Engineering Advanced SecretsSecurityEnvironment

Env Secrets Manager

.env management, leak detection, and rotation workflows.

$skillfish add ~skills/env-secrets-manager

Real Examples Get Started Models & Context Good to Know

Real Conversations

See how the Env Secrets Manager skill responds to actual requests. These are representative examples of what your AI agent will produce.

You

A security scan flagged that we might have secrets in our git history. We have 5 .env files across environments and a 3-year git history. How do I check what's been committed?

Agent

This skill includes executable scripts — I'll need your permission before running them.

The leak scanner checks both current files and full git history:

python scripts/env_scanner.py --repo . --scan-history --format text

What it scans:

Current .env* files for patterns: API keys, tokens, passwords, connection strings
git log --all --full-history -- '*.env*' for historical commits
All branches for patterns matching known secret formats (AWS, Stripe, GitHub, etc.)

Sample findings:

Leak Scan Report
════════════════
Files scanned: 5  |  Commits scanned: 1,847

CRITICAL — Active secret in git history
  Commit: a3b7c2d (2023-08-14) — "Add staging config"
  File: .env.staging
  Match: STRIPE_SECRET_KEY=sk_live_4xT...
  Status: Key may still be valid — ROTATE IMMEDIATELY

HIGH — .env.local tracked by git
  .gitignore missing .env.local
  Contains: OPENAI_API_KEY, DATABASE_URL
  Action: Remove from tracking + add to .gitignore

INFO — .env.example is clean (expected)

Immediate response for the Stripe key:

Rotate in Stripe dashboard → Developers → API Keys (30 seconds)
Update the new key in your secrets manager
Scrub from git history: git filter-repo --path .env.staging --invert-paths
Force-push all branches (coordinate with the team first)

Prevent recurrence:

# .gitignore
.env
.env.*
!.env.example

You

We have 4 developers and 3 environments. Half our bugs are 'works on my machine' env var mismatches. How do I create a system where .env.example is the source of truth and we detect drift?

Agent

The system: .env.example is the contract. Any env var referenced in code must be in .env.example. Drift = CI failure.

Step 1: Generate .env.example from codebase

# Scanner extracts all process.env.FOO references from code
python scripts/env_scanner.py --repo . --extract-vars --output .env.example

# .env.example — committed to git, no real values
DATABASE_URL=postgresql://localhost:5432/myapp_dev
JWT_SECRET=change-me-in-each-environment
STRIPE_PUBLIC_KEY=pk_test_...
STRIPE_SECRET_KEY=sk_test_...  # NEVER commit real sk_live_ values
LOG_LEVEL=info
# OPTIONAL_FEATURE_FLAG=false

Step 2: CI drift check

# .github/workflows/ci.yml
- name: Env drift check
  run: |
    python scripts/env_scanner.py \
      --check-drift \
      --required .env.example \
      --actual .env.ci
  # Fails CI if .env.ci is missing any var from .env.example

Step 3: New developer onboarding (30 seconds)

# setup.sh
cp .env.example .env.local
echo "Fill in your personal values — get secrets from 1Password vault: Engineering/Dev Secrets"

Result: every developer has .env.local pre-populated with all keys, knows exactly which values to get from the password manager, and CI catches any new var that's added to code but not documented in .env.example.

You

We're scaling up and need to move away from .env files to a proper secrets manager. We have 34 environment variables across 3 services. We want to use AWS Secrets Manager. What's the migration plan?

Agent

This skill includes executable scripts — I'll need your permission before running them.

Phase 1: Upload existing vars to Secrets Manager (day 1)

python scripts/env_scanner.py \
  --migrate-to-aws \
  --input .env.production \
  --secret-name myapp/production \
  --region us-east-1

This creates one JSON secret per service:

// Secret: myapp/production
{
  "DATABASE_URL": "postgresql://...",
  "JWT_SECRET": "...",
  "STRIPE_SECRET_KEY": "sk_live_..."
}

Phase 2: Update app to read from Secrets Manager (day 2-3)

# config.py — replaces python-dotenv loading
import boto3, json, functools

@functools.lru_cache(maxsize=1)  # cache for process lifetime
def get_secrets() -> dict:
    client = boto3.client('secretsmanager', region_name='us-east-1')
    response = client.get_secret_value(SecretId='myapp/production')
    return json.loads(response['SecretString'])

_s = get_secrets()
DATABASE_URL = _s['DATABASE_URL']
STRIPE_SECRET_KEY = _s['STRIPE_SECRET_KEY']

Phase 3: IAM least-privilege policy

{
  "Effect": "Allow",
  "Action": ["secretsmanager:GetSecretValue"],
  "Resource": "arn:aws:secretsmanager:us-east-1:*:secret:myapp/*"
}

Phase 4: Enable rotation (day 4)

aws secretsmanager rotate-secret \
  --secret-id myapp/production \
  --rotation-rules AutomaticallyAfterDays=90

Cost: ~$0.40/secret/month = ~$1.20/month for 3 services. Far cheaper than a credential rotation incident.

Get Started

How to install and use this skill in your preferred environment.

Skills are designed for AI coding agents (Claude Code, Cursor, Windsurf) and IDE-based workflows where the agent can read files, run scripts, and act on your codebase. Web-based AI can use the knowledge and frameworks, but won't have tool access.

Models & Context

Which AI models and context windows work best with this skill.

Recommended Models

Best

Claude Opus 4 Claude Sonnet 4 GPT-4.1 Gemini 2.5 Pro Grok 3 Kimi K2

Good

Claude Haiku 4.5 GPT-4.1 mini Gemini 2.5 Flash Grok 3 mini

Larger models produce more detailed, production-ready outputs.

Context Window

This skill's SKILL.md is typically 3–10 KB — fits in any modern context window.

8K Skill only

32K+ Skill + conversation

100K+ Skill + references + codebase

All current frontier models (Claude, GPT, Gemini) support 100K+ context. Use the full window for complex multi-service work.

Pro tips for best results

1

Be specific

Include numbers — users, budget, RPS — so the skill can size the architecture.

2

Share constraints

Compliance needs, team size, and existing stack all improve the output.

3

Iterate

Start with a high-level design, then ask follow-ups for IaC, cost analysis, or security review.

4

Combine skills

Pair with companion skills below for end-to-end coverage.

Good to Know

Advanced guide and reference material for Env Secrets Manager. Background, edge cases, and patterns worth understanding.

Contents

Secret Classification and Rotation Cadence

Not all secrets have the same risk profile. Treat them differently:

Type	Examples	Rotation cadence	Risk on exposure
Static credentials	DB passwords, SSH keys	90 days minimum; 30 days for critical	Full access until rotated
Short-lived tokens	AWS STS, OIDC JWT, Vault leases	Minutes to hours (auto-expires)	Minimal — expires on its own
API keys	Stripe, Twilio, SendGrid	180 days or on personnel change	Service-level blast radius
TLS certificates	mTLS certs, internal CA	Before expiry; automate with cert-manager	Service disruption on expiry

Short-lived tokens via workload identity are the goal. Everything else is a compromise you're accepting because migration hasn't happened yet.

Zero-Trust Secret Access Patterns

Long-lived API keys are the path of least resistance and the highest risk. A key in an environment variable is one printenv away from leaking. Any process that can read the environment can steal it.

Workload identity replaces this with cryptographic proof of identity:

AWS IRSA (IAM Roles for Service Accounts): Pod's service account is annotated with an IAM role ARN. AWS SDK exchanges a projected service account token for temporary STS credentials. No secrets stored anywhere.
GCP Workload Identity: Same model — Kubernetes service account mapped to a GCP service account. Credentials are fetched automatically by the metadata server.
Azure Managed Identity: VM or pod is assigned an identity; applications call the IMDS endpoint at 169.254.169.254 to get tokens. Zero config in application code.

# IRSA example — verify your pod is using workload identity correctly:
aws sts get-caller-identity
# Should return the role ARN from your annotation, not a long-lived key

If get-caller-identity returns a user ARN instead of a role ARN, a long-lived key is in the environment and bypassing IRSA.

Rotation Strategies Without Downtime

The dual-active (blue/green credential) pattern:

Create new credential (db_password_v2) alongside existing (db_password_v1)
Grant both credentials access to the database simultaneously
Deploy application update to read v2 — both work during rollout
Confirm all instances are using v2 (check access logs)
Revoke v1

This gives you a safe rollback window. The failure mode of immediate rotation (create new, delete old, deploy) is that any pods that haven't restarted yet start failing at step 3.

Minimum dual-active window: Greater than your longest pod startup time plus your deployment rollout window. For most teams, 15–30 minutes.

Common Audit Findings

Finding	How it happens	Remediation
Secrets in git history	`.env` committed before `.gitignore` was set up	`git filter-repo --path .env --invert-paths`; rotate all exposed secrets immediately
`.env` baked into Docker image	`COPY . .` before `RUN` in Dockerfile, `.env` not in `.dockerignore`	Add `.env*` to `.dockerignore`; rotate; rebuild without layer cache
Secrets in CI logs	`echo $SECRET` in debug step, or a tool that prints env on error	Mask variables in CI (GitHub: `echo "::add-mask::$VALUE"`); audit log retention
No rotation policy	"We'll do it when something breaks"	Automate rotation via Secrets Manager events or Vault's dynamic secrets
Shared credentials	One DB user for all services, or one API key across teams	Per-service credentials; audit trail becomes meaningful only with isolation

Tool Comparison

	AWS Secrets Manager	HashiCorp Vault	Doppler	1Password Secrets Automation
Dynamic secrets	No (rotation via Lambda)	Yes — native for Postgres, MySQL, AWS, etc.	No	No
Self-hosted	No	Yes (OSS) / No (HCP)	No	No
Cost model	$0.40/secret/month + API calls	Free OSS; HCP ~$0.03/hour/cluster	Per-seat SaaS	Per-seat SaaS
Best for	AWS-native teams already using IAM	Complex multi-cloud, dynamic secrets, fine-grained policy	Dev teams wanting a simple Heroku-style DX	Teams already on 1Password for password management
Secret injection	SDK or sidecar (ASCP)	Agent, sidecar, or `vault env`	CLI or native integrations	CLI or SDKs

Vault's dynamic secrets are the gold standard for database credentials — each application gets its own short-lived credential issued on demand, audited to the service identity.

Ready to try Env Secrets Manager?

Install the skill and start getting expert-level guidance in your workflow — any agent, any IDE.

$skillfish add ~skills/env-secrets-manager

← Browse all 169 skills

Env Secrets Manager

Real Conversations

Get Started

Claude Code, OpenCode, or any CLI agent

Cursor, Windsurf, or IDE-based agents

Claude.ai, ChatGPT, Gemini, or any web AI

Models & Context

Recommended Models

Context Window

Pro tips for best results

Good to Know

Secret Classification and Rotation Cadence

Zero-Trust Secret Access Patterns

Rotation Strategies Without Downtime

Common Audit Findings

Tool Comparison

Ready to try Env Secrets Manager?