secrets-management
Enterprise secrets management across platforms. Manage secrets with HashiCorp Vault, AWS Secrets Manager, Azure Key Vault, GCP Secret Manager, and Kubernetes secrets. Configure rotation, policies, and access controls.
Best use case
secrets-management is best used when you need a repeatable AI agent workflow instead of a one-off prompt.
Teams using secrets-management should expect more consistent output, faster repeated execution, and less prompt rewriting.
When to use this skill
- You want a reusable workflow that can be run more than once with consistent structure.
When not to use this skill
- You only need a quick one-off answer and do not need a reusable workflow.
- You cannot install or maintain the underlying files, dependencies, or repository context.
Installation
Claude Code / Cursor / Codex
Manual Installation
- Download SKILL.md from GitHub
- Place it at `.claude/skills/secrets-management/SKILL.md` inside your project
- Restart your AI agent; it will auto-discover the skill
How secrets-management Compares
| Feature / Agent | secrets-management | Standard Approach |
|---|---|---|
| Platform Support | HashiCorp Vault, AWS Secrets Manager, Azure Key Vault, GCP Secret Manager, Kubernetes | Limited / Varies |
| Context Awareness | High | Baseline |
| Installation Complexity | Low (one SKILL.md file) | N/A |
Frequently Asked Questions
What does this skill do?
Enterprise secrets management across platforms. Manage secrets with HashiCorp Vault, AWS Secrets Manager, Azure Key Vault, GCP Secret Manager, and Kubernetes secrets. Configure rotation, policies, and access controls.
Where can I find the source code?
You can find the source code on GitHub using the link provided at the top of the page.
SKILL.md Source
# secrets-management
You are **secrets-management** - a specialized skill for enterprise secrets management across multiple platforms. This skill provides comprehensive capabilities for managing secrets securely throughout their lifecycle.
## Overview
This skill enables AI-powered secrets management including:
- HashiCorp Vault operations and policy configuration
- AWS Secrets Manager integration
- Azure Key Vault operations
- GCP Secret Manager integration
- Kubernetes secrets and sealed secrets
- Secret rotation automation
- Access policy configuration
## Prerequisites
- Access to secrets management platform
- Appropriate authentication credentials
- CLI tools: vault, aws, az, gcloud, kubectl (and kubeseal for Sealed Secrets)
## Capabilities
### 1. HashiCorp Vault
Operations and policy management:
```bash
# Check seal status and authenticate (OIDC shown; use the method your Vault exposes)
vault status
vault login -method=oidc
# Enable a KV v2 secrets engine at secret/ (dev servers already mount one there;
# the command fails with "path is already in use" if the mount exists)
vault secrets enable -path=secret kv-v2
# Secret operations. A value typed on the command line lands in shell history
# and `ps` output; read it from stdin (key=-) or a JSON file (@config.json) instead
vault kv put secret/myapp/config username=admin password=-
vault kv get secret/myapp/config
vault kv get -format=json secret/myapp/config
# List keys under a path
vault kv list secret/myapp/
# Soft-delete the latest version (recoverable with `vault kv undelete`)
vault kv delete secret/myapp/config
# Permanently destroy the data of specific versions
vault kv destroy -versions=1 secret/myapp/config
```
#### Vault Policies
```hcl
# myapp-policy: read-only application access to its own subtree.
# KV v2 serves values under secret/data/... and key listings under
# secret/metadata/..., so both paths are needed; "list" only has an
# effect on the metadata path.
path "secret/data/myapp/*" {
  capabilities = ["read"]
}
path "secret/metadata/myapp/*" {
  capabilities = ["list"]
}
# admin-policy (a separate policy document): full control of the mount.
# "delete" on secret/data/ is a soft delete; the secret/* glob also covers
# the secret/destroy/ and secret/undelete/ endpoints.
path "secret/*" {
  capabilities = ["create", "read", "update", "delete", "list"]
}
# Dynamic database credentials: every "read" on creds/ issues a new lease
path "database/creds/myapp" {
  capabilities = ["read"]
}
```
#### AppRole Authentication
```bash
# Enable AppRole
vault auth enable approle
# Create role: short-lived tokens, and single-use, short-lived SecretIDs so a
# leaked SecretID has a small blast radius
vault write auth/approle/role/myapp \
  token_policies="myapp-policy" \
  token_ttl=1h \
  token_max_ttl=4h \
  secret_id_ttl=10m \
  secret_id_num_uses=1
# Get role ID (not secret on its own; may be baked into the deployment)
vault read auth/approle/role/myapp/role-id
# Generate a SecretID, response-wrapped so only the workload that unwraps it
# ever sees the value (a wrapping token that was already unwrapped signals theft)
vault write -wrap-ttl=60s -f auth/approle/role/myapp/secret-id
# Workload side: unwrap, then log in to obtain a token
vault unwrap -field=secret_id <wrapping_token>
vault write auth/approle/login role_id=<role_id> secret_id=<secret_id>
```
### 2. AWS Secrets Manager
```bash
# Create secret. An inline --secret-string ends up in shell history; read the
# JSON ({"username":"admin","password":"..."}) from a local file instead
aws secretsmanager create-secret \
  --name myapp/production/db \
  --secret-string file://db-secret.json
# Get secret value (the AWSCURRENT version unless --version-stage is given)
aws secretsmanager get-secret-value \
  --secret-id myapp/production/db \
  --query SecretString --output text
# Update secret: stores a new version and moves AWSCURRENT to it
aws secretsmanager update-secret \
  --secret-id myapp/production/db \
  --secret-string file://db-secret-new.json
# Attach a rotation Lambda, schedule it, and trigger the first rotation.
# The ARN is a placeholder; the function must implement the
# createSecret/setSecret/testSecret/finishSecret steps
aws secretsmanager rotate-secret \
  --secret-id myapp/production/db \
  --rotation-lambda-arn arn:aws:lambda:region:account:function:rotation \
  --rotation-rules AutomaticallyAfterDays=30
# List secrets whose name starts with "myapp"
aws secretsmanager list-secrets --filter Key=name,Values=myapp
```
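The rotation function that `--rotation-lambda-arn` points at is the part the CLI lines above leave implicit. The following is an added example, not code from the skill or from AWS: it implements the four-step rotation contract (the `createSecret`, `setSecret`, `testSecret` and `finishSecret` steps, the `AWSCURRENT`/`AWSPENDING`/`AWSPREVIOUS` staging labels, and the pre-flight checks a rotation Lambda performs) and drives it against `FakeSecretsManager` and `FakeDatabase`, two constructed stand-ins whose method names mirror boto3 so the flow runs offline. The secret name, the `v0`/`v1` version ids, the seeded credentials and the `frozen` switch are assumptions; the fake does not model the label cleanup the real service performs after rotation.

```python
"""AWS Secrets Manager rotation Lambda steps, driven end-to-end against in-memory fakes."""
import json
import secrets
import string


class FakeSecretsManager:
    """Constructed stand-in for boto3's Secrets Manager client (same method names)."""

    def __init__(self, secret_string):
        self.versions = {"v0": {"value": secret_string, "stages": {"AWSCURRENT"}}}

    def begin_rotation(self, token):
        # The service labels the new version id AWSPENDING (no value yet) before calling createSecret.
        self.versions[token] = {"value": None, "stages": {"AWSPENDING"}}

    def describe_secret(self, SecretId):
        return {"VersionIdsToStages": {v: set(d["stages"]) for v, d in self.versions.items()}}

    def get_secret_value(self, SecretId, VersionId=None, VersionStage=None):
        for vid, d in self.versions.items():
            if d["value"] is not None and VersionId in (None, vid) and VersionStage in (None, *d["stages"]):
                return {"VersionId": vid, "SecretString": d["value"]}
        raise LookupError("ResourceNotFoundException")

    def put_secret_value(self, SecretId, ClientRequestToken, SecretString, VersionStages):
        self.versions[ClientRequestToken] = {"value": SecretString, "stages": set(VersionStages)}

    def update_secret_version_stage(self, SecretId, VersionStage, MoveToVersionId, RemoveFromVersionId):
        self.versions[RemoveFromVersionId]["stages"].discard(VersionStage)
        self.versions[MoveToVersionId]["stages"].add(VersionStage)
        if VersionStage == "AWSCURRENT":  # the real service relabels the old version AWSPREVIOUS itself
            for d in self.versions.values():
                d["stages"].discard("AWSPREVIOUS")
            self.versions[RemoveFromVersionId]["stages"].add("AWSPREVIOUS")


class FakeDatabase:
    """Constructed stand-in for the rotated DB user; frozen=True simulates a password change that did not take."""

    def __init__(self, username, password, frozen=False):
        self.creds, self.frozen = {username: password}, frozen

    def set_password(self, username, password):
        if not self.frozen:
            self.creds[username] = password

    def login(self, username, password):
        return self.creds.get(username) == password


def _pending(client, secret_id, token):
    # Value staged as AWSPENDING for this token, or LookupError if createSecret has not run yet.
    resp = client.get_secret_value(SecretId=secret_id, VersionId=token, VersionStage="AWSPENDING")
    return json.loads(resp["SecretString"])


def handler(event, client, db):
    """One Lambda invocation; Secrets Manager calls it once per step and retries on failure."""
    secret_id, token, step = event["SecretId"], event["ClientRequestToken"], event["Step"]
    stages = client.describe_secret(SecretId=secret_id)["VersionIdsToStages"]
    if token not in stages:
        raise ValueError(f"version {token} is not staged for rotation")
    if "AWSCURRENT" in stages[token]:
        return  # already rotated: a re-invocation must be a no-op
    if step == "createSecret":
        try:
            _pending(client, secret_id, token)  # idempotent: a retry must not mint a second password
        except LookupError:
            current = json.loads(client.get_secret_value(SecretId=secret_id, VersionStage="AWSCURRENT")["SecretString"])
            current["password"] = "".join(secrets.choice(string.ascii_letters + string.digits) for _ in range(32))
            client.put_secret_value(SecretId=secret_id, ClientRequestToken=token,
                                    SecretString=json.dumps(current), VersionStages=["AWSPENDING"])
    elif step == "setSecret":
        p = _pending(client, secret_id, token)
        db.set_password(p["username"], p["password"])
    elif step == "testSecret":
        p = _pending(client, secret_id, token)
        if not db.login(p["username"], p["password"]):
            raise RuntimeError("pending credentials rejected; AWSCURRENT left untouched")
    elif step == "finishSecret":
        current_vid = next(v for v, s in stages.items() if "AWSCURRENT" in s)
        client.update_secret_version_stage(SecretId=secret_id, VersionStage="AWSCURRENT",
                                           MoveToVersionId=token, RemoveFromVersionId=current_vid)


def rotate(client, db, secret_id, token):
    """Drive the four steps in order, as the service does; return the new AWSCURRENT value."""
    for step in ("createSecret", "setSecret", "testSecret", "finishSecret"):
        handler({"SecretId": secret_id, "ClientRequestToken": token, "Step": step}, client, db)
    return json.loads(client.get_secret_value(SecretId=secret_id, VersionStage="AWSCURRENT")["SecretString"])


def run_rotation(frozen=False):
    """Rotate a seeded secret once; frozen=True makes the database keep its old password."""
    sid, seed = "myapp/production/db", json.dumps({"username": "admin", "password": "old-pw"})
    client, db = FakeSecretsManager(seed), FakeDatabase("admin", "old-pw", frozen)
    client.begin_rotation("v1")
    try:
        new = rotate(client, db, sid, "v1")
    except RuntimeError:
        new = None  # testSecret failed before AWSCURRENT moved
    return {"rotated": new is not None and new["password"] != "old-pw" and db.login("admin", new["password"]),
            "v0_stages": sorted(client.versions["v0"]["stages"]),
            "v1_is_current": "AWSCURRENT" in client.versions["v1"]["stages"]}
```

`run_rotation()` shows the happy path (the old version ends up `AWSPREVIOUS`, the new one `AWSCURRENT`, and the database accepts the new password); `run_rotation(frozen=True)` shows why `testSecret` exists: when the database did not actually take the new password, the step raises and `AWSCURRENT` still points at working credentials, so consumers never pick up a password that does not work. Re-invoking a finished rotation is a no-op because of the `AWSCURRENT` pre-flight check.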
#### IAM Policy for Secrets Access
Secrets Manager appends a hyphen and six random characters to every secret's ARN (`...:secret:myapp/production/db-XXXXXX`), so the `Resource` pattern must end in a wildcard; a secret ARN written out without one matches nothing.
```json
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"secretsmanager:GetSecretValue",
"secretsmanager:DescribeSecret"
],
"Resource": "arn:aws:secretsmanager:*:*:secret:myapp/*"
}
]
}
```
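Before shipping a policy like the one above it is worth checking what it actually grants. The following is an added example, not part of the skill: a small evaluator for the subset of IAM semantics that matter here (case-insensitive `Action` matching, case-sensitive `Resource` matching, `*` and `?` wildcards, explicit `Deny` overriding `Allow`, implicit deny when nothing matches; `Condition`, `NotAction` and `NotResource` are not modelled). It runs the page's policy, a narrowed variant that omits the trailing wildcard, and a guard-railed variant against constructed secret ARNs (the account id and the `-AbCdEf` style suffix are made up).

```python
"""Evaluate IAM identity-policy statements for Secrets Manager requests (added example)."""
import json
import re

# The page's application policy, verbatim.
APP_POLICY = json.loads("""
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": ["secretsmanager:GetSecretValue", "secretsmanager:DescribeSecret"],
      "Resource": "arn:aws:secretsmanager:*:*:secret:myapp/*"
    }
  ]
}
""")

# The same intent with the wildcard dropped: a common mistake that fails on the
# random suffix Secrets Manager appends to every secret ARN.
NARROW_POLICY = json.loads("""
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "secretsmanager:GetSecretValue",
      "Resource": "arn:aws:secretsmanager:*:*:secret:myapp/production/db"
    }
  ]
}
""")

# Broad allow plus an explicit guard-rail deny, to show Deny precedence.
GUARDED_POLICY = json.loads("""
{
  "Version": "2012-10-17",
  "Statement": [
    {"Effect": "Allow", "Action": "secretsmanager:*", "Resource": "*"},
    {"Effect": "Deny",
     "Action": ["secretsmanager:DeleteSecret", "secretsmanager:PutSecretValue"],
     "Resource": "*"}
  ]
}
""")

# Constructed ARNs: dummy account id, and "-AbCdEf"/"-Zy9Xw1" stand for the
# six random characters the service adds after the secret name.
DB_SECRET = "arn:aws:secretsmanager:us-east-1:123456789012:secret:myapp/production/db-AbCdEf"
OTHER_SECRET = "arn:aws:secretsmanager:us-east-1:123456789012:secret:billing/api-key-Zy9Xw1"


def _matches(pattern: str, value: str, case_sensitive: bool) -> bool:
    """IAM-style wildcard match: '*' is any run of characters (including '/' and ':'), '?' one character."""
    regex = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c) for c in pattern)
    return re.fullmatch(regex, value, 0 if case_sensitive else re.IGNORECASE) is not None


def _as_list(value):
    return value if isinstance(value, list) else [value]


def evaluate(policy: dict, action: str, resource: str) -> str:
    """Return 'allow', 'deny' (explicit) or 'implicit_deny' for one request."""
    decision = "implicit_deny"
    for stmt in policy["Statement"]:
        if not any(_matches(a, action, False) for a in _as_list(stmt.get("Action", []))):
            continue
        if not any(_matches(r, resource, True) for r in _as_list(stmt.get("Resource", []))):
            continue
        if stmt["Effect"] == "Deny":
            return "deny"       # an explicit deny wins regardless of statement order
        decision = "allow"      # keep scanning: a later Deny can still override
    return decision


def demo() -> dict:
    """The decisions a practitioner would check before attaching these policies."""
    return {
        "app_reads_own_secret": evaluate(APP_POLICY, "secretsmanager:GetSecretValue", DB_SECRET),
        "app_reads_other_secret": evaluate(APP_POLICY, "secretsmanager:GetSecretValue", OTHER_SECRET),
        "app_writes_own_secret": evaluate(APP_POLICY, "secretsmanager:PutSecretValue", DB_SECRET),
        "narrow_misses_suffix": evaluate(NARROW_POLICY, "secretsmanager:GetSecretValue", DB_SECRET),
        "guarded_read": evaluate(GUARDED_POLICY, "secretsmanager:getsecretvalue", DB_SECRET),
        "guarded_delete": evaluate(GUARDED_POLICY, "secretsmanager:DeleteSecret", DB_SECRET),
    }


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name:24s} {verdict}")
```

The `narrow_misses_suffix` case is the one that bites in practice: the policy looks correct, the request is for exactly the secret it names, and the call is still denied because the real ARN carries the suffix. For production use, prefer the AWS policy simulator or `iam:SimulatePrincipalPolicy`, which also evaluate conditions, SCPs and resource policies that this evaluator ignores.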
### 3. Azure Key Vault
```bash
# Create vault. Key Vault has two authorization models: Azure RBAC
# (--enable-rbac-authorization true, recommended) and the legacy per-vault
# access policies used by `set-policy` below; pick one per vault
az keyvault create \
  --name myapp-vault \
  --resource-group myapp-rg \
  --location eastus
# Set secret. An inline --value lands in shell history; read it from a file
az keyvault secret set \
  --vault-name myapp-vault \
  --name db-password \
  --file ./db-password.txt
# Get secret
az keyvault secret show \
  --vault-name myapp-vault \
  --name db-password \
  --query value -o tsv
# List secrets (names and metadata only, not values)
az keyvault secret list \
  --vault-name myapp-vault
# Grant a service principal read access: access-policy model ...
az keyvault set-policy \
  --name myapp-vault \
  --spn $SERVICE_PRINCIPAL_ID \
  --secret-permissions get list
# ... or, on an RBAC-enabled vault, the built-in read-only secrets role
az role assignment create \
  --role "Key Vault Secrets User" \
  --assignee $SERVICE_PRINCIPAL_ID \
  --scope $(az keyvault show --name myapp-vault --query id -o tsv)
```
### 4. GCP Secret Manager
```bash
# Create the secret container; values are stored as numbered versions
gcloud secrets create db-password \
  --replication-policy="automatic"
# Add a secret version. Piping a literal via echo puts it in shell history;
# point --data-file at a file when the value is real
echo -n "secret" | gcloud secrets versions add db-password --data-file=-
gcloud secrets versions add db-password --data-file=./db-password.txt
# Access the secret. "latest" follows rotations; pin a version number when a
# deployment must not change underneath you
gcloud secrets versions access latest --secret=db-password
# Grant read access on this one secret (not project-wide)
gcloud secrets add-iam-policy-binding db-password \
  --member="serviceAccount:myapp@project.iam.gserviceaccount.com" \
  --role="roles/secretmanager.secretAccessor"
# List secrets
gcloud secrets list
```
### 5. Kubernetes Secrets
```bash
# Create secret. --from-literal puts values in shell history; use --from-file
# or --from-env-file for real values
kubectl create secret generic myapp-secrets \
  --from-literal=username=admin \
  --from-literal=password=secret \
  -n production
# Create a TLS secret from PEM files (type kubernetes.io/tls, keys tls.crt/tls.key)
kubectl create secret tls tls-certs \
  --cert=./cert.pem \
  --key=./key.pem
# View secret. Values are only base64-encoded, not encrypted: anyone with
# "get secrets" RBAC can read them, and etcd stores them in clear unless
# encryption at rest is configured
kubectl get secret myapp-secrets -o yaml
# Decode one value
kubectl get secret myapp-secrets -o jsonpath='{.data.password}' | base64 -d
```
#### Sealed Secrets (Bitnami)
```bash
# Install the kubeseal client; the sealed-secrets controller must be running
# in the cluster
brew install kubeseal
# Render the plain Secret locally without applying it
kubectl create secret generic myapp-secrets \
  --from-literal=password=secret --dry-run=client -o yaml > secret.yaml
# Fetch the controller's public cert once so sealing works offline and in CI
kubeseal --fetch-cert > pub-cert.pem
# Seal it: the SealedSecret is safe to commit, the plain secret.yaml is not
kubeseal --format yaml --cert pub-cert.pem < secret.yaml > sealed-secret.yaml
rm secret.yaml
# Apply sealed secret; the controller decrypts it into a regular Secret
kubectl apply -f sealed-secret.yaml
```
#### External Secrets Operator
```yaml
apiVersion: external-secrets.io/v1beta1
kind: ExternalSecret
metadata:
  name: myapp-secret
spec:
  refreshInterval: 1h
  secretStoreRef:
    name: vault-backend
    kind: SecretStore
  target:
    name: myapp-secret
    creationPolicy: Owner
  data:
    - secretKey: password
      remoteRef:
        key: secret/data/myapp/config
        property: password
```
### 6. Secret Rotation
#### Vault Dynamic Secrets
```bash
# Enable database secrets engine
vault secrets enable database
# Configure PostgreSQL connection. The bootstrap password is visible here in
# shell history and `ps`; rotate it immediately so only Vault knows it
vault write database/config/mydb \
  plugin_name=postgresql-database-plugin \
  allowed_roles="myapp" \
  connection_url="postgresql://{{username}}:{{password}}@db:5432/mydb" \
  username="vault_admin" \
  password="admin_password"
vault write -f database/rotate-root/mydb
# Create role for dynamic credentials: each read mints a fresh DB user that
# PostgreSQL itself expires at VALID UNTIL, and Vault drops at lease expiry
vault write database/roles/myapp \
  db_name=mydb \
  creation_statements="CREATE ROLE \"{{name}}\" WITH LOGIN PASSWORD '{{password}}' VALID UNTIL '{{expiration}}'; GRANT SELECT ON ALL TABLES IN SCHEMA public TO \"{{name}}\";" \
  default_ttl="1h" \
  max_ttl="24h"
# Generate credentials (returns lease_id, lease_duration, username, password)
vault read database/creds/myapp
# Extend the lease before it expires (capped at max_ttl), or revoke it when done
vault lease renew database/creds/myapp/<lease_id>
vault lease revoke database/creds/myapp/<lease_id>
```
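What the CLI lines above leave to the application is lease handling: a credential from `database/creds/myapp` is gone after `default_ttl` unless renewed, and cannot be renewed past `max_ttl`, so the app has to renew early and re-issue before the hard stop. The following is an added example, not Vault's or the skill's code. `FakeVault` is a constructed stand-in that returns the same fields a real read does (`lease_id`, `lease_duration`, `renewable`, `data`) and caps renewals at `max_ttl` the way Vault does; `CredentialManager` is the application-side logic, and `simulate` drives it on a fake clock. The TTL values, usernames and lease ids are assumptions.

```python
"""Keep a Vault dynamic DB credential alive: renew early, re-issue when max_ttl is reached (added example)."""
import secrets


class FakeVault:
    """Constructed stand-in for the database secrets engine (not Vault itself)."""

    def __init__(self, default_ttl, max_ttl, clock):
        self.default_ttl, self.max_ttl, self.clock = default_ttl, max_ttl, clock
        self.leases, self.issued = {}, 0

    def read_creds(self):
        # Equivalent of `vault read database/creds/myapp`: a new user and a new lease.
        self.issued += 1
        now = self.clock()
        lease_id = f"database/creds/myapp/{secrets.token_hex(8)}"
        self.leases[lease_id] = {"issued": now, "expires": now + self.default_ttl, "revoked": False}
        return {"lease_id": lease_id, "lease_duration": self.default_ttl, "renewable": True,
                "data": {"username": f"v-myapp-{self.issued}", "password": secrets.token_urlsafe(16)}}

    def renew(self, lease_id, increment):
        # Equivalent of `vault lease renew`; Vault caps the new TTL at issue time + max_ttl.
        lease, now = self.leases[lease_id], self.clock()
        if lease["revoked"] or now >= lease["expires"]:
            raise LookupError("lease not found or expired")
        lease["expires"] = min(now + increment, lease["issued"] + self.max_ttl)
        return {"lease_duration": lease["expires"] - now}

    def revoke(self, lease_id):
        self.leases[lease_id]["revoked"] = True  # Vault would drop the DB role immediately


class CredentialManager:
    """Application side: renew at 2/3 of the TTL; when Vault caps a renewal (max_ttl reached)
    or the lease is gone, fetch fresh credentials and revoke the old lease.
    Events record usernames only, never passwords."""

    RENEW_AT = 2 / 3

    def __init__(self, vault, clock):
        self.vault, self.clock, self.events = vault, clock, []
        self.creds = self.lease_id = None
        self.ttl = self.expires = self.renew_at = 0

    def _issue(self):
        old, now = self.lease_id, self.clock()
        resp = self.vault.read_creds()
        self.creds, self.lease_id, self.ttl = resp["data"], resp["lease_id"], resp["lease_duration"]
        self.expires, self.renew_at = now + self.ttl, now + self.ttl * self.RENEW_AT
        self.events.append(("issue", self.creds["username"]))
        if old:
            self.vault.revoke(old)  # new creds are in hand, so the old user can go

    def ensure_valid(self):
        """Call before each use (or from a timer); returns live credentials."""
        now = self.clock()
        if self.creds is None or now >= self.expires:
            self._issue()  # nothing usable (first call, or the process stalled past expiry)
        elif now >= self.renew_at:
            try:
                got = self.vault.renew(self.lease_id, self.ttl)["lease_duration"]
            except LookupError:
                self._issue()
                return self.creds
            if got < self.ttl:  # capped by max_ttl: rotate now, while the old lease still works
                self._issue()
            else:
                self.expires, self.renew_at = now + got, now + got * self.RENEW_AT
                self.events.append(("renew", self.creds["username"]))
        return self.creds


def simulate(default_ttl=3600, max_ttl=7200, step=600, horizon=9000):
    """Run the manager on a fake clock (seconds) and report what it did."""
    now = [0]
    vault = FakeVault(default_ttl, max_ttl, lambda: now[0])
    mgr = CredentialManager(vault, lambda: now[0])
    while now[0] <= horizon:
        mgr.ensure_valid()
        now[0] += step
    revoked = sum(1 for lease in vault.leases.values() if lease["revoked"])
    return {"events": mgr.events, "revoked_leases": revoked, "live_user": mgr.creds["username"]}
```

With the defaults (`default_ttl` 1h, `max_ttl` 2h, a check every 10 minutes) the first user is renewed once at 40 minutes, the renewal at 80 minutes comes back capped, so a second user is issued and the first lease revoked before anything expired. `simulate(step=4000, horizon=8000)` models a process that sleeps past its TTL: every check finds an expired lease and has to re-issue, which is the case that surfaces as "password authentication failed" in production when renewal runs on a timer that can stall.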
## MCP Server Integration
This skill can leverage the following MCP servers:
| Server | Description | Installation |
|--------|-------------|--------------|
| claude-vault-mcp | HashiCorp Vault with TOKEN system | [PyPI](https://libraries.io/pypi/claude-vault-mcp) |
### claude-vault-mcp Features
- **TOKEN System**: AI sees tokenized references, not actual secrets
- **WebAuthn Approval**: Human-in-the-loop for sensitive operations
- **Secret Migration**: Move from .env files to Vault
- **Audit Trail**: Full operation logging
## Best Practices
### Security
1. **Never hardcode secrets** - Always use secret managers
2. **Least privilege** - Minimal access permissions
3. **Audit logging** - Enable and monitor access logs
4. **Rotation** - Implement automatic rotation
5. **Encryption** - Encrypt at rest and in transit
### Architecture
1. **Centralized management** - Single source of truth
2. **Dynamic secrets** - Short-lived credentials when possible
3. **Secret versioning** - Track secret history
4. **Access policies** - Role-based access control
5. **Emergency access** - Break-glass procedures
### Application Integration
```yaml
# Kubernetes pod with secret injection. Both forms are shown; prefer the
# volume mount: an env var is readable by anything that can inspect the
# process (crash dumps, /proc, debug sidecars) and is fixed for the pod's
# lifetime, while a mounted file (not a subPath mount) is updated by the
# kubelet when the Secret changes
apiVersion: v1
kind: Pod
metadata:
  name: myapp
spec:
  containers:
    - name: app
      image: myapp:latest
      env:
        - name: DB_PASSWORD
          valueFrom:
            secretKeyRef:
              name: myapp-secrets
              key: password
      volumeMounts:
        - name: secrets
          mountPath: /etc/secrets
          readOnly: true
  volumes:
    - name: secrets
      secret:
        secretName: myapp-secrets
```
## Process Integration
This skill integrates with the following processes:
- `secrets-management.js` - Initial secrets setup
- `security-scanning.js` - Secret leak detection
- `kubernetes-setup.js` - K8s secret configuration
## Output Format
When executing operations, provide structured output:
```json
{
  "operation": "create-secret",
  "platform": "vault",
  "status": "success",
  "secret": {
    "path": "secret/data/myapp/config",
    "version": 1,
    "created_time": "2026-01-24T10:00:00Z"
  },
  "policy": {
    "name": "myapp-policy",
    "applied": true
  },
  "artifacts": ["policy.hcl"]
}
```
## Error Handling
### Common Issues
| Error | Cause | Resolution |
|-------|-------|------------|
| `Permission denied` | Insufficient policy | Review and update policies |
| `Secret not found` | Path incorrect | Verify secret path |
| `Token expired` | Authentication timeout | Re-authenticate |
| `Sealed vault` | Vault needs unsealing | Unseal with threshold keys |
## Constraints
- Never log or display secret values
- Always use secure channels for transmission
- Verify permissions before granting access
- Document all policy changes
- Test rotation procedures regularly
Related Skills
translation-management
Integration with translation management systems and i18n workflows. Connect with Crowdin, Transifex, Weblate, manage translation memory, synchronize glossaries, and automate localization pipelines.
key-management-orchestrator
Cryptographic key lifecycle management orchestration including generation, rotation, and destruction across key management systems
ip-core-management
Vendor IP core configuration and integration expertise for FPGA designs
donor-relationship-management
Cultivate and steward donor relationships including prospect research, personalized engagement strategies, gift acknowledgment, and impact reporting
change-management
Skill for engineering change request and order processing through PLM systems
stormwater-management
Skill for integrated stormwater management and green infrastructure design with SWMM modeling, hydrologic analysis, BMP sizing, and MS4 permit compliance.
thermal-management
Vehicle and powertrain thermal management system design
influencer-kol-management
Industry influencer and key opinion leader relationship management
crisis-management-platform
Crisis response platform integration and real-time monitoring
social-media-management
Cross-platform social media operations and analytics
marketing-project-management
Marketing workflow and project management integration
content-management
CMS operations and content optimization tools