Secrets Management: Vault vs AWS Secrets Manager (Rotation & CI/CD)
Secrets management for DevOps and CI/CD: how to handle API keys, tokens, certificates, and encryption keys safely, without leaking credentials into Git repos, build logs, or pipelines, using tools like HashiCorp Vault. In this episode, we define what "a secret" actually is, walk through the most common failure modes (Git, CI logs, long-lived access keys), and compare practical approaches using HashiCorp Vault and AWS Secrets Manager. We also cover rotation, least privilege, secret scanning, audit logs, and why short-lived credentials are becoming the default in modern platform security.

Who this is for:
- CIO/CTO, Head of Engineering, Platform/SRE leaders: reduce breach risk and incident cost from credential exposure
- DevOps/Platform engineers: implement secure, scalable secret workflows across teams and tooling

Key topics covered:
- Secrets: API keys, tokens, certs, encryption keys (definitions + examples)
- Why storing secrets in Git is dangerous (and how it happens)
- Secrets leaking via CI/CD output and logs
- Secret rotation and incident response when credentials are compromised
- Vault vs AWS Secrets Manager (when to choose each)
- Least privilege and access control to reduce blast radius
- Secret scanning and audit logging for detection + evidence
- Short-lived credentials and removing unused secrets to reduce risk

Chapters
00:00 Intro
01:05 What counts as a "secret"
02:24 Examples: API keys, tokens, certs
02:27 Encryption keys (why they're sensitive)
03:29 Secrets management basics
04:22 Why secrets in Git are dangerous
05:51 Secrets leaking via logs & CI/CD output
07:01 Secret rotation: why it matters
07:40 HashiCorp Vault: where it fits
08:23 Environment variables: pros/cons
08:26 AWS Secrets Manager: common patterns
15:23 Least privilege: reducing blast radius
21:12 Secret scanning: finding leaks early
23:20 Access keys (and why they're risky long-term)
24:04 Compromised secrets: what to do immediately
24:48 Audit logs: proving who accessed what
30:03 CI platforms: GitLab, GitHub Actions, Jenkins
32:57 Short-lived credentials: the modern default
33:06 Remove unused secrets: quiet risk reduction
38:30 Wrap + next steps
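The episode lists "secrets leaking via CI/CD output" and "secret scanning" as topics but does not show what a scanner actually looks like. The following is an added example, not code from the episode or its presenters: a small log scanner that matches known credential formats (AWS access key IDs, GitHub tokens), catches generic `name=value` assignments with a secret-looking name by checking the value's Shannon entropy so that placeholders are not flagged, and redacts every finding before the log is stored. The sample log lines are constructed for the example; the AWS values are the placeholders AWS publishes in its own documentation. The rule names, the 3.5 bits/char entropy threshold and the regexes are this example's assumptions, not something a CI platform ships.

```python
"""Scan CI/CD log output for leaked credentials and redact them.

Added example, not code from the episode.  SAMPLE_LOG is constructed; the
AWS values are the documentation placeholders AWS publishes, not live keys.
"""
import math
import re
from dataclasses import dataclass

# Constructed CI log excerpt.  Line 5 shows what a correctly masked secret
# looks like; line 6 is a low-entropy placeholder that must NOT be flagged.
SAMPLE_LOG = """\
[build] Installing dependencies
[build] export AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE
[build] export AWS_SECRET_ACCESS_KEY=wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY
[deploy] curl -H "Authorization: Bearer ghp_abcdefghijklmnopqrstuvwxyz0123456789" https://api.example.invalid
[deploy] Using GITHUB_TOKEN=***
[test] export API_KEY=aaaaaaaaaaaaaaaaaaaaaaaa
[test] 12 passed in 3.4s
"""

# Each rule: (name, regex whose group 1 is the secret value itself).
# Rule names and patterns are assumptions made for this example.
RULES = [
    ("aws-access-key-id", re.compile(r"\b(AKIA[0-9A-Z]{16})\b")),
    ("github-token", re.compile(r"\b(gh[pousr]_[A-Za-z0-9]{36})\b")),
    # name=value / name: value where the name looks secret-bearing; the
    # value is only reported if it also looks random (see scan()).
    ("generic-assignment", re.compile(
        r"(?i)(?:secret|token|password|api[_-]?key)[a-z_]*\s*[=:]\s*[\"']?"
        r"([A-Za-z0-9/+_\-]{20,})")),
]
ENTROPY_THRESHOLD = 3.5  # bits per character; tune for your environment


def shannon_entropy(value: str) -> float:
    """Bits of entropy per character; 0.0 for a repeated single character."""
    if not value:
        return 0.0
    counts: dict[str, int] = {}
    for ch in value:
        counts[ch] = counts.get(ch, 0) + 1
    n = len(value)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


@dataclass(frozen=True)
class Finding:
    line_no: int
    rule: str
    secret: str


def scan(log_text: str) -> list[Finding]:
    """Return every credential-looking value in the log, in line order."""
    findings: list[Finding] = []
    for line_no, line in enumerate(log_text.splitlines(), start=1):
        for name, pattern in RULES:
            for match in pattern.finditer(line):
                secret = match.group(1)
                # Generic matches need entropy to separate real secrets
                # from placeholders such as 'aaaa...' or 'changeme'.
                if (name == "generic-assignment"
                        and shannon_entropy(secret) < ENTROPY_THRESHOLD):
                    continue
                findings.append(Finding(line_no, name, secret))
    return findings


def redact(log_text: str, findings: list[Finding]) -> str:
    """Replace every found secret with a marker naming the rule that hit."""
    out = log_text
    for f in findings:
        out = out.replace(f.secret, f"[REDACTED:{f.rule}]")
    return out


if __name__ == "__main__":
    found = scan(SAMPLE_LOG)
    for f in found:
        print(f"line {f.line_no}: {f.rule}")
    print(redact(SAMPLE_LOG, found))
```

Run it as a post-step on captured job output before the log is uploaded, or as a pre-commit hook over the diff. A finding is a rotation trigger, not just a log hygiene issue: once a value has been printed into a build log it should be treated as compromised regardless of whether the redaction succeeded.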
