Secrets Management

Intermediate ⭐ 80 XP ⏱ 16 min #security #secrets #vault

Store, rotate, and deliver secrets securely across applications and pipelines.

📖Theory

A secrets manager (HashiCorp Vault, AWS Secrets Manager, Azure Key Vault, GCP Secret Manager) centrally stores credentials, keys, and tokens with encryption, access control, audit logging, and rotation. Apps fetch secrets at runtime instead of baking them into code or images.

The properties that matter:

  • Encryption at rest and in transit
  • Fine-grained access (which identity can read which secret) + audit trail
  • Rotation — change secrets regularly, ideally automatically
  • Dynamic secrets — generate short-lived, on-demand credentials (Vault’s signature feature) so there’s no long-lived secret to steal

🌍Real-World Example
# Read a secret at runtime (Vault)
export DB_PASS="$(vault kv get -field=password secret/app/db)"

# AWS Secrets Manager (--output text returns the raw value instead of a JSON-quoted string)
aws secretsmanager get-secret-value --secret-id prod/db --query SecretString --output text

# Dynamic secret: Vault issues a short-lived DB credential on demand
vault read database/creds/app-role   # username/password valid for 1h
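The same runtime-fetch pattern from application code, as an added example that is not part of the original page: a static KV v2 read (the CLI path secret/app/db is secret/data/app/db on the HTTP API) and a dynamic database credential whose lease the app tracks so it renews before Vault revokes it. The HTTP helper assumes VAULT_ADDR and VAULT_TOKEN in the environment, as the vault CLI does; the sample responses are constructed.

```python
"""Runtime secret fetch against Vault's HTTP API (added example): a static KV v2
read plus a dynamic database credential tracked by its lease. Sample bodies are
constructed; vault_get assumes VAULT_ADDR and VAULT_TOKEN like the CLI does."""
import json
import os
import urllib.request
from dataclasses import dataclass


def vault_get(path: str) -> dict:
    """GET /v1/<path> with the token header; the secret stays in memory only."""
    req = urllib.request.Request(f"{os.environ['VAULT_ADDR']}/v1/{path}",
                                 headers={"X-Vault-Token": os.environ["VAULT_TOKEN"]})
    with urllib.request.urlopen(req, timeout=5) as resp:
        return json.load(resp)


def kv2_field(body: dict, field: str) -> str:
    """KV v2 nests user data under data.data. A missing field raises rather than
    handing an empty string to the database driver."""
    data = body["data"]["data"]
    if field not in data:
        raise KeyError(f"secret has no field {field!r}")
    return data[field]


@dataclass
class DynamicCred:
    username: str
    password: str
    lease_id: str
    issued_at: float   # seconds since epoch when the lease was issued
    ttl: int           # lease_duration from Vault, in seconds

    def renew_due(self, now: float, margin: float = 0.2) -> bool:
        """True once 80% of the lease has elapsed: renew before, not after, expiry."""
        return now >= self.issued_at + self.ttl * (1 - margin)


def dynamic_cred(body: dict, now: float) -> DynamicCred:
    """Parse a database/creds/<role> response; Vault revokes it when the lease ends."""
    return DynamicCred(body["data"]["username"], body["data"]["password"],
                       body["lease_id"], now, int(body["lease_duration"]))


# Constructed sample responses (shape follows Vault's API; values are made up).
SAMPLE_KV = {"data": {"data": {"password": "s3cr3t"}, "metadata": {"version": 3}}}
SAMPLE_CREDS = {"lease_id": "database/creds/app-role/abc123", "lease_duration": 3600,
                "renewable": True, "data": {"username": "v-app-role-x1", "password": "p"}}
```

In production, `dynamic_cred(vault_get("database/creds/app-role"), time.time())` replaces the sample body, and a background task calls the lease renew endpoint whenever `renew_due` is true.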

✍️Hands-On Exercise
  1. List four properties a good secrets manager provides.
  2. Explain dynamic secrets and why they’re more secure than static ones.
  3. Describe the correct response to a secret accidentally committed to git.
  4. How should an app obtain a database password at runtime?

🧾Cheat Sheet
Capability      | Detail
Central store   | Vault / Secrets Manager / Key Vault
Encryption      | At rest + in transit
Access control  | Per-identity, audited
Rotation        | Regular, ideally automatic
Dynamic secrets | Short-lived, on-demand creds
On leak         | Rotate immediately

💬Common Interview Questions
What does a secrets manager provide over environment variables?

Centralized encrypted storage with fine-grained access control, audit logging, rotation, and often dynamic short-lived secrets — far stronger than static env vars or files.

What are dynamic secrets?

Credentials generated on demand with a short lifetime (e.g. a temporary database login), so there’s no long-lived secret to leak and access is automatically revoked.
