by pondidum 1272 days ago
What about secrets?

I like to do short lived credentials using Vault (e.g. vault can create say db access credentials dynamically), but for things like API keys where I can't do that..? Is the Vault KV store the source of truth?

3 comments

At least in cloud providers, they have secret vaults accessible to their customers. The individual secrets are stored in source code but they're encrypted. We've used SOPS as a valuable way to manage these secrets. You can certainly stand up your own secret server or equivalent but may not have all the same integration bells and whistles.
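The pattern that comment describes (secrets committed to the repo with only the values encrypted, under a data key that is itself wrapped by a master key held outside the repo) is shown below as an added example in Go. It is not code from the thread or from SOPS; SOPS does the same thing with KMS, age or PGP as the master key and a `sops:` metadata section. The master key and the sample secrets are constructed for the demo, and the `EncryptedFile` layout and the `"data-key"` wrapping label are assumptions of this sketch, not the SOPS file format.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/base64"
	"encoding/json"
	"fmt"
)

// EncryptedFile is the shape that gets committed: every key stays in the clear
// so `git diff` shows which secret changed, while the values are ciphertext.
// The per-file data key is wrapped with a master key that never enters the
// repo (KMS, age or PGP in real SOPS; a constructed key in this example).
type EncryptedFile struct {
	Data map[string]string `json:"data"`
	Meta struct {
		WrappedDataKey string `json:"wrapped_data_key"`
	} `json:"sops"` // metadata section, named after the tool being imitated
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// seal encrypts plaintext with a fresh nonce and binds it to aad (the config
// key path), so a ciphertext cannot be copied to a different key undetected.
func seal(key, plaintext []byte, aad string) (string, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return "", err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return "", err
	}
	ct := gcm.Seal(nonce, nonce, plaintext, []byte(aad)) // nonce || ciphertext+tag
	return base64.StdEncoding.EncodeToString(ct), nil
}

func unseal(key []byte, enc, aad string) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	raw, err := base64.StdEncoding.DecodeString(enc)
	if err != nil {
		return nil, err
	}
	if len(raw) < gcm.NonceSize() {
		return nil, fmt.Errorf("ciphertext too short for %q", aad)
	}
	nonce, ct := raw[:gcm.NonceSize()], raw[gcm.NonceSize():]
	return gcm.Open(nil, nonce, ct, []byte(aad))
}

// EncryptSecrets turns a plaintext key/value map into the file to commit.
func EncryptSecrets(masterKey []byte, plain map[string]string) (*EncryptedFile, error) {
	dataKey := make([]byte, 32)
	if _, err := rand.Read(dataKey); err != nil {
		return nil, err
	}
	out := &EncryptedFile{Data: make(map[string]string, len(plain))}
	for k, v := range plain {
		enc, err := seal(dataKey, []byte(v), k)
		if err != nil {
			return nil, err
		}
		out.Data[k] = enc
	}
	wrapped, err := seal(masterKey, dataKey, "data-key")
	if err != nil {
		return nil, err
	}
	out.Meta.WrappedDataKey = wrapped
	return out, nil
}

// DecryptSecrets is what a deploy step with access to the master key runs.
func DecryptSecrets(masterKey []byte, f *EncryptedFile) (map[string]string, error) {
	dataKey, err := unseal(masterKey, f.Meta.WrappedDataKey, "data-key")
	if err != nil {
		return nil, fmt.Errorf("unwrap data key: %w", err)
	}
	plain := make(map[string]string, len(f.Data))
	for k, enc := range f.Data {
		v, err := unseal(dataKey, enc, k)
		if err != nil {
			return nil, fmt.Errorf("decrypt %q: %w", k, err)
		}
		plain[k] = string(v)
	}
	return plain, nil
}

func main() {
	master := make([]byte, 32) // constructed stand-in for a KMS/age key
	if _, err := rand.Read(master); err != nil {
		panic(err)
	}
	secrets := map[string]string{"db_password": "hunter2", "api_key": "example-key"} // constructed
	f, err := EncryptSecrets(master, secrets)
	if err != nil {
		panic(err)
	}
	b, _ := json.MarshalIndent(f, "", "  ")
	fmt.Println(string(b)) // keys readable, values ciphertext: this is what gets committed
	back, err := DecryptSecrets(master, f)
	if err != nil {
		panic(err)
	}
	fmt.Println(back["db_password"] == secrets["db_password"])
}
```

Two properties matter for the "secrets in version control" workflow: the wrapped data key means rotating the master key only re-wraps one value rather than re-encrypting every secret, and using the key path as GCM associated data means an attacker with write access to the repo cannot swap, say, a staging password's ciphertext into the production key without the decrypt failing.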
We utilize version control for config/secret management as well…encrypted of course.

Edit: now that I think of it, for generated short lived passwords we also use SSM but for anything set by a human it’s in version control…

Config that should be pushed into the env: it's not code or assets.