by FrozenCow 654 days ago
Most services are connected through SSO, so those won't have passwords and are automatically shut down when the user leaves the company.

All employees also have a 1password account in which we can store individual passwords for the services that are not connected through SSO.

For some services we only have a single token/service account which we need to share within the team. Often they were stored in a `.env` file, but that tends to be a burden for onboarding and quite a bit of maintenance for each individual.

Within my current team we share them using direnv and https://github.com/tmatilai/direnv-1password. Secrets are loaded as environment variables whenever the dev enters the project's directory. They are loaded from 1password, which is unlocked using a fingerprint scanner. This way the secrets are not actually stored on disk.

People leaving the team do still require manual password rotation, but at least not everyone in the team needs to update their `.env` file this way.
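The direnv-plus-1Password flow the comment describes, expressed as a small `.envrc`-style loader. This is an added example written for this page, not code from the comment or from the direnv-1password project; it assumes the 1Password CLI's real `op read` command, hypothetical vault and item names, and an `OP_READ` override that exists only so the loader can be exercised without the CLI.

```shell
#!/usr/bin/env bash
# Added example: resolve op:// references into environment variables at
# shell-entry time (direnv sources this file after `direnv allow`), so no
# plaintext secret is written to a .env file on disk.

# A reference must look like op://<vault>/<item>/<field>; anything else is
# rejected before we ever call the CLI.
op_ref_is_valid() {
  case "$1" in
    op://*/*/*) return 0 ;;
    *) return 1 ;;
  esac
}

# Resolve one reference. OP_READ defaults to the real CLI ("op read");
# the test below points it at a stub so the example runs offline.
op_resolve() {
  ${OP_READ:-op read} "$1"
}

# export_from_op VAR op://vault/item/field
# Exports VAR only when the reference is well formed and resolution
# succeeds; on any failure it reports to stderr and leaves VAR unset,
# so a misconfigured project fails loudly instead of running with an
# empty credential.
export_from_op() {
  local name="$1" ref="$2" value
  if ! op_ref_is_valid "$ref"; then
    echo "export_from_op: bad reference for $name: $ref" >&2
    return 1
  fi
  if ! value="$(op_resolve "$ref")"; then
    echo "export_from_op: could not resolve $name" >&2
    return 1
  fi
  export "$name=$value"
}

# Typical .envrc usage (hypothetical vault/item names):
#   export_from_op GITHUB_TOKEN op://Engineering/github-ci/credential
#   export_from_op DATABASE_URL op://Engineering/staging-db/url
```

Because the values live only in the process environment of the shell that entered the directory, leaving the directory (or a teammate leaving the vault) removes access without anyone editing a file.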

1 comment

Thanks for this comment. I currently use direnv with great success for managing virtual environments (mostly various language versions, dependencies, and environment variables). I'll look into this approach of pulling in credentials for those environments from a password store.

I think direnv is a highly underrated tool. Switching between environments with a simple `cd` is of huge benefit to my development experience.