What's sad is that despite it's current state, secret management has still managed to turn into a cargo cult. It's a "best practice" that people blindly implement without thinking.

But secrets are next to useless if they are:

- not used to limit number of people that have access to them (it is quite typical in small teams to give everybody access to production, which essentially gives you access to keys)

- not regularly rotated (at the very least when a person that had access to them leaves the company)

And rotation is hard: a lot of systems still don't support multiple keys, so rotation has to be very carefully tied to some form of blue-green deployment, which is often not possible.

The "better way" for me has been managed identities in Azure. These are Azure Active Directory service principals, which are similar to Group-Managed Service Accounts (gMSA) in Active Directory. They're essentially a platform-managed identity with automatically rotating secrets that the developers never need to know, and sysops don't have to deal with. They can be assigned to VMs or various PaaS services, and then service-to-service access is via standard Azure RBAC, with auditing and everything.

There is nothing to rotate, nothing to put into a "key vault", nothing to worry about leaking out, nothing that could accidentally get pasted into Git, and nothing on that developers' laptop that he left at the airport. You literally say: "I want service A to have read access to service B", and you're done.

Visual Studio automatically injects the developer's personal identity into processes, so that they can access cloud resources during local development, so that's covered too. (For Linux developers, the Azure Identity SDK can pick up the user credentials via the "az" cli.)

"Making fire with stones to avoid a proprietary lighter." -- /user?id=pjmlp

The fact that we don't have a well adopted standard for password management, critically including password rotation and key sharing, by now is both surprising and infuriating.

Are there any widely available, published threat models for secret management of this sort? It seems to me that if you want to frame the discussion in a useful way, you'd start there. Then you can point out where current practice works, where it doesn't, and how your solution works better.

HashiCorp vault is a pretty good answer. It has plugins to auto rotate a number of different connections, works with both static and dynamicly created users, whole host of auditing optinons.

Doppler looks interesting - are there other companies in this space doing good work?