---
name: secrets-management
description: "Secure secrets management practices for CI/CD pipelines using Vault, AWS Secrets Manager, and other tools."
risk: unknown
source: community
date_added: "2026-02-27"
---

# Secrets Management

Secure secrets management practices for CI/CD pipelines using Vault, AWS Secrets Manager, and other tools.

## Purpose

Implement secure secrets management in CI/CD pipelines without hardcoding sensitive information.

## Use this skill when

- Storing API keys and credentials
- Managing database passwords
- Handling TLS certificates and private keys
- Rotating secrets automatically
- Implementing least-privilege access to secrets

## Do not use this skill when

- You plan to hardcode secrets in source control
- You cannot secure access to the secrets backend
- You only need local development values that are never shared

## Instructions

1. Identify secret types, owners, and rotation requirements.
2. Choose a secrets backend and access model.
3. Integrate CI/CD or runtime retrieval with least privilege.
4. Validate rotation and audit logging.
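
Step 4 is only meaningful if someone actually reads the audit log. The following Python script is an added example (not part of this skill or of Vault) that walks Vault file-audit-device entries and reports what an access review needs: denied reads, reads performed with a root token, and successful reads by an auth role that the allow-list does not grant for that path. The `ALLOWED_ROLES` map and the sample entries are constructed for the example; the entry shape follows Vault's JSON audit format (one object per line, `type` of `request` or `response`, `auth.metadata.role` for JWT/AppRole logins), but check it against your own device's output.

```python
import json
from collections import Counter

# Which Vault auth role may read each KV path prefix. This mapping is an assumption
# of the example; derive it from your own policies.
ALLOWED_ROLES = {
    "secret/data/production/": {"prod-deploy"},
    "secret/data/staging/": {"staging-deploy"},
}

# Constructed sample entries in the shape of Vault's file audit device (one JSON
# object per line). Vault HMACs secret values, so only paths and identities show.
SAMPLE_AUDIT_LOG = """\
{"time":"2026-02-27T10:00:01Z","type":"response","auth":{"display_name":"jwt-prod-deploy","policies":["default","prod-deploy"],"metadata":{"role":"prod-deploy"}},"request":{"operation":"read","path":"secret/data/production/database","remote_address":"10.0.1.5"},"error":""}
{"time":"2026-02-27T10:00:02Z","type":"response","auth":{"display_name":"jwt-staging-deploy","policies":["default","staging-deploy"],"metadata":{"role":"staging-deploy"}},"request":{"operation":"read","path":"secret/data/production/database","remote_address":"10.0.2.9"},"error":""}
{"time":"2026-02-27T10:00:03Z","type":"response","auth":{"display_name":"jwt-staging-deploy","policies":["default","staging-deploy"],"metadata":{"role":"staging-deploy"}},"request":{"operation":"read","path":"secret/data/production/api","remote_address":"10.0.2.9"},"error":"1 error occurred:\\n\\t* permission denied\\n\\n"}
{"time":"2026-02-27T10:00:04Z","type":"response","auth":{"display_name":"root","policies":["root"],"metadata":{}},"request":{"operation":"read","path":"secret/data/production/database","remote_address":"192.0.2.10"},"error":""}
{"time":"2026-02-27T10:00:05Z","type":"request","auth":{"display_name":"jwt-prod-deploy","policies":["default","prod-deploy"],"metadata":{"role":"prod-deploy"}},"request":{"operation":"read","path":"secret/data/production/database","remote_address":"10.0.1.5"}}
"""


def audit_findings(log_text, allowed_roles=ALLOWED_ROLES):
    """Return (findings, reads).

    findings: list of (kind, identity, path) for denied reads, reads made with a
              root token, and successful reads by a role the allow-list does not grant.
    reads:    Counter of (identity, path) for successful reads, for the access review.
    """
    findings, reads = [], Counter()
    for line in log_text.splitlines():
        if not line.strip():
            continue
        entry = json.loads(line)
        # Every operation yields a "request" entry and a "response" entry; only the
        # response carries the outcome, so evaluate that one and skip the other.
        if entry.get("type") != "response":
            continue
        request = entry.get("request", {})
        if request.get("operation") != "read":
            continue
        auth = entry.get("auth", {})
        identity = auth.get("display_name", "unknown")
        role = auth.get("metadata", {}).get("role")
        path = request.get("path", "")
        if entry.get("error"):
            findings.append(("denied", identity, path))
            continue
        reads[(identity, path)] += 1
        if "root" in auth.get("policies", []):
            findings.append(("root-token-read", identity, path))
        for prefix, roles in allowed_roles.items():
            if path.startswith(prefix) and role not in roles:
                findings.append(("unexpected-role", identity, path))
    return findings, reads


if __name__ == "__main__":
    found, access = audit_findings(SAMPLE_AUDIT_LOG)
    for kind, identity, path in found:
        print(f"{kind:16} {identity:20} {path}")
    for (identity, path), count in access.items():
        print(f"{count:3} read(s): {identity} -> {path}")
```

Run it against a real export (`vault audit enable file file_path=...`, then feed the file) and the `unexpected-role` findings are exactly the policy gaps that step 3 ("least privilege") should have closed; a `root-token-read` in a CI window means a human or job is using the root token for routine work.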

## Safety

- Never commit secrets to source control.
- Limit access and log secret usage for auditing.
- Prefer short-lived, workload-identity credentials (OIDC/JWT login to the backend) over static tokens stored as CI secrets; a leaked static token stays valid until someone revokes it.

## Secrets Management Tools

### HashiCorp Vault
- Centralized secrets management
- Dynamic secrets generation
- Secret rotation
- Audit logging
- Fine-grained access control

### AWS Secrets Manager
- AWS-native solution
- Automatic rotation
- Integration with RDS
- CloudFormation support

### Azure Key Vault
- Azure-native solution
- HSM-backed keys
- Certificate management
- RBAC integration

### Google Secret Manager
- GCP-native solution
- Versioning
- IAM integration

## HashiCorp Vault Integration

### Setup Vault

```bash
# Start a Vault dev server: in-memory storage, already unsealed, plain HTTP.
# Never use it outside local development. Without -dev-root-token-id the root
# token is random and only printed on the server's console.
vault server -dev -dev-root-token-id=root

# Point the CLI at the dev server
export VAULT_ADDR='http://127.0.0.1:8200'
export VAULT_TOKEN='root'

# Dev mode already mounts a KV v2 engine at secret/ (enabling it again fails
# with "path is already in use"). On a real server, enable it first:
# vault secrets enable -path=secret kv-v2

# Store a secret; KV v2 keeps a version history of every write.
# Use password=@password.txt to read the value from a file instead of leaving
# it in shell history.
vault kv put secret/database/config username=admin password=secret
```

### GitHub Actions with Vault

```yaml
name: Deploy with Vault Secrets

on: [push]

jobs:
  deploy:
    runs-on: ubuntu-latest
    steps:
    - uses: actions/checkout@v4

    - name: Import Secrets from Vault
      uses: hashicorp/vault-action@v2
      with:
        url: https://vault.example.com:8200
        token: ${{ secrets.VAULT_TOKEN }}
        # KV v2 paths go through the API prefix secret/data/...; these match the
        # paths written in "Setup Vault" and read by the GitLab job below.
        secrets: |
          secret/data/database/config username | DB_USERNAME ;
          secret/data/database/config password | DB_PASSWORD ;
          secret/data/api/credentials key | API_KEY

    - name: Use secrets
      run: |
        echo "Connecting to database as $DB_USERNAME"
        # vault-action masks imported values in the job log; hand $DB_PASSWORD and
        # $API_KEY to the deployment tool through the environment, never echo them.
        ./deploy.sh
```

`secrets.VAULT_TOKEN` is a long-lived Vault token sitting in GitHub. `vault-action` can instead log in with GitHub's OIDC token (`method: jwt` plus a Vault `role`, with `permissions: id-token: write` on the job), which gives every run a short-lived token scoped by the Vault role.

### GitLab CI with Vault

```yaml
deploy:
  image:
    # The unqualified `vault` Docker Hub image is deprecated; pin a version in production.
    name: hashicorp/vault:latest
    entrypoint: [""]
  before_script:
    - export VAULT_ADDR=https://vault.example.com:8200
    # VAULT_TOKEN is a masked, protected CI/CD variable; the vault CLI reads it
    # from the environment, so no re-export is needed.
  script:
    - |
      DB_PASSWORD=$(vault kv get -field=password secret/database/config)
      API_KEY=$(vault kv get -field=key secret/api/credentials)
      echo "Deploying with secrets..."
      # Use $DB_PASSWORD, $API_KEY
```

The same caveat applies: GitLab can issue a per-job OIDC token (`id_tokens:`) that a Vault JWT auth role accepts, which removes the static `VAULT_TOKEN` variable entirely.

**Reference:** See `references/vault-setup.md`

## AWS Secrets Manager

### Store Secret

```bash
# Store the credentials as a JSON object so that Terraform and the rotation
# function below can read individual fields. Generating the password server-side
# and passing it via a file keeps the value out of the command line, shell
# history and `ps` output.
PASSWORD=$(aws secretsmanager get-random-password \
  --password-length 32 --exclude-punctuation \
  --query RandomPassword --output text)

SECRET_FILE=$(mktemp)
printf '{"username": "admin", "password": "%s"}' "$PASSWORD" > "$SECRET_FILE"

aws secretsmanager create-secret \
  --name production/database/password \
  --secret-string "file://$SECRET_FILE"

rm -f "$SECRET_FILE"
```

### Retrieve in GitHub Actions

```yaml
# The job needs `permissions: id-token: write` for OIDC role assumption.
- name: Configure AWS credentials
  uses: aws-actions/configure-aws-credentials@v4
  with:
    # Prefer OIDC over long-lived access keys stored as GitHub secrets. The role
    # ARN is a placeholder for a role whose trust policy accepts GitHub's OIDC
    # provider for this repository only.
    role-to-assume: arn:aws:iam::123456789012:role/github-actions-deploy
    aws-region: us-west-2

- name: Get secret from AWS
  run: |
    SECRET_JSON=$(aws secretsmanager get-secret-value \
      --secret-id production/database/password \
      --query SecretString \
      --output text)
    DB_PASSWORD=$(echo "$SECRET_JSON" | jq -r .password)
    # add-mask only hides the exact string it is given, so mask the field that
    # will be used, not just the JSON document as a whole.
    echo "::add-mask::$DB_PASSWORD"
    echo "DB_PASSWORD=$DB_PASSWORD" >> "$GITHUB_ENV"

- name: Use secret
  run: |
    # DB_PASSWORD is in the environment of every later step in this job
    ./deploy.sh
```

### Terraform with AWS Secrets Manager

```hcl
data "aws_secretsmanager_secret_version" "db_password" {
  secret_id = "production/database/password"
}

locals {
  # The secret was stored as {"username": ..., "password": ...}
  db_creds = jsondecode(data.aws_secretsmanager_secret_version.db_password.secret_string)
}

resource "aws_db_instance" "main" {
  allocated_storage = 100
  engine            = "postgres"
  instance_class    = "db.t3.large"
  username          = local.db_creds["username"]
  password          = local.db_creds["password"]
}
```

Anything read this way ends up in plaintext in the Terraform state, so the state backend needs the same access controls and encryption as the secret store. For RDS specifically, `manage_master_user_password = true` lets RDS create and rotate the master password in Secrets Manager so Terraform never handles it.

## GitHub Secrets

### Organization/Repository Secrets

```yaml
- name: Use GitHub secret
  # Pass secrets through `env:` instead of interpolating ${{ }} into the script
  # body, and do not echo them: GitHub masks exact matches only, so any
  # transformed or partial value leaks into the log.
  env:
    API_KEY: ${{ secrets.API_KEY }}
    DATABASE_URL: ${{ secrets.DATABASE_URL }}
  run: |
    ./deploy.sh   # reads API_KEY and DATABASE_URL from the environment
```

### Environment Secrets

```yaml
deploy:
  runs-on: ubuntu-latest
  # Environment secrets are only exposed to jobs that reference the environment,
  # and the environment's protection rules (required reviewers, branch filters)
  # gate the job before it runs.
  environment: production
  steps:
  - name: Deploy
    env:
      PROD_API_KEY: ${{ secrets.PROD_API_KEY }}
    run: |
      ./deploy.sh
```
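
The `::add-mask::` and `$GITHUB_ENV` handling in the AWS and GitHub Secrets sections above is easy to get subtly wrong: a JSON secret masked as one string leaves its fields unmasked, a multi-line value (a PEM certificate) needs one mask per line and the heredoc form of `GITHUB_ENV`, and masking a number such as a port redacts that number everywhere in the log. The following Python helper is an added example (not part of this skill, of GitHub's toolkit or of any provider SDK) that flattens a secret into environment variables and emits the workflow commands correctly; the sample secret and the `DB` prefix are constructed for the example.

```python
import json
import os
import secrets


def _env_name(parts):
    """Join key-path segments into an environment variable name (upper snake case)."""
    raw = "_".join(parts).upper()
    return "".join(c if c.isalnum() or c == "_" else "_" for c in raw)


def flatten_secret(secret_string, prefix=""):
    """Yield (ENV_NAME, value) for every scalar in a JSON secret.

    A value that is not a JSON object or array (a bare password, including one
    that happens to parse as a number) is exported as a single variable named
    by `prefix`, so the raw string is kept rather than the parsed number.
    """
    try:
        data = json.loads(secret_string)
    except json.JSONDecodeError:
        data = None
    if not isinstance(data, (dict, list)):
        yield (prefix or "SECRET", secret_string)
        return

    def walk(node, path):
        if isinstance(node, dict):
            for key, value in node.items():
                yield from walk(value, path + [key])
        elif isinstance(node, list):
            for index, value in enumerate(node):
                yield from walk(value, path + [str(index)])
        else:
            yield (_env_name(path), node)

    yield from walk(data, [prefix] if prefix else [])


def workflow_commands(secret_string, prefix="", delimiter=None):
    """Return (mask_commands, env_file_lines) for a secret.

    - Every line of every string value gets its own ::add-mask::, because GitHub
      masks exact single-line matches only; fields inside a JSON secret are then
      hidden, not just the JSON document as a whole.
    - Multi-line values use the GITHUB_ENV heredoc form with a random delimiter
      (overridable for tests) so a value cannot terminate the heredoc itself.
    - Numbers, booleans and nulls are exported but not masked: masking "5432" or
      "true" would redact every occurrence of that text in the log.
    """
    masks, env_lines = [], []
    for name, value in flatten_secret(secret_string, prefix):
        text = value if isinstance(value, str) else json.dumps(value)
        if isinstance(value, str):
            for line in text.splitlines():
                if line.strip():
                    masks.append(f"::add-mask::{line}")
        if "\n" in text:
            delim = delimiter or f"EOF_{secrets.token_hex(8)}"
            env_lines.append(f"{name}<<{delim}\n{text}\n{delim}")
        else:
            env_lines.append(f"{name}={text}")
    return masks, env_lines


def export_to_github(secret_string, prefix=""):
    """Print the mask commands, then append the variables to $GITHUB_ENV.

    Masks go first: a workflow command only applies to output produced after it.
    Returns the number of variables written (0 when not running under Actions).
    """
    masks, env_lines = workflow_commands(secret_string, prefix)
    for command in masks:
        print(command)  # workflow commands are read from the step's stdout
    env_path = os.environ.get("GITHUB_ENV")
    if not env_path:
        return 0
    with open(env_path, "a", encoding="utf-8") as env_file:
        for line in env_lines:
            env_file.write(line + "\n")
    return len(env_lines)


if __name__ == "__main__":
    # Constructed sample secret, as the AWS step above would receive it from
    # `aws secretsmanager get-secret-value --query SecretString`.
    SAMPLE = '{"username": "admin", "password": "p@ss\\nline2", "port": 5432}'
    export_to_github(SAMPLE, "DB")
```

In a workflow step this replaces the `jq`/`echo` lines: `python3 export_secret.py` with the secret on stdin or in an argument, and every later step sees `DB_USERNAME`, `DB_PASSWORD` and `DB_PORT`. Because every string leaf is masked, a non-sensitive field such as the username is redacted from the log as well; drop it from the secret or filter it out if you need it visible.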
**Reference:** See `references/github-secrets.md`

## GitLab CI/CD Variables

### Project Variables

```yaml
deploy:
  script:
    # API_KEY and DATABASE_URL are injected from project CI/CD variables. Masked
    # variables are redacted in the job log, but do not echo them anyway: the
    # masking only catches exact matches.
    - ./deploy.sh
```

### Protected and Masked Variables
- Protected: only exposed to pipelines on protected branches and tags
- Masked: redacted in job logs; the value must be a single line of at least 8 characters from GitLab's allowed character set, or GitLab refuses to mask it
- File type: the value is written to a temporary file and the variable holds the file path (useful for kubeconfigs, CA bundles and service-account key files)

## Best Practices

1. **Never commit secrets** to Git
2. **Use different secrets** per environment
3. **Rotate secrets regularly**
4. **Implement least-privilege access**
5. **Enable audit logging**
6. **Use secret scanning** (GitGuardian, TruffleHog)
7. **Mask secrets in logs**
8. **Encrypt secrets at rest**
9. **Use short-lived tokens** when possible
10. **Document secret requirements**

## Secret Rotation

### Automated Rotation with AWS

Secrets Manager does not call a rotation function once. It invokes it four times per rotation, once for each step (`createSecret`, `setSecret`, `testSecret`, `finishSecret`), passing `SecretId`, `ClientRequestToken` and `Step` in the event. The new value is written as the `AWSPENDING` version and only moved to `AWSCURRENT` in the last step, so a failure before that leaves the live credential untouched. `update_database_password` and `database_login_works` are the database-specific parts you have to supply (for RDS, AWS publishes ready-made rotation functions per engine).

```python
import json
import logging

import boto3

logger = logging.getLogger()
logger.setLevel(logging.INFO)


def lambda_handler(event, context):
    """Secrets Manager rotation handler: one invocation per step."""
    client = boto3.client('secretsmanager')
    arn = event['SecretId']
    token = event['ClientRequestToken']
    step = event['Step']

    if step == 'createSecret':
        try:
            # A retry after a partial run already has a pending version: reuse it.
            client.get_secret_value(SecretId=arn, VersionId=token, VersionStage='AWSPENDING')
            return
        except client.exceptions.ResourceNotFoundException:
            pass
        current = json.loads(client.get_secret_value(SecretId=arn, VersionStage='AWSCURRENT')['SecretString'])
        # Let the service generate the password rather than rolling our own
        new_password = client.get_random_password(PasswordLength=32, ExcludePunctuation=True)['RandomPassword']
        client.put_secret_value(
            SecretId=arn,
            ClientRequestToken=token,
            SecretString=json.dumps({'username': current['username'], 'password': new_password}),
            VersionStages=['AWSPENDING'],
        )
    elif step == 'setSecret':
        pending = json.loads(client.get_secret_value(SecretId=arn, VersionId=token, VersionStage='AWSPENDING')['SecretString'])
        update_database_password(pending['username'], pending['password'])  # database-specific; not shown here
    elif step == 'testSecret':
        pending = json.loads(client.get_secret_value(SecretId=arn, VersionId=token, VersionStage='AWSPENDING')['SecretString'])
        if not database_login_works(pending['username'], pending['password']):  # database-specific; not shown here
            raise RuntimeError('pending credential failed verification; AWSCURRENT left unchanged')
    elif step == 'finishSecret':
        metadata = client.describe_secret(SecretId=arn)
        current_version = next(v for v, stages in metadata['VersionIdsToStages'].items() if 'AWSCURRENT' in stages)
        if current_version != token:
            # Atomic stage move: the pending version becomes AWSCURRENT, the old one AWSPREVIOUS
            client.update_secret_version_stage(
                SecretId=arn, VersionStage='AWSCURRENT',
                MoveToVersionId=token, RemoveFromVersionId=current_version,
            )
    else:
        raise ValueError(f'unknown rotation step: {step}')
    logger.info('rotation step %s completed for %s', step, arn)
```

### Manual Rotation Process

1. Generate the new secret.
2. Store it in the secret store as a new version, leaving the old one valid.
3. Update applications to use the new secret.
4. Verify functionality against the new secret.
5. Revoke the old secret once every consumer has switched.
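
Both the Lambda contract and the manual steps above rely on the same idea: the new credential is staged, installed and verified while the old one is still the one consumers use, and the old one is revoked only after the cut-over. The following Python model is an added example (not part of this skill or of AWS's rotation templates) that makes the state machine runnable offline: an in-memory store with `CURRENT`/`PENDING`/`PREVIOUS` stages, a backend that can hold two valid credentials at once (a second database user, or an API key pair), and a `rotate` that rolls back when verification fails. The `verify` hook and the class names are the example's own.

```python
import secrets
import string


class RotationError(Exception):
    """Raised when the new credential fails verification; the old one stays CURRENT."""


class SecretStore:
    """In-memory stand-in for a versioned secret store with CURRENT/PENDING/PREVIOUS
    stages (the same staging model Secrets Manager uses as AWSCURRENT/AWSPENDING/AWSPREVIOUS)."""

    def __init__(self, initial):
        self._versions = {"v1": dict(initial)}
        self._stages = {"CURRENT": "v1"}
        self._counter = 1

    def get(self, stage="CURRENT"):
        return dict(self._versions[self._stages[stage]])

    def has_stage(self, stage):
        return stage in self._stages

    def put_pending(self, value):
        self._counter += 1
        version_id = f"v{self._counter}"
        self._versions[version_id] = dict(value)
        self._stages["PENDING"] = version_id
        return version_id

    def promote_pending(self):
        # Atomic stage move: PENDING becomes CURRENT, the old CURRENT becomes PREVIOUS
        self._stages["PREVIOUS"] = self._stages["CURRENT"]
        self._stages["CURRENT"] = self._stages.pop("PENDING")

    def discard_pending(self):
        version_id = self._stages.pop("PENDING", None)
        if version_id is not None:
            del self._versions[version_id]

    def drop_stage(self, stage):
        self._stages.pop(stage, None)


class Backend:
    """Stand-in for the system whose credential is rotated. It accepts more than
    one valid credential per principal so old and new overlap during the cut-over."""

    def __init__(self, username, password):
        self._valid = {username: {password}}

    def add_credential(self, username, password):
        self._valid.setdefault(username, set()).add(password)

    def revoke_credential(self, username, password):
        self._valid.get(username, set()).discard(password)

    def login(self, username, password):
        return password in self._valid.get(username, set())


def generate_password(length=32):
    alphabet = string.ascii_letters + string.digits
    return "".join(secrets.choice(alphabet) for _ in range(length))


def rotate(store, backend, verify=None):
    """Steps 1-4 of the manual process: generate, stage, install, verify, promote.
    `verify(pending) -> bool` is an optional hook for an application-level check."""
    current = store.get("CURRENT")
    pending = {"username": current["username"], "password": generate_password()}
    store.put_pending(pending)                                         # 1. generate and stage
    backend.add_credential(pending["username"], pending["password"])  # 2. install next to the old one
    ok = backend.login(pending["username"], pending["password"])      # 3. functional check
    if ok and verify is not None:
        ok = verify(pending)
    if not ok:
        # Roll back: nothing consumers use has changed yet
        backend.revoke_credential(pending["username"], pending["password"])
        store.discard_pending()
        raise RotationError("new credential failed verification; CURRENT left unchanged")
    store.promote_pending()                                            # 4. cut consumers over
    return store.get("CURRENT")


def retire_previous(store, backend):
    """Step 5, run only after every consumer has refreshed: revoke the PREVIOUS credential."""
    if not store.has_stage("PREVIOUS"):
        return False
    previous = store.get("PREVIOUS")
    backend.revoke_credential(previous["username"], previous["password"])
    store.drop_stage("PREVIOUS")
    return True


if __name__ == "__main__":
    store = SecretStore({"username": "app", "password": "old-pw"})   # constructed initial state
    backend = Backend("app", "old-pw")
    new = rotate(store, backend)
    print("overlap window:", backend.login("app", "old-pw"), backend.login("app", new["password"]))
    retire_previous(store, backend)
    print("after retirement:", backend.login("app", "old-pw"), backend.login("app", new["password"]))
```

The gap between `rotate` and `retire_previous` is the grace period in which a consumer still holding the old value keeps working; how long it lasts depends on how consumers refresh (the ESO `refreshInterval` below, a pod restart, a Lambda cold start).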
## External Secrets Operator

### Kubernetes Integration

```yaml
apiVersion: external-secrets.io/v1beta1
kind: SecretStore
metadata:
  name: vault-backend
  namespace: production
spec:
  provider:
    vault:
      server: "https://vault.example.com:8200"
      path: "secret"
      version: "v2"
      auth:
        # The operator logs in with the namespace's Kubernetes service account
        # token; the Vault role "production" decides which policies it gets.
        kubernetes:
          mountPath: "kubernetes"
          role: "production"

---
apiVersion: external-secrets.io/v1beta1
kind: ExternalSecret
metadata:
  name: database-credentials
  namespace: production
spec:
  # How often the operator re-reads Vault; this bounds how long a rotated
  # value takes to reach the cluster.
  refreshInterval: 1h
  secretStoreRef:
    name: vault-backend
    kind: SecretStore
  target:
    name: database-credentials
    creationPolicy: Owner
  data:
  - secretKey: username
    remoteRef:
      key: database/config
      property: username
  - secretKey: password
    remoteRef:
      key: database/config
      property: password
```

## Secret Scanning

### Pre-commit Hook

```bash
#!/bin/bash
# .git/hooks/pre-commit
#
# Scan the working tree with TruffleHog. By default trufflehog exits 0 even when
# it finds secrets; --fail makes it exit with code 183 on findings so the hook
# can actually block the commit. Add --only-verified to report only credentials
# that TruffleHog could confirm against the issuing service (needs network).
docker run --rm -v "$(pwd):/repo" \
  trufflesecurity/trufflehog:latest \
  filesystem /repo --fail

if [ $? -ne 0 ]; then
  echo "❌ Secret detected! Commit blocked."
  exit 1
fi
```

### CI/CD Secret Scanning

```yaml
secret-scan:
  stage: security
  image:
    name: trufflesecurity/trufflehog:latest
    # The image's entrypoint is the trufflehog binary; clear it so the runner can start a shell
    entrypoint: [""]
  script:
    # Scan the git history as well as the working tree; --fail makes the job
    # exit non-zero (183) when secrets are found so the pipeline stops.
    - trufflehog git file://. --fail
  allow_failure: false
```
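
To see what a scanner such as TruffleHog is actually doing under the hood, the following Python script is an added example (not part of this skill or of TruffleHog) that combines the two classic detection strategies: prefix patterns for well-known token formats, and Shannon entropy for high-randomness strings that have no recognisable prefix, such as an AWS secret access key. The patterns are a small subset of what real scanners ship and are the example's own; the sample lines are constructed (the AWS values are the placeholder keys from AWS's documentation, the GitHub token is made up and only has the right shape). A real scanner adds verification against the issuing service, which this example omits.

```python
import math
import re
from collections import Counter

# Detector name -> (pattern, capture group holding the secret value)
PATTERNS = {
    "aws-access-key-id": (re.compile(r"\b(?:AKIA|ASIA)[0-9A-Z]{16}\b"), 0),
    "github-token": (re.compile(r"\bgh[pousr]_[A-Za-z0-9]{36,}\b"), 0),
    "slack-token": (re.compile(r"\bxox[baprs]-[0-9A-Za-z-]{10,}\b"), 0),
    "private-key": (re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----"), 0),
    # key = "value" style assignments; no \b before the keyword so db_password also matches
    "generic-assignment": (
        re.compile(r"(?i)(?:password|passwd|secret|api[_-]?key|token)\s*[:=]\s*['\"]?([^\s'\"]{8,})"),
        1,
    ),
}

# Candidate strings for the entropy check. "=" is deliberately excluded so that
# KEY=value does not become one long token.
TOKEN_RE = re.compile(r"[A-Za-z0-9+/_\-]{20,}")


def shannon_entropy(text):
    """Bits per character: random base64/hex material scores well above 4,
    identifiers and prose well below."""
    if not text:
        return 0.0
    counts = Counter(text)
    length = len(text)
    return -sum(c / length * math.log2(c / length) for c in counts.values())


def scan_lines(lines, entropy_threshold=4.0):
    """Return [(line_number, detector, value)] for suspicious content in `lines`."""
    findings = []
    seen = set()  # (line_number, value): two detectors must not report the same string twice
    for lineno, line in enumerate(lines, start=1):
        for detector, (pattern, group) in PATTERNS.items():
            for match in pattern.finditer(line):
                value = match.group(group)
                if (lineno, value) not in seen:
                    seen.add((lineno, value))
                    findings.append((lineno, detector, value))
        # Entropy catches secrets with no recognisable prefix
        for token in TOKEN_RE.findall(line):
            if (lineno, token) not in seen and shannon_entropy(token) >= entropy_threshold:
                seen.add((lineno, token))
                findings.append((lineno, "high-entropy", token))
    return findings


# Constructed sample input (see the lead-in for what each value is)
SAMPLE_LINES = [
    'AWS_ACCESS_KEY_ID = "AKIAIOSFODNN7EXAMPLE"',
    'AWS_SECRET_ACCESS_KEY = "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"',
    'db_password = "correct-horse-battery-staple"',
    'logging.level = "debug"',
    'export GITHUB_TOKEN=ghp_aBcDeFgHiJkLmNoPqRsTuVwXyZ0123456789',
    '-----BEGIN RSA PRIVATE KEY-----',
    'build_id = 20260227',
]

if __name__ == "__main__":
    for lineno, detector, value in scan_lines(SAMPLE_LINES):
        print(f"line {lineno}: {detector}: {value[:8]}...")
```

Line 2 is the instructive case: the secret access key has no prefix, so only the entropy check finds it, while the variable name on the same line (entropy about 3.1 bits) stays below the threshold. Line 5 is found by the `ghp_` pattern and the generic assignment rule and the entropy check all at once, and is reported once. Lowering the threshold catches more but starts flagging ordinary identifiers, which is why real scanners pair entropy with verification.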
## Reference Files

- `references/vault-setup.md` - HashiCorp Vault configuration
- `references/github-secrets.md` - GitHub Secrets best practices

## Related Skills

- `github-actions-templates` - For GitHub Actions integration
- `gitlab-ci-patterns` - For GitLab CI integration
- `deployment-pipeline-design` - For pipeline architecture

## Limitations

- Use this skill only when the task clearly matches the scope described above.
- Do not treat the output as a substitute for environment-specific validation, testing, or expert review.
- Stop and ask for clarification if required inputs, permissions, safety boundaries, or success criteria are missing.

Source: imported from https://github.com/sickn33/antigravity-awesome-skills (author: SkillOPIC; category: Programming & Development / DevOps; listed 2026-05-16).