Cloud secrets management is the practice of securely storing, accessing, rotating, and auditing sensitive credentials — API keys, database passwords, TLS certificates, and tokens — used by applications and services in cloud environments. Without a dedicated secrets manager, credentials end up hardcoded in source code or environment variables, creating a persistent exposure risk; GitGuardian's 2026 State of Secrets Sprawl report found 28.65 million hardcoded secrets on public GitHub repositories in 2025 alone, a 34% year-over-year increase. The core mental model is centralize and federate: store every secret in one authoritative vault, then grant workloads short-lived, scoped access at runtime using identity (OIDC, SPIFFE, IAM roles) rather than distributing long-lived credentials that must be manually rotated.
What This Cheat Sheet Covers
This topic spans 21 focused tables and 121 indexed concepts. Below is a complete table-by-table outline of this topic, spanning foundational concepts through advanced details.
Table 1: Secrets Management Platform Comparison
Choosing the right platform depends on where your workloads run, whether you need self-hosting, and how much operational overhead you can absorb. Cloud-native options (AWS, Azure, GCP) minimize infrastructure burden but lock you to a vendor; HashiCorp Vault and open-source alternatives give portability at the cost of more setup.
| Platform | Example | Description |
|---|---|---|
| AWS Secrets Manager | `aws secretsmanager get-secret-value --secret-id prod/db/pass` | AWS-native secrets store with automatic rotation via Lambda, cross-account access, and native RDS/Redshift/DocumentDB integration • billed per secret + API call |
| HashiCorp Vault | `vault kv get -field=password secret/db` | Self-hosted or HCP-managed • industry standard for dynamic secrets, multiple auth backends (AWS IAM, OIDC, LDAP), fine-grained policies, and audit logging |
| Azure Key Vault | `az keyvault secret show --name db-pass --vault-name my-vault` | Azure-native store for secrets, keys, and certificates • integrates with Managed Identity for keyless access from Azure workloads |
| Google Cloud Secret Manager | `gcloud secrets versions access latest --secret=db-pass` | GCP-native with versioning, automatic replication across regions, IAM bindings per secret, and Workload Identity Federation for cross-cloud access |
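The "centralize and federate" model from the introduction, and the `get-secret-value` call in the AWS row of Table 1, look like this from inside an application: the workload fetches the secret at runtime under its own identity, caches it briefly, and picks up a rotated version without a restart. This is an added example, not code from the cheat sheet or from AWS. It assumes a client object exposing `get_secret_value(SecretId=...)` with boto3's response shape; `FakeSecretsManager` and `ManualClock` below are constructed stand-ins so the file runs offline, and in real use you would pass `boto3.client("secretsmanager")` instead. The `Secret` wrapper is an assumption of this example, not an AWS type.

```python
"""Runtime secret access with a TTL cache so rotation is picked up without a restart.

Added example, not code from the cheat sheet or from AWS. Assumes a client with
boto3's get_secret_value(SecretId=...) call and response shape; the fake backend
and clock below are constructed stand-ins so this runs offline.
"""
import time
from typing import Any, Callable, Dict, Tuple


class Secret:
    """Holds a secret value so it cannot leak through str(), repr() or f-strings in logs."""

    def __init__(self, value: str, version_id: str) -> None:
        self._value = value
        self.version_id = version_id

    def reveal(self) -> str:
        """Explicit accessor: every use of the raw value is greppable."""
        return self._value

    def __repr__(self) -> str:
        return f"Secret(version_id={self.version_id!r}, value=<redacted>)"

    __str__ = __repr__


class SecretCache:
    """Fetch secrets at runtime under the process's own identity (IAM role, OIDC, ...)
    and cache each for ttl seconds; nothing is copied to env vars or disk, and a
    rotated value shows up after at most ttl seconds."""

    def __init__(self, client: Any, ttl: float = 300.0,
                 clock: Callable[[], float] = time.monotonic) -> None:
        self._client = client
        self._ttl = ttl
        self._clock = clock
        self._entries: Dict[str, Tuple[float, Secret]] = {}

    def get(self, secret_id: str) -> Secret:
        now = self._clock()
        hit = self._entries.get(secret_id)
        if hit is not None and now - hit[0] < self._ttl:
            return hit[1]
        # Same API call that `aws secretsmanager get-secret-value` makes.
        resp = self._client.get_secret_value(SecretId=secret_id)
        secret = Secret(resp["SecretString"], resp["VersionId"])
        self._entries[secret_id] = (now, secret)
        return secret

    def invalidate(self, secret_id: str) -> None:
        """Call after an auth failure: a rotation may land before the TTL expires,
        so the next get() must refetch instead of retrying the stale value."""
        self._entries.pop(secret_id, None)


class FakeSecretsManager:
    """Constructed stand-in for boto3's secretsmanager client (not AWS code)."""

    def __init__(self) -> None:
        self._current: Dict[str, Tuple[str, int]] = {}
        self.api_calls = 0

    def rotate(self, secret_id: str, new_value: str) -> None:
        """Stands in for a rotation Lambda publishing a new AWSCURRENT version."""
        version = self._current.get(secret_id, ("", 0))[1] + 1
        self._current[secret_id] = (new_value, version)

    def get_secret_value(self, SecretId: str) -> Dict[str, Any]:
        self.api_calls += 1
        if SecretId not in self._current:  # boto3 raises ClientError(ResourceNotFoundException)
            raise LookupError(f"ResourceNotFoundException: {SecretId}")
        value, version = self._current[SecretId]
        return {"Name": SecretId, "SecretString": value,
                "VersionId": f"v{version}", "VersionStages": ["AWSCURRENT"]}


class ManualClock:
    """Constructed clock so TTL behaviour can be exercised without sleeping."""

    def __init__(self) -> None:
        self.t = 1000.0

    def now(self) -> float:
        return self.t

    def advance(self, seconds: float) -> None:
        self.t += seconds


def demo() -> Dict[str, Any]:
    """Walk one secret through fetch, cache hit, rotation, TTL expiry and forced refresh."""
    backend = FakeSecretsManager()
    backend.rotate("prod/db/pass", "old-db-password")   # constructed sample value
    clock = ManualClock()
    cache = SecretCache(backend, ttl=300.0, clock=clock.now)

    first = cache.get("prod/db/pass")                   # API call 1
    cache.get("prod/db/pass")                           # cache hit, no API call
    backend.rotate("prod/db/pass", "new-db-password")   # rotation lands
    stale = cache.get("prod/db/pass")                   # within TTL: still the old value
    clock.advance(301.0)
    fresh = cache.get("prod/db/pass")                   # TTL expired: API call 2
    backend.rotate("prod/db/pass", "newer-db-password")
    cache.invalidate("prod/db/pass")                    # e.g. after a DB login failure
    forced = cache.get("prod/db/pass")                  # API call 3
    return {
        "first": (first.version_id, first.reveal()),
        "stale": (stale.version_id, stale.reveal()),
        "fresh": (fresh.version_id, fresh.reveal()),
        "forced": (forced.version_id, forced.reveal()),
        "api_calls": backend.api_calls,
        "log_line": f"connecting with {first}",         # redacted, safe to log
    }


if __name__ == "__main__":
    for key, val in demo().items():
        print(key, val)
```

The TTL is the trade-off knob: a shorter TTL costs more API calls (Secrets Manager bills per call, as the table notes) but shortens the window in which a rotated credential is still served from cache; the `invalidate` path covers the case where rotation lands before the TTL expires and the first sign is an authentication failure.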