Use Vault for secret management
We manage secrets with project-level and group-level secret variables (environment variables) as well as service keys. There are advantages to using something purpose-built for this, such as Vault. Some advantages would be:
- Automatic key rotation (Vault can issue short-lived credentials instead of long-lived static values)
- Audit logs of every secret access
This could replace our existing secret management, but because consuming Vault secrets means calling the Vault API, we will likely still need the generic environment-variable mechanism. Options: add a separate Vault-specific mechanism; mark individual secret variables as Vault-backed and resolve them differently from plain environment variables; or make it all-or-none at the project level. Whichever option we pick, the job runner needs a way to authenticate to Vault, and values pulled from Vault need the same masking in job logs as existing secret variables.
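The following is an added sketch of the second option (marking some secret variables as Vault-backed and resolving them at job start), written for this note and not GitLab's or Vault's own code. The `SecretVariable` shape, the `vault_only` project policy flag and the `FAKE_VAULT` data are assumptions made for illustration; the only real interface used is Vault's KV v2 HTTP read (`GET /v1/<path>` with an `X-Vault-Token` header, user data under `response["data"]["data"]`).

```python
"""Resolve CI secret variables where some entries are backed by Vault.

Hypothetical design sketch: a variable is either a plain value (the
existing environment-variable mechanism) or a reference into Vault's
KV v2 engine that is fetched when the job starts. Not GitLab code.
"""
import json
import urllib.request
from dataclasses import dataclass
from typing import Callable, Dict, Iterable, Mapping, Optional


@dataclass(frozen=True)
class SecretVariable:
    key: str                            # environment variable name seen by the job
    value: Optional[str] = None         # plain value (existing mechanism)
    vault_path: Optional[str] = None    # KV v2 path, e.g. "secret/data/ci/prod"
    vault_field: Optional[str] = None   # field inside the secret's data map

    @property
    def is_vault(self) -> bool:
        return self.vault_path is not None


def vault_kv2_reader(addr: str, token: str) -> Callable[[str], Mapping[str, str]]:
    """Return a function that reads one KV v2 secret through Vault's HTTP API.

    Vault's KV v2 read is GET {addr}/v1/{path} with the X-Vault-Token header;
    the user-supplied key/value pairs sit under response["data"]["data"].
    Obtaining the token (AppRole, JWT auth, ...) is out of scope here.
    """
    def read(path: str) -> Mapping[str, str]:
        req = urllib.request.Request(f"{addr}/v1/{path}",
                                     headers={"X-Vault-Token": token})
        with urllib.request.urlopen(req, timeout=5) as resp:
            body = json.load(resp)
        return body["data"]["data"]
    return read


def check_project_policy(variables: Iterable[SecretVariable], vault_only: bool) -> None:
    """All-or-none option: a project that opted into Vault must not keep plain secrets."""
    if vault_only:
        plain = [v.key for v in variables if not v.is_vault]
        if plain:
            raise ValueError(f"project is Vault-only but these variables are plain: {plain}")


def resolve_variables(variables: Iterable[SecretVariable],
                      read_secret: Callable[[str], Mapping[str, str]]) -> Dict[str, str]:
    """Build the environment handed to the job.

    Vault-backed entries are fetched via read_secret(path) -> {field: value};
    plain entries pass through unchanged. Each Vault path is read once per job
    even when several variables point at it. A missing field or failed read
    raises, so the job fails loudly rather than running with an unset secret.
    """
    env: Dict[str, str] = {}
    cache: Dict[str, Mapping[str, str]] = {}
    for var in variables:
        if var.is_vault:
            if var.vault_path not in cache:
                cache[var.vault_path] = read_secret(var.vault_path)
            data = cache[var.vault_path]
            if var.vault_field not in data:
                raise KeyError(f"Vault secret {var.vault_path!r} has no field {var.vault_field!r}")
            env[var.key] = data[var.vault_field]
        else:
            if var.value is None:
                raise ValueError(f"variable {var.key!r} has neither a value nor a Vault path")
            env[var.key] = var.value
    return env


# Constructed stand-in for the Vault KV v2 read so the example runs offline.
FAKE_VAULT: Dict[str, Dict[str, str]] = {
    "secret/data/ci/prod": {"db_password": "s3cr3t", "api_key": "k-123"},
}


def fake_read(path: str) -> Mapping[str, str]:
    if path not in FAKE_VAULT:
        raise KeyError(f"no secret at {path!r}")
    return FAKE_VAULT[path]


# Constructed project configuration mixing both kinds of variable.
EXAMPLE_VARIABLES = [
    SecretVariable(key="DEPLOY_REGION", value="us-east-1"),
    SecretVariable(key="DB_PASSWORD", vault_path="secret/data/ci/prod", vault_field="db_password"),
    SecretVariable(key="API_KEY", vault_path="secret/data/ci/prod", vault_field="api_key"),
]


def demo() -> Dict[str, str]:
    """Resolve the constructed variables against the fake Vault."""
    check_project_policy(EXAMPLE_VARIABLES, vault_only=False)
    return resolve_variables(EXAMPLE_VARIABLES, fake_read)


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}={'*' * len(v) if k != 'DEPLOY_REGION' else v}")
```

The resolver deliberately raises on a missing path or field instead of leaving the variable unset: a job that silently runs with an empty credential is harder to diagnose than one that fails at startup. The values it returns should be added to the job-log masking list the same way existing secret variables are.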
Links / references
- Unnamed DoD customer