Never store secrets in code or environment variables

Database passwords, API keys, and certificates kept in code or .env files get committed to git, show up in CI logs, and cannot be rotated without a redeploy. Use a secrets manager instead.

HashiCorp Vault

Vault centralises secret storage, access control, and auditing. Key features for data platforms:

  • Dynamic secrets — Vault generates short-lived database credentials on demand. Each job gets its own credentials, which expire when the job ends, so no shared static password exists to leak.
  • Secret leases — every secret has a TTL and is revoked automatically when it expires.
  • Audit log — every secret access is logged with identity and timestamp.

AWS Secrets Manager

Simpler than Vault for AWS-native stacks. Stores secrets as JSON, integrates with RDS for automatic password rotation, and uses IAM for access control. Use it for teams that do not want to operate Vault.

Rotation pattern

Rotate credentials without downtime: create new credentials → update all consumers → revoke old credentials. The order matters: the old credentials are revoked only once every consumer is on the new ones, otherwise rotation causes the outage it is meant to avoid. Vault's dynamic secrets make this automatic.
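The following is an added example, not code from the page or from Vault or AWS, covering both the lease/TTL behaviour described under Vault and the create → update → revoke rotation pattern. `LeasingSecretStore`, `DatabaseConsumer`, `FakeClock` and the `database/creds/<role>/<n>` lease ids are constructed stand-ins, not a real secrets-manager API; the store models what such a manager does (leases with a TTL, early revocation, an audit trail keyed by identity) and the consumer models a job that renews before expiry and recovers when its credential is revoked out of band.

```python
import secrets
import time
from dataclasses import dataclass


@dataclass
class Lease:
    """One leased credential, modelled on what a secrets manager hands out."""
    lease_id: str
    username: str
    password: str
    expires_at: float
    revoked: bool = False


class FakeClock:
    """Controllable clock so TTL behaviour can be exercised without sleeping."""
    def __init__(self, now=0.0):
        self.now = now
    def __call__(self):
        return self.now
    def advance(self, seconds):
        self.now += seconds


class LeasingSecretStore:
    """Constructed stand-in for a dynamic-secrets engine (not Vault's API):
    every credential is a lease with a TTL, can be revoked early, and every
    issue/revoke is written to an audit trail with the requesting identity."""

    def __init__(self, clock=time.time):
        self.clock = clock
        self.leases = {}   # lease_id -> Lease
        self.audit = []    # (timestamp, identity, action, lease_id)
        self._counter = 0

    def issue(self, role, requester, ttl_seconds):
        self._counter += 1
        lease = Lease(
            lease_id=f"database/creds/{role}/{self._counter}",
            username=f"v-{role}-{self._counter}",
            password=secrets.token_urlsafe(24),
            expires_at=self.clock() + ttl_seconds,
        )
        self.leases[lease.lease_id] = lease
        self.audit.append((self.clock(), requester, "issue", lease.lease_id))
        return lease

    def revoke(self, lease_id, requester):
        self.leases[lease_id].revoked = True
        self.audit.append((self.clock(), requester, "revoke", lease_id))

    def credential_is_valid(self, username, password):
        """What the database would check: known, unexpired and unrevoked."""
        for lease in self.leases.values():
            if lease.username == username and lease.password == password:
                return not lease.revoked and self.clock() < lease.expires_at
        return False


class DatabaseConsumer:
    """A job that connects with leased credentials and renews them before
    expiry, so it never holds a password that is about to stop working."""

    def __init__(self, store, role, ttl_seconds, renew_before_seconds, name):
        self.store = store
        self.role = role
        self.ttl = ttl_seconds
        self.renew_before = renew_before_seconds
        self.name = name
        self.lease = None

    def refresh(self):
        """Fetch a brand-new lease and switch to it."""
        self.lease = self.store.issue(self.role, self.name, self.ttl)
        return self.lease

    def connect(self):
        """Return the username used for this connection attempt."""
        now = self.store.clock()
        if self.lease is None or now >= self.lease.expires_at - self.renew_before:
            self.refresh()  # proactive renewal inside the window before expiry
        if not self.store.credential_is_valid(self.lease.username, self.lease.password):
            # Revoked out of band (e.g. incident response): refetch once, then fail loudly.
            self.refresh()
            if not self.store.credential_is_valid(self.lease.username, self.lease.password):
                raise RuntimeError("database rejected freshly issued credentials")
        return self.lease.username


def rotate_without_downtime(store, consumer, operator):
    """create new -> update consumer -> revoke old; returns (old_user, new_user)."""
    old = consumer.lease
    new = consumer.refresh()
    # Revoke only after the consumer has proven it connects with the new lease.
    if consumer.connect() != new.username:
        raise RuntimeError("consumer did not pick up the new credentials")
    if old is not None:
        store.revoke(old.lease_id, operator)
    return (old.username if old else None, new.username)
```

Each run of `connect()` checks the lease against the same store the database would consult, so the two failure modes a practitioner cares about are both visible: a lease that ages into its renewal window is replaced before it expires, and a lease revoked during incident response is replaced on the next connection attempt rather than taking the job down. The audit list shows every issue and revoke with the identity that requested it, which is the trail the Vault section describes.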