by lee101
1208 days ago
I think a password manager like 1pass for all secrets (definitely not Confluence), plus a cloud-hosted secret system like AWS Secrets Manager for secrets that need to be accessed programmatically, e.g. by various IAM roles. Devs, once they have assumed a role, download the secret env files from Secrets Manager. You might see where I'm going with this: you have two systems to store secrets in, one for general use and one for programmatic use. It's not ideal but pragmatic, and do consider, if you're in a security-sensitive domain, that you would want to customise this process, e.g. by only having one storage system and shorter access etc. One of the two infra people would have the ability to assume a role / get a set of expiring "deploy" keys that they would paste into CI to start a deployment (still in CI, just doing stuff that CI normally doesn't have permission to do).
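As an added illustration of the programmatic half of that setup (not the commenter's code): assume a deploy role with a short-lived STS session, then turn a Secrets Manager secret into a `.env` file that only the current user can read. `FakeSts` and `FakeSecretsManager` are constructed stand-ins for `boto3` clients (`boto3.client("sts")` and `boto3.client("secretsmanager")` expose `assume_role` and `get_secret_value` with these argument names); the role ARN, secret id and secret values are placeholders.

```python
import json
import os
import tempfile

# Constructed stand-ins so the example runs offline; swap in real boto3 clients in practice.
class FakeSts:
    def assume_role(self, RoleArn, RoleSessionName, DurationSeconds):
        assert DurationSeconds <= 3600, "keep deploy sessions short"
        return {"Credentials": {"AccessKeyId": "ASIAEXAMPLE", "SecretAccessKey": "example",
                                "SessionToken": "example-token",
                                "Expiration": "2000-01-01T00:15:00Z"},
                "AssumedRoleUser": {"Arn": f"{RoleArn}/{RoleSessionName}"}}

class FakeSecretsManager:
    def get_secret_value(self, SecretId):
        # Secret stored as a JSON object mapping env var names to values (constructed sample).
        return {"SecretString": json.dumps({"DB_PASSWORD": "s3cr3t pa'ss", "API_KEY": "k=1"})}

def deploy_credentials(sts, role_arn, max_seconds=900):
    """Short-lived credentials for the deploy role; the session name is what CloudTrail records."""
    resp = sts.assume_role(RoleArn=role_arn, RoleSessionName="deploy-ci",
                           DurationSeconds=max_seconds)
    return resp["Credentials"]  # expire on their own, so nothing long-lived lands in CI

def write_env_file(sm, secret_id, path):
    """Fetch a JSON secret and write KEY='value' lines, file mode 0600, values shell-quoted."""
    data = json.loads(sm.get_secret_value(SecretId=secret_id)["SecretString"])
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)  # never world-readable
    with os.fdopen(fd, "w") as f:
        for key in sorted(data):
            if not key.isidentifier():  # refuse names that could break or inject into the env file
                raise ValueError(f"unsafe env var name: {key!r}")
            quoted = "'" + str(data[key]).replace("'", "'\\''") + "'"
            f.write(f"{key}={quoted}\n")
    return sorted(data)

def fetch_deploy_env(sts, sm, role_arn, secret_id):
    """Whole flow: assume role, download secret, return (env file contents, keys, file mode)."""
    creds = deploy_credentials(sts, role_arn)
    path = os.path.join(tempfile.mkdtemp(), ".env")
    keys = write_env_file(sm, secret_id, path)
    with open(path) as f:
        contents = f.read()
    return contents, keys, os.stat(path).st_mode & 0o777, creds["Expiration"]

if __name__ == "__main__":
    print(fetch_deploy_env(FakeSts(), FakeSecretsManager(),
                           "arn:aws:iam::123456789012:role/deploy", "prod/app/env"))
```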