by cartofupai 616 days ago
“Even if exposed or leaked, it is one secret to rotate rather than all of your secrets, scattered across all of your services and their environment variables.”

I don’t think this is true. You’d rotate all secrets in the store, as they could be accessed/compromised.

2 comments

You'd hopefully have access records to show which ones were accessed... but yea, all accessed secrets need to be rotated, not just the gateway-secret. And without that kind of record you need to assume "all".
That’s what 1Password means, right? If your credentials to 1Password leak, all you have to do is change that one password. Problem solved! /s
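
The rotation-scope rule from the first reply in this thread (rotate every secret the leaked gateway credential read, and fall back to "all" when the access records cannot prove otherwise), as an added example that is not part of the original thread. The log layout, credential names, secret paths and the `rotation_scope` function are assumptions constructed for illustration, not any real secrets manager's format.

```python
from datetime import datetime, timezone

def _ts(s):
    """Parse an ISO timestamp from the constructed log as UTC."""
    return datetime.fromisoformat(s).replace(tzinfo=timezone.utc)

# Constructed sample data: every secret in the store, and its access log
# as (timestamp, credential id, secret path) tuples.
ALL_SECRETS = {"db/password", "stripe/api-key", "smtp/password", "jwt/signing-key"}
AUDIT_LOG = [
    ("2024-03-01T09:00:00", "gateway-token", "db/password"),      # before exposure
    ("2024-03-03T10:15:00", "gateway-token", "db/password"),
    ("2024-03-03T10:16:00", "gateway-token", "stripe/api-key"),
    ("2024-03-04T08:00:00", "ci-token", "smtp/password"),         # different credential
    ("2024-03-09T12:00:00", "gateway-token", "jwt/signing-key"),  # after gateway rotation
]

def rotation_scope(all_secrets, audit_log, leaked_cred,
                   exposed_from, exposed_to, log_retained_from):
    """Return (secrets_to_rotate, reason) for a leaked store credential.

    The leaked credential itself is always rotated; this only decides
    which stored secrets must follow it.
    """
    # Without records covering the whole exposure window there is no
    # evidence of what was NOT read, so every secret is in scope.
    if not audit_log or log_retained_from is None or log_retained_from > exposed_from:
        return set(all_secrets), "no complete access record: assume all"
    # An attacker's reads look identical to legitimate ones made with the
    # same credential, so every read by it inside the window counts.
    accessed = {
        path for ts, cred, path in audit_log
        if cred == leaked_cred and exposed_from <= _ts(ts) <= exposed_to
    }
    return accessed, "access records cover the exposure window"

if __name__ == "__main__":
    scope, why = rotation_scope(
        ALL_SECRETS, AUDIT_LOG, "gateway-token",
        exposed_from=_ts("2024-03-02T00:00:00"),
        exposed_to=_ts("2024-03-05T00:00:00"),
        log_retained_from=_ts("2024-02-01T00:00:00"),
    )
    print(sorted(scope), "-", why)
```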