by GauntletWizard 2086 days ago
You got a bunch of downvotes, but I agree. Properly scoped secrets are scoped per team. There's a significant management issue, but it scales with scope. Each team should be aware of all the teams it interacts with, both inbound and outbound, and manage their own tokens. Concentrating them all in one place with systems like Vault is pretty dangerous. You should use one tool across your company, but you should use many installations of that one tool.

What Vault can be good at is certificate generation or management of short-lived certificates; using Vault to generate temporary AWS credentials or certificates for you can be really powerful. Carefully scoping those, though, is not something I've seen most teams do.

1 comment

I think most people in this thread work in AWS or GCP, and there it doesn't really matter because everything is a black box that magically connects with other black boxes via magical identities.
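As an added example (not code from either commenter, and not part of the original thread), here is what the first comment's "carefully scoping" of Vault-issued temporary AWS credentials can look like in practice: one Vault AWS secrets engine role per team, each carrying a least-privilege IAM policy document limited to that team's own resources and a short STS TTL, plus a Vault ACL policy that lets the team read only its own role's credentials. The team names, the S3 bucket, the `aws` mount path, the TTLs and the Vault address are all assumptions for illustration; the live-Vault part uses the `hvac` client library and is only exercised when run as a script against a Vault server that already has the AWS engine mounted and root credentials configured.

```python
"""Per-team scoped AWS credentials issued by Vault.

Added example, not code from the thread. Assumed (hypothetical) inputs: team
names, an S3 bucket shared across teams with a per-team prefix, an AWS secrets
engine mounted at "aws", and the third-party `hvac` library for the live run.
"""
import json
import os


def scoped_iam_policy(team: str, bucket: str) -> dict:
    """Build a least-privilege IAM policy document for one team.

    The team may list the bucket and read/write objects only under its own
    prefix; no wildcard actions or resources.
    """
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Effect": "Allow",
                "Action": ["s3:ListBucket"],
                "Resource": f"arn:aws:s3:::{bucket}",
                "Condition": {"StringLike": {"s3:prefix": [f"{team}/*"]}},
            },
            {
                "Effect": "Allow",
                "Action": ["s3:GetObject", "s3:PutObject"],
                "Resource": f"arn:aws:s3:::{bucket}/{team}/*",
            },
        ],
    }


def vault_acl_policy(team: str, mount: str = "aws") -> str:
    """Vault ACL policy (HCL) that lets a team read only its own role's creds."""
    return (
        f'path "{mount}/creds/{team}-deploy" {{\n'
        f'  capabilities = ["read"]\n'
        f"}}\n"
    )


def policy_is_scoped(policy: dict) -> bool:
    """Reject IAM policy documents that grant wildcard actions or resources."""
    for stmt in policy.get("Statement", []):
        actions = stmt.get("Action", [])
        resources = stmt.get("Resource", [])
        actions = [actions] if isinstance(actions, str) else actions
        resources = [resources] if isinstance(resources, str) else resources
        if any(a == "*" or a.endswith(":*") for a in actions):
            return False
        if any(r == "*" for r in resources):
            return False
    return True


def provision_team(client, team: str, bucket: str, mount: str = "aws",
                   ttl: str = "15m", max_ttl: str = "1h") -> str:
    """Register a short-lived, team-scoped role and its ACL policy in Vault.

    `client` is an hvac.Client. Uses the federation_token credential type so
    the returned keys expire on their own; the TTL strings are assumptions.
    Returns the role name the team reads credentials from.
    """
    policy = scoped_iam_policy(team, bucket)
    if not policy_is_scoped(policy):
        raise ValueError(f"refusing to register over-broad policy for {team}")
    role = f"{team}-deploy"
    client.secrets.aws.create_or_update_role(
        name=role,
        credential_type="federation_token",
        policy_document=json.dumps(policy),
        default_sts_ttl=ttl,
        max_sts_ttl=max_ttl,
        mount_point=mount,
    )
    client.sys.create_or_update_policy(
        name=f"{team}-aws", policy=vault_acl_policy(team, mount)
    )
    return role


if __name__ == "__main__":
    import hvac  # third-party; only needed for the live run against Vault

    # Assumed local dev Vault; VAULT_TOKEN must be an operator token.
    client = hvac.Client(url=os.environ.get("VAULT_ADDR", "http://127.0.0.1:8200"),
                         token=os.environ["VAULT_TOKEN"])
    role = provision_team(client, "team-a", "acme-artifacts")
    creds = client.secrets.aws.generate_credentials(name=role)
    print(role, "lease seconds:", creds["lease_duration"])
```

The point of `policy_is_scoped` is to make the over-broad case fail at provisioning time rather than at audit time: a role whose policy document says `"Action": "*"` is exactly the "Vault hands out a god credential" setup the comment warns about. Per-team tokens for Vault itself would then be issued against the `team-a-aws` ACL policy, so a team can only pull its own role's credentials.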