Summary / tl;dr

Proper secrets management should be a primary concern for development teams. It secures against one of the more common and dangerous weaknesses facing teams (stolen credentials) and also decreases ongoing maintenance and development costs. There are two main steps that teams can take to overhaul their secrets management approach:

  1. Integrate with systems like Akeyless to give us high (or complete) coverage with temporary credentials
  2. Configure applications to fetch secrets out of the secret manager directly (rather than pulling them out of the environment)

Akeyless in particular can save teams substantial time because with it we can automatically deploy a fully baked access management system right alongside our code and infrastructure. This allows us to easily grant infrastructure and developers access to the systems they need without having to manually generate credentials, hand them out, or worry about changing them when people leave.

We’ve also seen the benefits of directly integrating applications with a secret manager, rather than pulling secrets out of the environment:

  1. It allows applications to automatically bootstrap themselves (which streamlines the onboarding process for new developers)
  2. It allows us to move secrets out of both .env files and the environment, mitigating an entire category of weaknesses
  3. It trades out secrets-in-the-environment for secret-references-in-the-environment, which are safer to pass around and change much less frequently.
  4. It allows us to automatically re-load access credentials, which can automate the process of re-deploying static secrets in those cases where you have to use them.

Finally, we’ve seen how Akeyless is the critical player in making this happen, as it has a variety of integration options for both sides of the access management problem:

  1. Grant anyone, from any system, access to Akeyless without storing static access credentials.
  2. Once in Akeyless, grant access to external systems via temporary credentials that are only issued when needed and which automatically expire.