Buying Secrets Manager
Buyer's guide.
Overview
A secrets manager's job is to keep credentials out of source control, out of CI logs, and out of long-lived environment variables, while still getting them to the workload that needs them at runtime. The buying decision turns on rotation, dynamic credentials, and how the secrets are injected into containers and serverless functions.
- Rotation support. Automatic rotation for cloud credentials, database passwords, and TLS certs; one-click manual rotation for long-tail secrets.
- Dynamic credentials. Short-lived database and cloud credentials issued on demand; long-lived static secrets are an anti-pattern.
- Injection model. Sidecar, init container, environment variable, file-mount, or SDK call. The right one depends on your runtime.
- Audit and access control. Per-secret access policies, audit log of every read, alerts on unusual access patterns.
The approach
Trial against your real runtimes (containers, serverless, VMs) and your real rotation requirements. The vendor that covers all three runtimes cleanly wins.
- Runtime inventory. List every place secrets are consumed today; the vendor has to cover all of them or you end up with two tools.
- Rotation test. Rotate a real database credential and watch whether the running app picks up the new value cleanly.
- Dynamic-credentials check. If you can issue 15-minute database creds on demand, do; long-lived static creds are the legacy path.
- Document the choice and the exit ramp. Capture rationale and how secrets would migrate if you switched.
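As an added illustration of the rotation test (not part of this guide or any vendor's code), a simulated run in Python: SecretStore, Database and SecretClient are constructed stand-ins, not a real secrets-manager API, and the harness contrasts a consumer that re-reads the store after an auth rejection with one that stays stuck on the stale value.

```python
import time

class SecretStore:
    """Constructed stand-in for a secrets manager: every read is recorded (the audit trail)."""
    def __init__(self):
        self._secrets, self.audit = {}, []
    def put(self, name, value):
        self._secrets[name] = value
    def get(self, name):
        self.audit.append(name)
        return self._secrets[name]

class Database:
    """Constructed stand-in: accepts only the password currently set on the server."""
    def __init__(self, password):
        self.password = password
    def query(self, password):
        if password != self.password:
            raise PermissionError("authentication failed")
        return "ok"

class SecretClient:
    """Caches the secret for ttl_s seconds; with refetch_on_reject it re-reads the store
    once after an auth failure, so a rotation during runtime is absorbed without a restart."""
    def __init__(self, store, db, name, ttl_s=60.0, refetch_on_reject=True):
        self.store, self.db, self.name, self.ttl_s = store, db, name, ttl_s
        self.refetch_on_reject, self.cached, self._fetched_at = refetch_on_reject, None, 0.0
    def _password(self, force=False):
        if force or self.cached is None or time.monotonic() - self._fetched_at > self.ttl_s:
            self.cached = self.store.get(self.name)
            self._fetched_at = time.monotonic()
        return self.cached
    def query(self):
        try:
            return self.db.query(self._password())
        except PermissionError:
            if not self.refetch_on_reject:
                raise  # the legacy pattern: the app is stuck until someone restarts it
            return self.db.query(self._password(force=True))

def rotation_test(refetch_on_reject=True):
    """Rotate a live credential mid-run; return (result, store reads, credential now cached)."""
    store, db = SecretStore(), Database("old-pw")
    store.put("db/app", "old-pw")
    client = SecretClient(store, db, "db/app", refetch_on_reject=refetch_on_reject)
    assert client.query() == "ok"  # warm the cache with the pre-rotation credential
    db.password = "new-pw"         # rotation: new password set on the server...
    store.put("db/app", "new-pw")  # ...and published to the secrets store
    try:
        return client.query(), len(store.audit), client.cached
    except PermissionError:
        return "stuck on stale credential", len(store.audit), client.cached
```

Run the same harness against the vendor's SDK in your trial: the second store read after rotation should appear in its audit log, which is the evidence the audit-and-access-control criterion asks for.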
Why this compounds
The right secrets manager keeps paying back: credential leaks become recoverable instead of catastrophic, rotation stops being a quarterly fire drill, and audit becomes a query rather than a forensic exercise.
- Security posture. Short-lived credentials shrink the blast radius of any leak.
- Operational consolidation. One secrets surface across runtimes removes the per-team spreadsheet of "where does this password live."
- Compliance evidence. Audit logs of secret access become the artefact for SOC 2 and ISO 27001.
- Decision trail for the next renewal. The trial data becomes the renewal scorecard, not a cold start.