bash 8 lines · 1 tab

Secrets management with environment isolation and Vault

Kai Nakamura Apr 2026
1 tab
#!/usr/bin/env bash
set -euo pipefail

export VAULT_ADDR="https://vault.internal:8200"
export VAULT_TOKEN="${VAULT_TOKEN:?missing VAULT_TOKEN}"

DB_PASSWORD=$(vault kv get -field=password secret/production/database)
export DATABASE_URL="postgres://app:${DB_PASSWORD}@db.internal/app_production"
1 file · bash Explain with highlit

The rule is simple: secrets should not live in source control, logs, or chat transcripts. I keep local development ergonomic with env files that never leave the machine, and I use a real secret manager in shared environments. Retrieval should be audited and rotation should be possible without rewriting the app.

Share this code

Here's the card — post it anywhere.

Secrets management with environment isolation and Vault — share card
Link copied