Cloud secrets management is the practice of securely storing, accessing, rotating, and governing sensitive credentials such as API keys, passwords, database credentials, and certificates across cloud environments. As organizations adopt multi-cloud architectures and microservices, the number of secrets grows rapidly, creating what is known as secret sprawl. Modern secrets managers address this by centralizing storage with encryption at rest and in transit, automating credential rotation to shorten the window in which a leaked credential remains usable, enforcing least-privilege access through fine-grained policies, and providing comprehensive audit trails for compliance. Understanding the differences between AWS Secrets Manager, Azure Key Vault, Google Secret Manager, and HashiCorp Vault, and when to use dynamic versus static secrets, is critical for building secure, scalable cloud infrastructure.
What This Cheat Sheet Covers
This topic spans 20 focused tables and 118 indexed concepts. Below is a complete table-by-table outline of this topic, spanning foundational concepts through advanced details.
Table 1: Platform Comparison
| Platform | Example | Description |
|---|---|---|
| AWS Secrets Manager | `aws secretsmanager get-secret-value --secret-id db/prod/credentials` | Managed service for automatic rotation of RDS, Redshift, and DocumentDB credentials; native IAM integration and envelope encryption with AWS KMS |
| Azure Key Vault | `az keyvault secret show --vault-name myVault --name dbPassword` | Centralized vault for secrets, keys, and certificates; supports RBAC and access policies (RBAC recommended as of Feb 2026); integrates with managed identities |
| Google Secret Manager | `gcloud secrets versions access latest --secret="db-password"` | Regional and global secret storage options; publishes rotation notifications to Pub/Sub topics; automatic replication across regions |