The rule is simple: secrets should not live in source control, logs, or chat transcripts. I keep local development ergonomic with env files that never leave the machine, and I use a real secret manager in shared environments. Retrieval should be audited and rotation should be possible without rewriting the app.
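A minimal resolver that follows this split, as an added example that is not from the original post: `.env`-style parsing for local use, a pluggable backend for shared environments (the in-memory dict is an assumed stand-in for a real secret-manager client), audit records that carry a fingerprint rather than the value, and no caching so a rotated value is picked up on the next read without touching application code.

```python
import hashlib
import logging
from typing import Callable, Dict, List

log = logging.getLogger("secrets.audit")

# Constructed sample .env content for local development; it never leaves the machine.
LOCAL_ENV_EXAMPLE = "# local only\nDB_PASSWORD='dev-pw'\nAPI_KEY=\"abc123\"\n\n"

def parse_env_file(text: str) -> Dict[str, str]:
    """Parse KEY=VALUE lines; skip blanks and comments; strip one layer of matching quotes."""
    out: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        value = value.strip()
        if len(value) >= 2 and value[0] == value[-1] and value[0] in "'\"":
            value = value[1:-1]
        out[key.strip()] = value
    return out

def fingerprint(value: str) -> str:
    """Non-reversible tag so audit records show which value was used, never the value itself."""
    return hashlib.sha256(value.encode()).hexdigest()[:12]

class Secrets:
    """Resolve secrets by name via a backend callable. Nothing is cached, so a
    value rotated in the backend is returned on the next get() with no app change."""
    def __init__(self, backend: Callable[[str], str], source: str):
        self._backend, self._source = backend, source
        self.audit: List[Dict[str, str]] = []

    def get(self, name: str) -> str:
        value = self._backend(name)  # KeyError propagates: a missing secret should fail loudly
        event = {"source": self._source, "name": name, "fp": fingerprint(value)}
        self.audit.append(event)
        log.info("secret read source=%(source)s name=%(name)s fp=%(fp)s", event)
        return value

def for_environment(env: str, env_file_text: str, manager: Dict[str, str]) -> Secrets:
    """Local dev reads the env file; every other environment goes through the manager.
    `manager` is a plain dict standing in for a real secret-manager client (assumption)."""
    if env == "local":
        data = parse_env_file(env_file_text)
        return Secrets(lambda n: data[n], "envfile")
    return Secrets(lambda n: manager[n], "manager")
```

The audit trail records the source, the secret name and a fingerprint, which is enough to answer "who read what, and was it the pre- or post-rotation value" without ever writing the secret to a log.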