Secrets Management in the Cloud
Applications need passwords, API keys and certificates to talk to databases and other services. These ‘secrets’ are highly sensitive, and storing them carelessly — in code or config files — is a common and serious security mistake.
This article explains how secrets should be handled in the cloud.
The Wrong Way
Hard-coding a password into the application or checking it into a code repository means anyone with access to the code has the keys to your systems. Such secrets are easily leaked and very hard to rotate, because changing them means changing and redeploying the code.
The Right Way
- Store secrets in a dedicated secrets manager, encrypted at rest.
- Grant applications access only to the secrets they need.
- Rotate secrets regularly and automatically.
- Keep an audit trail of who accessed what and when.
How We Implement It
Every major cloud provides a managed secrets service. We use these so that secrets never live in code, can be rotated without redeploying, and are fully audited.
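The pattern this describes, as an added illustration rather than Progressive Robot's own code: the application reads the credential from the secrets manager at runtime, caches it briefly, and re-reads it when the cached value stops working, so a rotation needs no redeploy. It assumes AWS Secrets Manager via boto3 (any client offering get_secret_value(SecretId=...) fits); FakeSecretsClient is a constructed stand-in so the example runs offline.

```python
import json
import time

class SecretCache:
    """Read a secret at runtime and cache it; re-read after `ttl` seconds or on demand."""

    def __init__(self, client, secret_id, ttl=300):
        self._client = client        # boto3 "secretsmanager" client, or a fake
        self._secret_id = secret_id
        self._ttl = ttl
        self._value = None
        self._fetched_at = None
        self.fetch_count = 0         # API reads made so far (checked in tests)

    def get(self):
        if self._fetched_at is None or time.monotonic() - self._fetched_at >= self._ttl:
            self.refresh()
        return self._value

    def refresh(self):
        """Force a re-read, e.g. after a service rejects the old credential."""
        resp = self._client.get_secret_value(SecretId=self._secret_id)
        self._value = json.loads(resp["SecretString"])   # key/value secret
        self._fetched_at = time.monotonic()
        self.fetch_count += 1


class FakeSecretsClient:
    """Constructed stand-in for the boto3 client so the example runs offline."""

    def __init__(self, password):
        self._password = password

    def rotate(self, new_password):    # simulates the manager issuing a new one
        self._password = new_password

    def get_secret_value(self, SecretId):
        secret = {"username": "app", "password": self._password}
        return {"Name": SecretId, "SecretString": json.dumps(secret)}


def connect_with_retry(cache, try_connect):
    """try_connect(creds) -> bool. On failure refresh once (rotation) and retry."""
    creds = cache.get()
    if try_connect(creds):
        return creds
    cache.refresh()                   # the credential may just have been rotated
    creds = cache.get()
    return creds if try_connect(creds) else None
```

Because the application holds no credential of its own, the secrets manager's access log records every read, which is the audit trail the list above asks for.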
Frequently Asked Questions
What happens if a secret leaks?
With a proper secrets manager we can rotate it immediately and see what accessed it, limiting the damage.
If you need a hand with any of this, your Progressive Robot delivery team is ready to help. Raise a ticket from the Support area of your client portal or speak to your account manager and we will guide you through the next steps.