Skip to content
ROOT
STUB

Secrets Lifecycle

The pattern: secrets need rotation, encryption at rest, encryption in transit, scoped access, audit logs, and a clean revocation story — across the full lifecycle from issuance to expiry. Static secrets in env files lose half of these. Dynamic short-lived secrets (Vault-style, per-request) gain them at the cost of operational complexity.

The trade-off: operational simplicity vs. blast radius on leak. Static long-lived secrets are simple but catastrophic when leaked. Dynamic short-lived secrets minimize leak impact but require infrastructure (Vault, ESO, OIDC issuance, audit pipeline). Most platforms layer the choice: static for low-risk values (config), dynamic for high-risk credentials (DB, cloud APIs). Sealed Secrets is the GitOps-friendly middle ground that keeps the source of truth in the repo without leaking plaintext.

Deepens in Year 2 Phase 12: Platform Engineering — Sealed Secrets + ESO + a real rotation drill on basecamp is the worked example.

  • least-privilege — short-lived credentials are how least-privilege survives contact with rotation reality.
  • defense-in-depth — secrets management is the layer that limits how much a compromised credential is worth.
  • zero-trust-security — workload identity is the upstream pattern that lets services not hold long-lived secrets in the first place.
  • threat-modeling — STRIDE’s Information Disclosure and Spoofing surfaces drive most secrets-lifecycle decisions.
  • gitops — Sealed Secrets and SOPS exist because GitOps demands a way to commit secret material safely.
  • immutable-infrastructure — rebuild-from-scratch is only credible when secrets can be re-issued cleanly.