth client secrets
โโโ SSH private keys
โโโ Service account tokens
Certificates:
โโโ TLS certificates and private keys
โโโ Code signing certificates
โโโ Client certificates
โโโ CA certificates
Encryption Keys:
โโโ Data encryption keys (DEK)
โโโ Key encryption keys (KEK)
โโโ HMAC keys
โโโ Signing keys
Sensitive Configuration:
โโโ Connection strings
โโโ License keys
โโโ Webhook URLs with tokens
โโโ Third-party credentials
Secrets Lifecycle
Secret Lifecycle:
1. Generation
โโโ Create with sufficient entropy
โโโ Use cryptographic randomness
โโโ Appropriate key length
2. Storage
โโโ Encrypt at rest
โโโ Access control
โโโ Audit logging
3. Distribution
โโโ Secure transport (TLS)
โโโ Just-in-time access
โโโ Minimize copies
4. Usage
โโโ Memory protection
โโโ Minimize exposure window
โโโ Clear after use
5. Rotation
โโโ Regular schedule
โโโ Zero-downtime rotation
โโโ Update all consumers
6. Revocation
โโโ Immediate effect
โโโ Propagate to all systems
โโโ Audit trail
7. Destruction
โโโ Secure deletion
โโโ Verify removal
โโโ Clear backups
Architecture Patterns
Centralized Secret Store
Centralized Architecture:
โโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโ
โ Secret Store โ
โ โโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโ โ
โ โ โข Encrypted storage โ โ
โ โ โข Access control โ โ
โ โ โข Audit logging โ โ
โ โ โข Rotation management โ โ
โ โ โข High availability โ โ
โ โโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโ โ
โโโโโโโโโโโโโโโโโโโโโโโฌโโโโโโโโโโโโโโโโโโโโโโโโโโโโ
โ
โโโโโโโโโโโโโโโผโโโโโโโโโโโโโโ
โ โ โ
โโโโโโผโโโโโ โโโโโโผโโโโโ โโโโโโผโโโโโ
โ App A โ โ App B โ โ App C โ
โ โ โ โ โ โ
โFetches โ โFetches โ โFetches โ
โsecrets โ โsecrets โ โsecrets โ
โon start โ โon demandโ โcached โ
โโโโโโโโโโโ โโโโโโโโโโโ โโโโโโโโโโโ
Benefits:
+ Single source of truth
+ Centralized audit
+ Consistent policies
+ Easier rotation
Challenges:
- Single point of failure
- Network dependency
- Latency for secret access
Envelope Encryption
Envelope Encryption:
โโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโ
โ Key Hierarchy โ
โ โ
โ โโโโโโโโโโโโโโโ โ
โ โ Master Key โ (Never leaves KMS) โ
โ โ (KEK) โ โ
โ โโโโโโโโฌโโโโโโโ โ
โ โ Encrypts โ
โ โผ โ
โ โโโโโโโโโโโโโโโ โ
โ โ Data Key โ (Wrapped/encrypted) โ
โ โ (DEK) โ โ
โ โโโโโโโโฌโโโโโโโ โ
โ โ Encrypts โ
โ โผ โ
โ โโโโโโโโโโโโโโโ โ
โ โ Data โ (Your secrets/data) โ
โ โ โ โ
โ โโโโโโโโโโโโโโโ โ
โโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโ
Flow:
1. Generate DEK locally
2. Encrypt data with DEK
3. Send DEK to KMS for wrapping with KEK
4. Store: encrypted data + wrapped DEK
5. To decrypt: unwrap DEK with KMS, decrypt data
Benefits:
- Master key never exposed
- Can rotate DEK without re-encrypting all data
- Distributed encryption (KMS not a bottleneck)
Zero-Knowledge Architecture
Zero-Knowledge Secret Access:
โโโโโโโโโโโโโโโโ
โ Client โ
โ โ
โ Has: secret โ
โ key derived โ
โ from passwordโ
โโโโโโโโฌโโโโโโโโ
โ
โโโโโโโโโโโโโโโโโโโโโโโโผโโโโโโโโโโโโโโโโโโโโโโโโ
โ Server โ
โ โ
โ Stores: encrypted secrets โ
โ Cannot decrypt (doesn't have key) โ
โ โ
โ User's secrets = Encrypt(data, userDerivedKey)โ
โโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโ
Properties:
- Server cannot read secrets even if compromised
- User password never transmitted
- Key derived client-side using KDF
- Server only sees encrypted blobs
Trade-offs:
+ Maximum privacy
+ Server breach doesn't expose secrets
- Can't recover if user forgets password
- Can't audit what's stored
- Server can't validate secrets
HashiCorp Vault
Vault Architecture
Vault Components:
โโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโ
โ Vault โ
โ โ
โ โโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโ โ
โ โ API Layer โ โ
โ โ (HTTP/HTTPS interface for all operations) โ โ
โ โโโโโโโโโโโโโโโโโโโโโโโฌโโโโโโโโโโโโโโโโโโโโโโโโโ โ
โ โ โ
โ โโโโโโโโโโโโโโโโโโโโโโโผโโโโโโโโโโโโโโโโโโโโโโโโโ โ
โ โ Auth Methods โ โ
โ โ Token โ OIDC โ LDAP โ K8s โ AWS โ Azure โ โ
โ โโโโโโโโโโโโโโโโโโโโโโโฌโโโโโโโโโโโโโโโโโโโโโโโโโ โ
โ โ โ
โ โโโโโโโโโโโโโโโโโโโโโโโผโโโโโโโโโโโโโโโโโโโโโโโโโ โ
โ โ Secrets Engines โ โ
โ โ KV โ Database โ PKI โ Transit โ AWS โ SSH โ โ
โ โโโโโโโโโโโโโโโโโโโโโโโฌโโโโโโโโโโโโโโโโโโโโโโโโโ โ
โ โ โ
โ โโโโโโโโโโโโโโโโโโโโโโโผโโโโโโโโโโโโโโโโโโโโโโโโโ โ
โ โ Storage Backend โ โ
โ โ Consul โ Raft โ S3 โ DynamoDB โ etcd โ โ
โ โโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโ โ
โโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโ
Vault Secrets Engines
Common Secrets Engines:
1. KV (Key-Value)
- Static secrets storage
- Versioning support
- Simplest engine
2. Database
- Dynamic database credentials
- Auto-rotation
- Short-lived credentials
vault write database/roles/my-role \
db_name=my-database \
creation_statements="CREATE USER..." \
default_ttl="1h" \
max_ttl="24h"
3. PKI
- Certificate authority
- Issue short-lived certificates
- Auto-renewal
4. Transit
- Encryption as a service
- Key management
- Sign/verify operations
5. AWS/Azure/GCP
- Dynamic cloud credentials
- IAM role assumption
- Temporary access
Vault Authentication
Auth Method Selection:
Kubernetes:
- Best for: Pods in Kubernetes
- Identity: Service account token
- Config: Bound namespace/SA
vault auth enable kubernetes
vault write auth/kubernetes/config \
kubernetes_host="https://kubernetes:443" \
kubernetes_ca_cert=@ca.crt
AppRole:
- Best for: CI/CD, applications
- Identity: Role ID + Secret ID
- Config: Bound CIDR, metadata
vault auth enable approle
vault write auth/approle/role/my-app \
token_ttl=1h \
token_max_ttl=4h \
secret_id_num_uses=1
OIDC:
- Best for: Human users
- Identity: JWT from IdP
- Config: OIDC provider connection
Cloud Secret Managers
AWS Secrets Manager
AWS Secrets Manager Features:
Capabilities:
โโโ Automatic rotation (Lambda-based)
โโโ Cross-region replication
โโโ IAM integration
โโโ CloudTrail auditing
โโโ Resource policies
Rotation Flow:
โโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโ
โ 1. createSecret - Create new secret version โ
โ 2. setSecret - Update resource (RDS, etc) โ
โ 3. testSecret - Verify new secret works โ
โ 4. finishSecret - Mark rotation complete โ
โโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโ
Access Pattern:
aws secretsmanager get-secret-value \
--secret-id my-secret \
--version-stage AWSCURRENT
SDK Integration:
client = boto3.client('secretsmanager')
response = client.get_secret_value(SecretId='my-secret')
secret = json.loads(response['SecretString'])
Azure Key Vault
Azure Key Vault Features:
Object Types:
โโโ Secrets - Generic key/value
โโโ Keys - Cryptographic keys (HSM-backed)
โโโ Certificates - X.509 certificates
Access Control:
- RBAC (recommended)
- Access policies (legacy)
- Managed identities for Azure resources
Soft Delete + Purge Protection:
- Deleted secrets retained for recovery period
- Purge protection prevents permanent deletion
- Required for compliance scenarios
Integration:
// .NET example with DefaultAzureCredential
var client = new SecretClient(
new Uri("https://my-vault.vault.azure.net/"),
new DefaultAzureCredential());
KeyVaultSecret secret = await client.GetSecretAsync("my-secret");
GCP Secret Manager
GCP Secret Manager Features:
Capabilities:
โโโ Automatic replication (regional/global)
โโโ IAM integration
โโโ Audit logging
โโโ Secret versioning
โโโ Expiration support
Access Control:
- roles/secretmanager.secretAccessor
- roles/secretmanager.admin
- IAM conditions for fine-grained access
Workload Identity:
- GKE pods use service accounts
- No credential files needed
- Automatic token refresh
Access Pattern:
gcloud secrets versions access latest --secret=my-secret
# Python
from google.cloud import secretmanager
client = secretmanager.SecretManagerServiceClient()
response = client.access_secret_version(name=secret_version_name)
secret = response.payload.data.decode('UTF-8')
Secret Rotation
Zero-Downtime Rotation
Dual-Version Strategy:
Phase 1: Create New Version
โโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโ
โ Secret Store โ
โ โโโ Version 1 (current) โ โ
โ โโโ Version 2 (pending) NEW โ
โโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโ
Phase 2: Update Consumers
โโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโ
โ Apps accept: Version 1 OR 2 โ
โ Resource updated to Version 2 โ
โโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโ
Phase 3: Verify New Version
โโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโ
โ Test connections with Version 2 โ
โ Monitor for errors โ
โโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโ
Phase 4: Deprecate Old Version
โโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโ
โ Secret Store โ
โ โโโ Version 1 (deprecated) โ
โ โโโ Version 2 (current) โ โ
โโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโ
Phase 5: Remove Old Version
โโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโ
โ Secret Store โ
โ โโโ Version 2 (current) โ โ
โโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโ
Database Credential Rotation
Database Rotation Pattern:
Approach 1: Dual Users
โโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโ
โ Database has TWO users for the app: โ
โ - app_user_a (current) โ
โ - app_user_b (standby) โ
โ โ
โ Rotation: โ
โ 1. Generate new password for app_user_b โ
โ 2. Update secret to point to app_user_b โ
โ 3. Apps pick up new credentials โ
โ 4. Change app_user_a password (now standby) โ
โโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโ
Approach 2: Dynamic Credentials (Vault)
โโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโ
โ Each credential request creates new user: โ
โ - v-app-abc123-ttl-1h (expires in 1 hour) โ
โ โ
โ Benefits: โ
โ - No rotation needed โ
โ - Automatic cleanup โ
โ - Per-request credentials โ
โ โ
โ Vault handles: โ
โ - Creating users โ
โ - Setting expiration โ
โ - Revoking expired credentials โ
โโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโ
Application Integration
Sidecar Pattern
Sidecar Secret Injection:
โโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโ
โ Pod โ
โ โโโโโโโโโโโโโโโโโโโ โโโโโโโโโโโโโโโโโโโโโโโ โ
โ โ Vault Agent โ โ App โ โ
โ โ (Sidecar) โ โ โ โ
โ โ โ โ โ โ
โ โ - Authenticatesโ โ Reads secrets from โ โ
โ โ - Fetches โโโโบ /vault/secrets/ โ โ
โ โ - Renders โ โ (shared volume) โ โ
โ โ - Refreshes โ โ โ โ
โ โโโโโโโโโโโโโโโโโโโ โโโโโโโโโโโโโโโโโโโโโโโ โ
โ โ โ โ
โ โผ โ โ
โ [Shared Volume]โโโโโโโโโโโโโโ โ
โ /vault/secrets/ โ
โ โโโ db-password โ
โ โโโ api-key โ
โโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโ
CSI Driver Pattern
Secrets Store CSI Driver:
apiVersion: v1
kind: Pod
spec:
containers:
- name: app
volumeMounts:
- name: secrets
mountPath: "/mnt/secrets"
readOnly: true
volumes:
- name: secrets
csi:
driver: secrets-store.csi.k8s.io
readOnly: true
volumeAttributes:
secretProviderClass: "vault-database"
---
apiVersion: secrets-store.csi.x-k8s.io/v1
kind: SecretProviderClass
metadata:
name: vault-database
spec:
provider: vault
parameters:
vaultAddress: "https://vault:8200"
roleName: "db-role"
objects: |
- objectName: "db-password"
secretPath: "secret/data/db"
secretKey: "password"
Best Practices
Security Best Practices:
1. Never Store Secrets In:
โ Source code
โ Environment variables (visible in logs)
โ Container images
โ Kubernetes ConfigMaps
โ Plain text files
2. Access Control:
โก Least privilege access
โก Service-specific credentials
โก Time-limited access where possible
โก Regular access reviews
3. Audit and Monitoring:
โก Log all secret access
โก Alert on unusual patterns
โก Regular audit reviews
โก Compliance reporting
4. Rotation:
โก Automate all rotations
โก Short credential lifetimes
โก Test rotation procedures
โก Document emergency rotation
5. High Availability:
โก Secret store must be HA
โก Cache secrets for availability
โก Graceful degradation plan
โก Recovery procedures documented
Related Skills
zero-trust-architecture- Overall security architectureapi-security- API authentication and authorizationmtls-service-mesh- Certificate management for servicescontainer-orchestration- Kubernetes secrets integration
Repository
melodic-software
Author
melodic-software/claude-code-plugins/plugins/systems-design/skills/secrets-management
3
Stars
0
Forks
Updated3d ago
Added1w ago