How do I install Secrets Management?

Install Secrets Management with a single command: npx mdskills install sickn33/secrets-management. This downloads the skill files into your project and your AI agent picks them up automatically.

What platforms support Secrets Management?

Secrets Management works with Claude Code, Claude Desktop, Cursor, Vscode Copilot, Windsurf, Continue Dev, Codex, Gemini Cli, Amp, Roo Code, Goose, Opencode, Trae, Qodo, Command Code. Skills use the open SKILL.md format which is compatible with any AI coding agent that reads markdown instructions.

← Back to skills

Secrets Management

Name: Secrets Management: AI Agent Skill
Rating: 8 (1 reviews)
Author: sickn33

Verified

DevOps & CI/CDIntermediate

Implement secure secrets management for CI/CD pipelines using Vault, AWS Secrets Manager, or native platform solutions. Use when handling sensitive credentials, rotating secrets, or securing CI/CD environments.

by @sickn330Updated 2 weeks ago

Add this skill

npx mdskills install sickn33/secrets-management

Fork & Edit

Skill Advisor8.0

Comprehensive secrets management guide with multi-platform examples and security best practices

+Covers multiple secrets backends with concrete YAML and code examples
+Includes secret rotation, scanning, and Kubernetes External Secrets Operator patterns
+Provides clear safety guidelines and platform-specific integration steps
-Instructions could be more prescriptive for agents to follow step-by-step
-Some examples use dev/root tokens that should warn against production use

SKILL.md

Edit in Browser

1---
2name: secrets-management
3description: Implement secure secrets management for CI/CD pipelines using Vault, AWS Secrets Manager, or native platform solutions. Use when handling sensitive credentials, rotating secrets, or securing CI/CD environments.
4---
5 
6# Secrets Management
7 
8Secure secrets management practices for CI/CD pipelines using Vault, AWS Secrets Manager, and other tools.
9 
10## Purpose
11 
12Implement secure secrets management in CI/CD pipelines without hardcoding sensitive information.
13 
14## Use this skill when
15 
16- Store API keys and credentials
17- Manage database passwords
18- Handle TLS certificates
19- Rotate secrets automatically
20- Implement least-privilege access
21 
22## Do not use this skill when
23 
24- You plan to hardcode secrets in source control
25- You cannot secure access to the secrets backend
26- You only need local development values without sharing
27 
28## Instructions
29 
301. Identify secret types, owners, and rotation requirements.
312. Choose a secrets backend and access model.
323. Integrate CI/CD or runtime retrieval with least privilege.
334. Validate rotation and audit logging.
34 
35## Safety
36 
37- Never commit secrets to source control.
38- Limit access and log secret usage for auditing.
39 
40## Secrets Management Tools
41 
42### HashiCorp Vault
43- Centralized secrets management
44- Dynamic secrets generation
45- Secret rotation
46- Audit logging
47- Fine-grained access control
48 
49### AWS Secrets Manager
50- AWS-native solution
51- Automatic rotation
52- Integration with RDS
53- CloudFormation support
54 
55### Azure Key Vault
56- Azure-native solution
57- HSM-backed keys
58- Certificate management
59- RBAC integration
60 
61### Google Secret Manager
62- GCP-native solution
63- Versioning
64- IAM integration
65 
66## HashiCorp Vault Integration
67 
68### Setup Vault
69 
70```bash
71# Start Vault dev server
72vault server -dev
73 
74# Set environment
75export VAULT_ADDR='http://127.0.0.1:8200'
76export VAULT_TOKEN='root'
77 
78# Enable secrets engine
79vault secrets enable -path=secret kv-v2
80 
81# Store secret
82vault kv put secret/database/config username=admin password=secret
83```
84 
85### GitHub Actions with Vault
86 
87```yaml
88name: Deploy with Vault Secrets
89 
90on: [push]
91 
92jobs:
93  deploy:
94    runs-on: ubuntu-latest
95    steps:
96    - uses: actions/checkout@v4
97 
98    - name: Import Secrets from Vault
99      uses: hashicorp/vault-action@v2
100      with:
101        url: https://vault.example.com:8200
102        token: ${{ secrets.VAULT_TOKEN }}
103        secrets: |
104          secret/data/database username | DB_USERNAME ;
105          secret/data/database password | DB_PASSWORD ;
106          secret/data/api key | API_KEY
107 
108    - name: Use secrets
109      run: |
110        echo "Connecting to database as $DB_USERNAME"
111        # Use $DB_PASSWORD, $API_KEY
112```
113 
114### GitLab CI with Vault
115 
116```yaml
117deploy:
118  image: vault:latest
119  before_script:
120    - export VAULT_ADDR=https://vault.example.com:8200
121    - export VAULT_TOKEN=$VAULT_TOKEN
122    - apk add curl jq
123  script:
124    - |
125      DB_PASSWORD=$(vault kv get -field=password secret/database/config)
126      API_KEY=$(vault kv get -field=key secret/api/credentials)
127      echo "Deploying with secrets..."
128      # Use $DB_PASSWORD, $API_KEY
129```
130 
131**Reference:** See `references/vault-setup.md`
132 
133## AWS Secrets Manager
134 
135### Store Secret
136 
137```bash
138aws secretsmanager create-secret \
139  --name production/database/password \
140  --secret-string "super-secret-password"
141```
142 
143### Retrieve in GitHub Actions
144 
145```yaml
146- name: Configure AWS credentials
147  uses: aws-actions/configure-aws-credentials@v4
148  with:
149    aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }}
150    aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
151    aws-region: us-west-2
152 
153- name: Get secret from AWS
154  run: |
155    SECRET=$(aws secretsmanager get-secret-value \
156      --secret-id production/database/password \
157      --query SecretString \
158      --output text)
159    echo "::add-mask::$SECRET"
160    echo "DB_PASSWORD=$SECRET" >> $GITHUB_ENV
161 
162- name: Use secret
163  run: |
164    # Use $DB_PASSWORD
165    ./deploy.sh
166```
167 
168### Terraform with AWS Secrets Manager
169 
170```hcl
171data "aws_secretsmanager_secret_version" "db_password" {
172  secret_id = "production/database/password"
173}
174 
175resource "aws_db_instance" "main" {
176  allocated_storage    = 100
177  engine              = "postgres"
178  instance_class      = "db.t3.large"
179  username            = "admin"
180  password            = jsondecode(data.aws_secretsmanager_secret_version.db_password.secret_string)["password"]
181}
182```
183 
184## GitHub Secrets
185 
186### Organization/Repository Secrets
187 
188```yaml
189- name: Use GitHub secret
190  run: |
191    echo "API Key: ${{ secrets.API_KEY }}"
192    echo "Database URL: ${{ secrets.DATABASE_URL }}"
193```
194 
195### Environment Secrets
196 
197```yaml
198deploy:
199  runs-on: ubuntu-latest
200  environment: production
201  steps:
202  - name: Deploy
203    run: |
204      echo "Deploying with ${{ secrets.PROD_API_KEY }}"
205```
206 
207**Reference:** See `references/github-secrets.md`
208 
209## GitLab CI/CD Variables
210 
211### Project Variables
212 
213```yaml
214deploy:
215  script:
216    - echo "Deploying with $API_KEY"
217    - echo "Database: $DATABASE_URL"
218```
219 
220### Protected and Masked Variables
221- Protected: Only available in protected branches
222- Masked: Hidden in job logs
223- File type: Stored as file
224 
225## Best Practices
226 
2271. **Never commit secrets** to Git
2282. **Use different secrets** per environment
2293. **Rotate secrets regularly**
2304. **Implement least-privilege access**
2315. **Enable audit logging**
2326. **Use secret scanning** (GitGuardian, TruffleHog)
2337. **Mask secrets in logs**
2348. **Encrypt secrets at rest**
2359. **Use short-lived tokens** when possible
23610. **Document secret requirements**
237 
238## Secret Rotation
239 
240### Automated Rotation with AWS
241 
242```python
243import boto3
244import json
245 
246def lambda_handler(event, context):
247    client = boto3.client('secretsmanager')
248 
249    # Get current secret
250    response = client.get_secret_value(SecretId='my-secret')
251    current_secret = json.loads(response['SecretString'])
252 
253    # Generate new password
254    new_password = generate_strong_password()
255 
256    # Update database password
257    update_database_password(new_password)
258 
259    # Update secret
260    client.put_secret_value(
261        SecretId='my-secret',
262        SecretString=json.dumps({
263            'username': current_secret['username'],
264            'password': new_password
265        })
266    )
267 
268    return {'statusCode': 200}
269```
270 
271### Manual Rotation Process
272 
2731. Generate new secret
2742. Update secret in secret store
2753. Update applications to use new secret
2764. Verify functionality
2775. Revoke old secret
278 
279## External Secrets Operator
280 
281### Kubernetes Integration
282 
283```yaml
284apiVersion: external-secrets.io/v1beta1
285kind: SecretStore
286metadata:
287  name: vault-backend
288  namespace: production
289spec:
290  provider:
291    vault:
292      server: "https://vault.example.com:8200"
293      path: "secret"
294      version: "v2"
295      auth:
296        kubernetes:
297          mountPath: "kubernetes"
298          role: "production"
299 
300---
301apiVersion: external-secrets.io/v1beta1
302kind: ExternalSecret
303metadata:
304  name: database-credentials
305  namespace: production
306spec:
307  refreshInterval: 1h
308  secretStoreRef:
309    name: vault-backend
310    kind: SecretStore
311  target:
312    name: database-credentials
313    creationPolicy: Owner
314  data:
315  - secretKey: username
316    remoteRef:
317      key: database/config
318      property: username
319  - secretKey: password
320    remoteRef:
321      key: database/config
322      property: password
323```
324 
325## Secret Scanning
326 
327### Pre-commit Hook
328 
329```bash
330#!/bin/bash
331# .git/hooks/pre-commit
332 
333# Check for secrets with TruffleHog
334docker run --rm -v "$(pwd):/repo" \
335  trufflesecurity/trufflehog:latest \
336  filesystem --directory=/repo
337 
338if [ $? -ne 0 ]; then
339  echo "❌ Secret detected! Commit blocked."
340  exit 1
341fi
342```
343 
344### CI/CD Secret Scanning
345 
346```yaml
347secret-scan:
348  stage: security
349  image: trufflesecurity/trufflehog:latest
350  script:
351    - trufflehog filesystem .
352  allow_failure: false
353```
354 
355## Reference Files
356 
357- `references/vault-setup.md` - HashiCorp Vault configuration
358- `references/github-secrets.md` - GitHub Secrets best practices
359 
360## Related Skills
361 
362- `github-actions-templates` - For GitHub Actions integration
363- `gitlab-ci-patterns` - For GitLab CI integration
364- `deployment-pipeline-design` - For pipeline architecture
365

Full transparency — inspect the skill content before installing.