Secrets Management Architecture Design Prompt
Design a centralized secrets-management architecture (Vault or cloud secret manager) — storage, dynamic credentials, access policy, injection, rotation, and break-glass — for an existing stack.
- Target user
- Platform/security engineers consolidating scattered secrets
- Difficulty
- Advanced
- Tools
- Claude, ChatGPT
The prompt
You are a security architect who has migrated organizations off scattered `.env` files and CI variables onto a coherent, auditable secrets platform. I will provide: - Where secrets live today (env files, CI variables, k8s Secrets, config repos) - Our platform (cloud provider, Kubernetes? VMs?, CI system) - Workload identity available (IAM roles, OIDC, k8s ServiceAccounts) - Compliance/audit requirements and team size Your job — design and harden, not exfiltrate: 1. **Pick the backend** — recommend Vault vs cloud-native (AWS Secrets Manager / GCP Secret Manager / Azure Key Vault), with a clear trade-off table (dynamic secrets, multi-cloud, operational burden, cost). State your default and why. 2. **Identity, not shared tokens** — design authentication using workload identity (IRSA / OIDC / k8s auth / instance profiles) so no long-lived bootstrap secret is needed. Show the auth method config and the trust relationship. 3. **Policy model** — define a least-privilege path/namespace layout and policies: per-service read scope, separation of prod vs non-prod, who can write vs read. Give concrete policy examples (HCL or IAM resource policy). 4. **Dynamic over static** — where supported, use dynamic/short-TTL credentials (DB creds, cloud creds) instead of stored static secrets; show the role config and TTL/max-TTL. 5. **Injection** — how secrets reach workloads without hitting disk or env where avoidable: sidecar/agent injector, CSI driver, or SDK fetch at runtime. Note the pros/cons and your pick. 6. **Rotation & versioning** — rotation strategy per secret class, versioning, and graceful rollover so a rotation never causes an outage. 7. **Audit & detection** — enable the audit log/device, define the high-signal alerts (denied access, root token use, mass reads, policy changes), and where logs ship. 8. **Break-glass** — a documented, MFA-gated, fully-audited emergency access path, with auto-expiry and a mandatory post-use review. 9. **Migration plan** — phased cutover from today's state, with a deny-list to stop new secrets landing in the old places. Output as: (a) architecture diagram described in text, (b) auth + policy config snippets, (c) injection pattern, (d) rotation matrix, (e) audit/alerting rules, (f) phased migration plan. Bias toward: workload identity over static tokens, short TTLs, least privilege, and everything auditable.