The single most common production breach is a leaked secret. The secrets management space has matured; in 2026 you have no excuse to ship .env files to a server.
The principles
- Secrets never in Git — even encrypted, prefer external sources.
- Secrets pulled at runtime — not baked into images.
- Per-environment secrets — dev, staging, prod isolated.
- Auditable access — who read what, when.
- Rotatable — without code changes.
- Least privilege — services see only what they need.
Tools
| Tool | Strengths |
|---|---|
| AWS Secrets Manager / Parameter Store | AWS-native, integrated IAM |
| GCP Secret Manager | GCP-native |
| Azure Key Vault | Azure-native |
| HashiCorp Vault | Multi-cloud, dynamic secrets, advanced |
| External Secrets Operator | Bridges any of the above into K8s |
| Sealed Secrets | Encrypted secrets in Git (smaller setups) |
| SOPS | File-level encryption (great for IaC) |
For 2026 Kubernetes shops: cloud-native manager + External Secrets Operator is the path of least resistance.
External Secrets Operator pattern
```yaml
apiVersion: external-secrets.io/v1beta1
kind: SecretStore
metadata: { name: aws-secrets, namespace: api }
spec:
  provider:
    aws:
      service: SecretsManager
      region: ap-south-1
      auth:
        jwt:
          serviceAccountRef: { name: external-secrets-sa }
---
apiVersion: external-secrets.io/v1beta1
kind: ExternalSecret
metadata: { name: api-secrets, namespace: api }
spec:
  refreshInterval: 1h
  secretStoreRef: { name: aws-secrets, kind: SecretStore }
  target: { name: api-secrets }
  data:
    - secretKey: DATABASE_URL
      remoteRef: { key: prod/api/database_url }
    - secretKey: STRIPE_KEY
      remoteRef: { key: prod/api/stripe_key }
```
ESO syncs the secrets from AWS Secrets Manager into a Kubernetes Secret. Your Deployment mounts it, and app code reads env vars normally.
Rotate in AWS → ESO refreshes on its refreshInterval → pods see the new value (env vars need a pod restart; file mounts are updated in place, so the app has to re-read them).
Vault for advanced cases
```shell
vault kv put secret/api stripe_key=sk_live_...
vault kv get secret/api   # KV v2 mounts (the default) need `kv get`; plain `vault read secret/api` misses the data/ path
```
Vault adds:
- Dynamic secrets: short-lived DB credentials issued on demand.
- Policy language for fine-grained access.
- Audit log: every secret read.
- PKI: issue certificates.
- Transit encryption: encrypt-as-a-service.
Run Vault if you have the operations capacity. Cloud-native is simpler if you don’t.
App-level patterns
```python
# settings.py — pull from env, not files in repo
from pydantic import PostgresDsn, SecretStr
from pydantic_settings import BaseSettings  # BaseSettings lives here in Pydantic v2


class Settings(BaseSettings):
    database_url: PostgresDsn
    stripe_key: SecretStr  # SecretStr redacts in logs
```
SecretStr from Pydantic v2 prevents accidental logging.
Rotation
For each secret, define:
- Rotation cadence (90 days for high-value).
- Process (new version → ESO sync → rolling deploy).
- Owner.
Static keys that haven’t rotated in years are debt.
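The "new version → ESO sync → rolling deploy" process above, and the file-mount reload path mentioned under the ESO pattern, as an added example that is not from the original post: a small Python reader for one key mounted from the ESO-synced Secret, plus a retry wrapper that re-reads the mount when a client rejects a stale key. `MountedSecret`, `call_with_rotation_retry` and the `authenticate` hook are assumed names; the key values are constructed samples.

```python
import os
import tempfile
from pathlib import Path


class MountedSecret:
    """One key of a Kubernetes Secret mounted as a file (the ESO target Secret under a
    volumeMount); re-read when the file changes, so rotation needs no pod restart."""
    def __init__(self, path: Path) -> None:
        self.path = Path(path)
        self._mtime_ns = -1
        self._value = ""

    def get(self, force: bool = False) -> str:
        mtime_ns = self.path.stat().st_mtime_ns
        if force or mtime_ns != self._mtime_ns:
            self._value = self.path.read_text().strip()
            self._mtime_ns = mtime_ns
        return self._value


def call_with_rotation_retry(secret: MountedSecret, authenticate):
    """Call authenticate(value); if it raises PermissionError, force a re-read and retry once.
    authenticate is an assumed client hook (DB connect, API ping) that rejects a stale key."""
    try:
        return authenticate(secret.get())
    except PermissionError:
        return authenticate(secret.get(force=True))


def demo() -> dict:
    """Constructed scenario: the mount is rewritten but keeps its mtime, so the cache
    goes stale and only the retry path notices the rotation. Keys are sample values."""
    attempts = []
    with tempfile.TemporaryDirectory() as d:
        p = Path(d) / "STRIPE_KEY"
        p.write_text("sk_test_old\n")
        s = MountedSecret(p)
        old = s.get()
        p.write_text("sk_test_new\n")  # rotation lands on disk
        os.utime(p, ns=(s._mtime_ns, s._mtime_ns))  # mtime unchanged: cache is stale
        def authenticate(key: str) -> str:  # accepts only the rotated key
            attempts.append(key)
            if key != "sk_test_new":
                raise PermissionError("invalid key")
            return "ok"
        result = call_with_rotation_retry(s, authenticate)
        return {"old": old, "result": result, "attempts": attempts, "new": s.get()}
```

In a real pod the kubelet swaps the mounted file atomically and its mtime changes, so the plain mtime check is usually enough; the forced re-read covers clients that cached the key before the swap.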
Detecting leaks
- gitleaks / trufflehog in pre-commit and CI.
- GitHub secret scanning for known patterns (Stripe, AWS, etc.).
- Per-cloud anomaly detection (AWS GuardDuty flags exfiltrated keys).
A secret in a public repo is hours from being abused. Detection + rotation is the only response.
For supply chain security, see Software Supply Chain Security.
Common mistakes
1. .env files in Git
Even if you .gitignore later, history retains them. Rewrite history; rotate everything.
2. Single shared admin key
The “production AWS key” that 12 people use. You lose the access trail and can’t rotate without disruption.
3. Long-lived tokens
A token created once that never rotates. Grants access forever. Use short-lived tokens (OIDC, IAM roles for service accounts).
4. No audit log
You can’t tell who read what. Required for compliance; useful for incident response.
5. Logging secret values
SecretStr and similar redact. Don’t bypass them.
What I’d ship today
For a 2026 Kubernetes shop on AWS:
- AWS Secrets Manager as the source of truth.
- ESO syncs to Kubernetes secrets.
- IAM Roles for Service Accounts so pods authenticate as themselves.
- gitleaks in CI.
- 90-day rotation policy.
- Audit log review quarterly.
Less than a week to set up. Saves you from being a postmortem.
Read this next
- Software Supply Chain Security
- Authentication in 2026
- Platform Engineering and IDPs
- Cilium and eBPF in Production
If you want an ESO + AWS Secrets Manager + IRSA Helm chart, it’s at rajpoot.dev.
Building something AI-, backend-, or data-heavy and want a second pair of eyes? I do consulting and freelance work — see my projects and ways to reach me at rajpoot.dev.