Skip to content
Latchkey

What Is a Secrets Manager? The Vault Behind Your Credentials

A secrets manager is a purpose-built service that stores credentials encrypted, controls who can read them, and hands them out at runtime with a full audit trail.

A secrets manager is the dedicated vault behind secrets management. Instead of scattering keys across config files and environment variables, you centralize them in one service that encrypts them, enforces access policy, rotates them, and logs every read. CI pipelines fetch what they need at job time and nothing is left lying around.

What a secrets manager provides

  • Encryption at rest and in transit for every stored value.
  • Fine-grained access policies tied to identity.
  • Audit logs of every read and write.
  • Built-in or scheduled rotation of credentials.

Common implementations

HashiCorp Vault, AWS Secrets Manager, Google Secret Manager, and Azure Key Vault are the usual choices. Each exposes an API or CLI that a pipeline calls to fetch a secret just before it is needed, authenticating with a short-lived identity rather than another stored password.

How CI talks to it

A job authenticates to the manager (ideally with an OIDC token or a workload identity, not a static key), requests the specific secret it needs, uses it in memory, and exits. The secret never lands in the repo or the CI configuration.

Dynamic secrets

Advanced managers can generate credentials on the fly: a database password that exists only for the lifetime of one job, then is revoked. Dynamic secrets shrink the window in which a leaked value is useful to nearly nothing.

Why not just use CI secret variables

CI-native secret stores are fine for small projects, but a dedicated manager centralizes secrets across many pipelines and tools, gives richer rotation and audit, and avoids duplicating the same key in every repo. Many teams use both: the manager as source of truth, CI variables for the bootstrap token.

Where the runner fits

Fetching a secret is safe only if the machine doing the fetching is trustworthy and short-lived. Isolated ephemeral runners (like Latchkey managed runners) ensure that a secret pulled from the manager is gone the moment the job ends, never readable by a later job on the same host.

Key takeaways

  • A secrets manager centralizes credentials with encryption, access policy, and audit.
  • Vault, AWS Secrets Manager, and Azure Key Vault are common implementations.
  • Dynamic, per-job secrets make a leaked credential nearly worthless.

Related guides

Tired of flaky CI? Latchkey auto-heals failed jobs and retries them for you. Start free →