{"id":"b09e328f-e4da-4f4a-80e2-7aa09f154ee8","shortId":"c4GUa5","kind":"skill","title":"secrets-management","tagline":"Secure secrets management practices for CI/CD pipelines using Vault, AWS Secrets Manager, and other tools.","description":"# Secrets Management\n\nSecure secrets management practices for CI/CD pipelines using Vault, AWS Secrets Manager, and other tools.\n\n## Purpose\n\nImplement secure secrets management in CI/CD pipelines without hardcoding sensitive information.\n\n## Use this skill when\n\n- Store API keys and credentials\n- Manage database passwords\n- Handle TLS certificates\n- Rotate secrets automatically\n- Implement least-privilege access\n\n## Do not use this skill when\n\n- You plan to hardcode secrets in source control\n- You cannot secure access to the secrets backend\n- You only need local development values without sharing\n\n## Instructions\n\n1. Identify secret types, owners, and rotation requirements.\n2. Choose a secrets backend and access model.\n3. Integrate CI/CD or runtime retrieval with least privilege.\n4. 
Validate rotation and audit logging.\n\n## Safety\n\n- Never commit secrets to source control.\n- Limit access and log secret usage for auditing.\n\n## Secrets Management Tools\n\n### HashiCorp Vault\n- Centralized secrets management\n- Dynamic secrets generation\n- Secret rotation\n- Audit logging\n- Fine-grained access control\n\n### AWS Secrets Manager\n- AWS-native solution\n- Automatic rotation\n- Integration with RDS\n- CloudFormation support\n\n### Azure Key Vault\n- Azure-native solution\n- HSM-backed keys\n- Certificate management\n- RBAC integration\n\n### Google Secret Manager\n- GCP-native solution\n- Versioning\n- IAM integration\n\n## HashiCorp Vault Integration\n\n### Setup Vault\n\n```bash\n# Start Vault dev server\nvault server -dev\n\n# Set environment\nexport VAULT_ADDR='http://127.0.0.1:8200'\nexport VAULT_TOKEN='root'\n\n# Enable secrets engine\nvault secrets enable -path=secret kv-v2\n\n# Store secret\nvault kv put secret/database/config username=admin password=secret\n```\n\n### GitHub Actions with Vault\n\n```yaml\nname: Deploy with Vault Secrets\n\non: [push]\n\njobs:\n  deploy:\n    runs-on: ubuntu-latest\n    steps:\n    - uses: actions/checkout@v4\n\n    - name: Import Secrets from Vault\n      uses: hashicorp/vault-action@v2\n      with:\n        url: https://vault.example.com:8200\n        token: ${{ secrets.VAULT_TOKEN }}\n        secrets: |\n          secret/data/database username | DB_USERNAME ;\n          secret/data/database password | DB_PASSWORD ;\n          secret/data/api key | API_KEY\n\n    - name: Use secrets\n      run: |\n        echo \"Connecting to database as $DB_USERNAME\"\n        # Use $DB_PASSWORD, $API_KEY\n```\n\n### GitLab CI with Vault\n\n```yaml\ndeploy:\n  image: vault:latest\n  before_script:\n    - export VAULT_ADDR=https://vault.example.com:8200\n    - export VAULT_TOKEN=$VAULT_TOKEN\n    - apk add curl jq\n  script:\n    - |\n      DB_PASSWORD=$(vault kv get -field=password secret/database/config)\n      
API_KEY=$(vault kv get -field=key secret/api/credentials)\n      echo \"Deploying with secrets...\"\n      # Use $DB_PASSWORD, $API_KEY\n```\n\n**Reference:** See `references/vault-setup.md`\n\n## AWS Secrets Manager\n\n### Store Secret\n\n```bash\naws secretsmanager create-secret \\\n  --name production/database/password \\\n  --secret-string \"super-secret-password\"\n```\n\n### Retrieve in GitHub Actions\n\n```yaml\n- name: Configure AWS credentials\n  uses: aws-actions/configure-aws-credentials@v4\n  with:\n    aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }}\n    aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }}\n    aws-region: us-west-2\n\n- name: Get secret from AWS\n  run: |\n    SECRET=$(aws secretsmanager get-secret-value \\\n      --secret-id production/database/password \\\n      --query SecretString \\\n      --output text)\n    echo \"::add-mask::$SECRET\"\n    echo \"DB_PASSWORD=$SECRET\" >> $GITHUB_ENV\n\n- name: Use secret\n  run: |\n    # Use $DB_PASSWORD\n    ./deploy.sh\n```\n\n### Terraform with AWS Secrets Manager\n\n```hcl\ndata \"aws_secretsmanager_secret_version\" \"db_password\" {\n  secret_id = \"production/database/password\"\n}\n\nresource \"aws_db_instance\" \"main\" {\n  allocated_storage    = 100\n  engine              = \"postgres\"\n  instance_class      = \"db.t3.large\"\n  username            = \"admin\"\n  password            = jsondecode(data.aws_secretsmanager_secret_version.db_password.secret_string)[\"password\"]\n}\n```\n\n## GitHub Secrets\n\n### Organization/Repository Secrets\n\n```yaml\n- name: Use GitHub secret\n  run: |\n    echo \"API Key: ${{ secrets.API_KEY }}\"\n    echo \"Database URL: ${{ secrets.DATABASE_URL }}\"\n```\n\n### Environment Secrets\n\n```yaml\ndeploy:\n  runs-on: ubuntu-latest\n  environment: production\n  steps:\n  - name: Deploy\n    run: |\n      echo \"Deploying with ${{ secrets.PROD_API_KEY }}\"\n```\n\n**Reference:** See `references/github-secrets.md`\n\n## GitLab CI/CD 
Variables\n\n### Project Variables\n\n```yaml\ndeploy:\n  script:\n    - echo \"Deploying with $API_KEY\"\n    - echo \"Database: $DATABASE_URL\"\n```\n\n### Protected and Masked Variables\n- Protected: Only available in protected branches\n- Masked: Hidden in job logs\n- File type: Stored as file\n\n## Best Practices\n\n1. **Never commit secrets** to Git\n2. **Use different secrets** per environment\n3. **Rotate secrets regularly**\n4. **Implement least-privilege access**\n5. **Enable audit logging**\n6. **Use secret scanning** (GitGuardian, TruffleHog)\n7. **Mask secrets in logs**\n8. **Encrypt secrets at rest**\n9. **Use short-lived tokens** when possible\n10. **Document secret requirements**\n\n## Secret Rotation\n\n### Automated Rotation with AWS\n\n```python\nimport boto3\nimport json\n\ndef lambda_handler(event, context):\n    client = boto3.client('secretsmanager')\n\n    # Get current secret\n    response = client.get_secret_value(SecretId='my-secret')\n    current_secret = json.loads(response['SecretString'])\n\n    # Generate new password\n    new_password = generate_strong_password()\n\n    # Update database password\n    update_database_password(new_password)\n\n    # Update secret\n    client.put_secret_value(\n        SecretId='my-secret',\n        SecretString=json.dumps({\n            'username': current_secret['username'],\n            'password': new_password\n        })\n    )\n\n    return {'statusCode': 200}\n```\n\n### Manual Rotation Process\n\n1. Generate new secret\n2. Update secret in secret store\n3. Update applications to use new secret\n4. Verify functionality\n5. 
Revoke old secret\n\n## External Secrets Operator\n\n### Kubernetes Integration\n\n```yaml\napiVersion: external-secrets.io/v1beta1\nkind: SecretStore\nmetadata:\n  name: vault-backend\n  namespace: production\nspec:\n  provider:\n    vault:\n      server: \"https://vault.example.com:8200\"\n      path: \"secret\"\n      version: \"v2\"\n      auth:\n        kubernetes:\n          mountPath: \"kubernetes\"\n          role: \"production\"\n\n---\napiVersion: external-secrets.io/v1beta1\nkind: ExternalSecret\nmetadata:\n  name: database-credentials\n  namespace: production\nspec:\n  refreshInterval: 1h\n  secretStoreRef:\n    name: vault-backend\n    kind: SecretStore\n  target:\n    name: database-credentials\n    creationPolicy: Owner\n  data:\n  - secretKey: username\n    remoteRef:\n      key: database/config\n      property: username\n  - secretKey: password\n    remoteRef:\n      key: database/config\n      property: password\n```\n\n## Secret Scanning\n\n### Pre-commit Hook\n\n```bash\n#!/bin/bash\n# .git/hooks/pre-commit\n\n# Check for secrets with TruffleHog. Without --fail TruffleHog exits 0 even\n# when it finds results, so the commit would never be blocked.\nif ! docker run --rm -v \"$(pwd):/repo\" \\\n  trufflesecurity/trufflehog:latest \\\n  filesystem /repo --fail; then\n  echo \"❌ Secret detected! 
Commit blocked.\"\n  exit 1\nfi\n```\n\n### CI/CD Secret Scanning\n\n```yaml\nsecret-scan:\n  stage: security\n  image:\n    name: trufflesecurity/trufflehog:latest\n    entrypoint: [\"\"]  # run the job script in a shell instead of the image entrypoint\n  script:\n    # --fail returns a non-zero exit code when results are found;\n    # without it the job always passes and allow_failure: false has no effect\n    - trufflehog filesystem . --fail\n  allow_failure: false\n```\n\n## Reference Files\n\n- `references/vault-setup.md` - HashiCorp Vault configuration\n- `references/github-secrets.md` - GitHub Secrets best practices\n\n## Related Skills\n\n- `github-actions-templates` - For GitHub Actions integration\n- `gitlab-ci-patterns` - For GitLab CI integration\n- `deployment-pipeline-design` - For pipeline architecture\n\n## Limitations\n- Use this skill only when the task clearly matches the scope described above.\n- Do not treat the output as a substitute for environment-specific validation, testing, or expert review.\n- Stop and ask for clarification if required inputs, permissions, safety boundaries, or success criteria are missing.","tags":["secrets","management","antigravity","awesome","skills","sickn33","agent-skills","agentic-skills","ai-agent-skills","ai-agents","ai-coding","ai-workflows"],"capabilities":["skill","source-sickn33","skill-secrets-management","topic-agent-skills","topic-agentic-skills","topic-ai-agent-skills","topic-ai-agents","topic-ai-coding","topic-ai-workflows","topic-antigravity","topic-antigravity-skills","topic-claude-code","topic-claude-code-skills","topic-codex-cli","topic-codex-skills"],"categories":["antigravity-awesome-skills"],"synonyms":[],"warnings":[],"endpointUrl":"https://skills.sh/sickn33/antigravity-awesome-skills/secrets-management","protocol":"skill","transport":"skills-sh","auth":{"type":"none","details":{"cli":"npx skills add sickn33/antigravity-awesome-skills","source_repo":"https://github.com/sickn33/antigravity-awesome-skills","install_from":"skills.sh"}},"qualityScore":"0.700","qualityRationale":"deterministic score 0.70 from registry signals: · indexed on github topic:agent-skills · 34583 github stars · SKILL.md body (8,158 
chars)","verified":false,"liveness":"unknown","lastLivenessCheck":null,"agentReviews":{"count":0,"score_avg":null,"cost_usd_avg":null,"success_rate":null,"latency_p50_ms":null,"narrative_summary":null,"summary_updated_at":null},"enrichmentModel":"deterministic:skill-github:v1","enrichmentVersion":1,"enrichedAt":"2026-04-22T18:52:11.898Z","embedding":null,"createdAt":"2026-04-18T21:44:02.277Z","updatedAt":"2026-04-22T18:52:11.898Z","lastSeenAt":"2026-04-22T18:52:11.898Z","prices":[{"id":"bcae30d6-bafd-4adb-93e7-0c067cad26b4","listingId":"b09e328f-e4da-4f4a-80e2-7aa09f154ee8","amountUsd":"0","unit":"free","nativeCurrency":null,"nativeAmount":null,"chain":null,"payTo":null,"paymentMethod":"skill-free","isPrimary":true,"details":{"org":"sickn33","category":"antigravity-awesome-skills","install_from":"skills.sh"},"createdAt":"2026-04-18T21:44:02.277Z"}],"sources":[{"listingId":"b09e328f-e4da-4f4a-80e2-7aa09f154ee8","source":"github","sourceId":"sickn33/antigravity-awesome-skills/secrets-management","sourceUrl":"https://github.com/sickn33/antigravity-awesome-skills/tree/main/skills/secrets-management","isPrimary":false,"firstSeenAt":"2026-04-18T21:44:02.277Z","lastSeenAt":"2026-04-22T18:52:11.898Z"}],"details":{"listingId":"b09e328f-e4da-4f4a-80e2-7aa09f154ee8","quickStartSnippet":null,"exampleRequest":null,"exampleResponse":null,"schema":null,"openapiUrl":null,"agentsTxtUrl":null,"citations":[],"useCases":[],"bestFor":[],"notFor":[],"kindDetails":{"org":"sickn33","slug":"secrets-management","github":{"repo":"sickn33/antigravity-awesome-skills","stars":34583,"topics":["agent-skills","agentic-skills","ai-agent-skills","ai-agents","ai-coding","ai-workflows","antigravity","antigravity-skills","claude-code","claude-code-skills","codex-cli","codex-skills","cursor","cursor-skills","developer-tools","gemini-cli","gemini-skills","kiro","mcp","skill-library"],"license":"mit","html_url":"https://github.com/sickn33/antigravity-awesome-skills","pushed_at":"2026-04-22T06:40:00Z","description":"Installable GitHub library of 1,400+ agentic skills for Claude Code, Cursor, Codex CLI, Gemini CLI, Antigravity, and more. 
Includes installer CLI, bundles, workflows, and official/community skill collections.","skill_md_sha":"cb6821c50e1f073eeff7c16c0b41f42906d54434","skill_md_path":"skills/secrets-management/SKILL.md","default_branch":"main","skill_tree_url":"https://github.com/sickn33/antigravity-awesome-skills/tree/main/skills/secrets-management"},"layout":"multi","source":"github","category":"antigravity-awesome-skills","frontmatter":{"name":"secrets-management","description":"Secure secrets management practices for CI/CD pipelines using Vault, AWS Secrets Manager, and other tools."},"skills_sh_url":"https://skills.sh/sickn33/antigravity-awesome-skills/secrets-management"},"updatedAt":"2026-04-22T18:52:11.898Z"}}