Hardcoded secrets in git are common; env vars in CI configs are universal. Neither is acceptable in 2026. Modern secrets management is about runtime injection, short-lived credentials, and audit trails — and the tooling has gotten genuinely good.
HashiCorp Vault — the workhorse
Centralized secret store with path-based ACL policies. Apps authenticate with an identity they already have (K8s service account JWT, AWS IAM signature, AppRole) and fetch secrets at startup or pull rotated values at runtime; the token they get back carries its own TTL. Every request is written to the audit device with secret values hashed, so you get a per-read trail. Right for self-hosted or hybrid, at the cost of running and unsealing one more stateful service.
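The Kubernetes auth exchange in practice, as an added example (not HashiCorp's code or the post's): the app reads its projected service-account JWT, POSTs it to the auth mount, gets a client token with a lease, and uses that token to read a KV v2 secret. The transport is pluggable so the exchange runs offline against a constructed fake Vault; `urllib_transport` talks to a real one. The role name `payments`, the secret path `payments/db` and the Vault address are assumptions.

```python
import json
import urllib.request

# Where a pod finds its projected service-account JWT (standard Kubernetes path).
SA_TOKEN_PATH = "/var/run/secrets/kubernetes.io/serviceaccount/token"


def urllib_transport(method, url, headers, body):
    """Real HTTP transport: returns (status, parsed JSON body)."""
    data = json.dumps(body).encode() if body is not None else None
    req = urllib.request.Request(url, data=data, method=method, headers=headers)
    with urllib.request.urlopen(req, timeout=5) as resp:
        return resp.status, json.loads(resp.read() or b"{}")


class VaultClient:
    def __init__(self, addr, transport=urllib_transport):
        self.addr = addr.rstrip("/")
        self.transport = transport
        self.token = None
        self.lease_duration = 0

    def login_kubernetes(self, role, jwt, mount="kubernetes"):
        """POST /v1/auth/<mount>/login with the SA JWT; Vault verifies it through the
        cluster's TokenReview API and answers with a client token bound to the role's
        policies plus a TTL."""
        status, resp = self.transport(
            "POST", f"{self.addr}/v1/auth/{mount}/login",
            {"Content-Type": "application/json"},
            {"role": role, "jwt": jwt},
        )
        if status != 200:
            raise PermissionError(f"vault login failed: {status} {resp.get('errors')}")
        self.token = resp["auth"]["client_token"]
        self.lease_duration = resp["auth"]["lease_duration"]
        return self.lease_duration

    def read_kv2(self, path, mount="secret"):
        """GET /v1/<mount>/data/<path> with X-Vault-Token; KV v2 nests values under data.data."""
        if self.token is None:
            raise RuntimeError("not authenticated")
        status, resp = self.transport(
            "GET", f"{self.addr}/v1/{mount}/data/{path}",
            {"X-Vault-Token": self.token}, None,
        )
        if status != 200:
            raise PermissionError(f"vault read denied: {status} {resp.get('errors')}")
        return resp["data"]["data"]


def read_sa_jwt(path=SA_TOKEN_PATH):
    with open(path, encoding="utf-8") as f:
        return f.read().strip()


# --- Constructed fake Vault so the exchange runs offline; not a real server. ---
CANNED_TOKEN = "hvs.constructed-demo-token"


def fake_vault_transport(method, url, headers, body):
    if method == "POST" and url.endswith("/v1/auth/kubernetes/login"):
        if body.get("role") != "payments" or not body.get("jwt", "").startswith("eyJ"):
            return 403, {"errors": ["permission denied"]}
        return 200, {"auth": {"client_token": CANNED_TOKEN, "lease_duration": 3600, "renewable": True}}
    if method == "GET" and url.endswith("/v1/secret/data/payments/db"):
        if headers.get("X-Vault-Token") != CANNED_TOKEN:
            return 403, {"errors": ["permission denied"]}
        return 200, {"data": {"data": {"username": "payments", "password": "constructed-sample"},
                              "metadata": {"version": 4}}}
    return 404, {"errors": []}


def fetch_db_creds(transport=fake_vault_transport, jwt="eyJ.constructed.sa-jwt"):
    """Log in with the pod's SA JWT, then read one KV v2 secret (role and path are assumptions)."""
    client = VaultClient("http://vault.vault.svc:8200", transport)
    client.login_kubernetes(role="payments", jwt=jwt)
    return client.read_kv2("payments/db")
```

In a pod you would call `fetch_db_creds(urllib_transport, read_sa_jwt())`; nothing in the exchange is a long-lived secret the app has to be shipped with, and the `lease_duration` returned by login is the number to schedule a re-login against.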
Cloud-native: AWS Secrets Manager, GCP Secret Manager
Access is plain IAM: grant `secretsmanager:GetSecretValue` on the secret's ARN (or `roles/secretmanager.secretAccessor` on the GCP secret) to the workload's role and nothing else. Secrets are envelope-encrypted under a KMS key you can choose per secret. Rotation differs between the two: AWS Secrets Manager rotates RDS, Redshift and DocumentDB credentials for you and runs a Lambda you write for anything else; GCP Secret Manager only publishes a rotation notification to Pub/Sub and leaves the actual rotation to you. Simpler than Vault if you're all-in on one cloud, and awkward the moment a workload lives outside it.
SOPS for git-stored encrypted secrets
Encrypt YAML/JSON with KMS/PGP/age and commit the encrypted file; a controller (Flux natively, Argo CD via a plugin, or a deploy script) decrypts at apply time. Right for GitOps workflows where you don't have a separate secret store. Two caveats. SOPS encrypts values only, so key names and file structure stay readable in the repo, and anyone who ever held a recipient key can decrypt every historical commit, so a leaked age or PGP key means rotating the secrets themselves, not just re-encrypting. It is also distribution, not a runtime store: the decrypted output still lands in a Kubernetes Secret or an env var, so it does not address the env-var problem below.
Short-lived credentials > static secrets
Vault's dynamic database credentials, AWS STS AssumeRole sessions, SPIFFE SVIDs as the workload identity that bootstraps all of it. Apps never hold long-lived secrets: they fetch on demand and the credential expires in minutes to an hour, and in Vault's case the backing database role is dropped when the lease ends. A stolen credential is then worth exactly its remaining TTL, and the audit log tells you which lease it was. Blast radius shrinks from "rotate everything" to "revoke one lease and find the leak".
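What lease handling looks like from the application side, as an added example that is not Vault's code or the post's. `MockDynamicIssuer` is a constructed stand-in for a dynamic-credential backend (Vault database engine, STS): every call mints a fresh username/password with a TTL, and a credential stops validating once its lease has expired. `LeaseAwareCredential` re-fetches once a fraction of the lease has elapsed, so the app never caches past expiry. The clock is injectable so the expiry can be driven deterministically; the 2/3 refresh point, the lease-id format and the TTL are assumptions.

```python
import secrets
import time
from dataclasses import dataclass


@dataclass(frozen=True)
class Credential:
    lease_id: str
    username: str
    password: str
    issued_at: float
    ttl: float

    def expires_at(self):
        return self.issued_at + self.ttl


class MockDynamicIssuer:
    """Constructed stand-in for a dynamic-credential backend; not a real engine."""

    def __init__(self, ttl, clock=time.monotonic):
        self.ttl = ttl
        self.clock = clock
        self._live = {}  # lease_id -> Credential currently accepted by the "database"

    def issue(self):
        cred = Credential(
            lease_id=f"database/creds/app/{secrets.token_hex(8)}",  # assumed format
            username=f"v-app-{secrets.token_hex(4)}",
            password=secrets.token_urlsafe(24),
            issued_at=self.clock(),
            ttl=self.ttl,
        )
        self._live[cred.lease_id] = cred
        return cred

    def is_valid(self, cred):
        """What the database would see: once the lease is past TTL the role is gone."""
        live = self._live.get(cred.lease_id)
        if live is None or self.clock() >= live.expires_at():
            self._live.pop(cred.lease_id, None)
            return False
        return live.password == cred.password


class LeaseAwareCredential:
    """Fetch on demand; refresh once refresh_fraction of the lease has elapsed."""

    def __init__(self, issuer, refresh_fraction=2 / 3, clock=time.monotonic):
        self.issuer = issuer
        self.refresh_fraction = refresh_fraction
        self.clock = clock
        self._cred = None

    def get(self):
        now = self.clock()
        if (self._cred is None
                or now >= self._cred.issued_at + self._cred.ttl * self.refresh_fraction):
            self._cred = self.issuer.issue()
        return self._cred


class FakeClock:
    """Deterministic monotonic clock for the simulation."""

    def __init__(self, start=1000.0):
        self.t = start

    def __call__(self):
        return self.t

    def advance(self, seconds):
        self.t += seconds


def simulate_leak(ttl=300.0):
    """Return (leaked_valid_at_leak, leaked_valid_after_ttl, app_has_fresh_valid_creds)."""
    clock = FakeClock()
    issuer = MockDynamicIssuer(ttl, clock)
    holder = LeaseAwareCredential(issuer, clock=clock)
    leaked = holder.get()                 # attacker copies the credential now
    at_leak = issuer.is_valid(leaked)
    clock.advance(ttl + 1)                # the lease runs out
    after = issuer.is_valid(leaked)
    current = holder.get()                # app transparently gets a new lease
    return at_leak, after, issuer.is_valid(current) and current.lease_id != leaked.lease_id
```

The point of the simulation is the middle value: the leaked copy is dead after `ttl` seconds without anyone rotating anything, while the application keeps working because it never relied on the old credential surviving.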
The env-var anti-pattern
Env vars are inherited by every child process, readable from /proc/<pid>/environ by anything running as the same user, dumped by crash reporters and debug endpoints, and stored in plain text in the container config (`docker inspect` shows them). Acceptable for shipping the bootstrap token, which should itself be short-lived and ideally single-use; not acceptable for the database password. Move to runtime injection (Vault Agent sidecar, Secrets Store CSI driver) into a tmpfs mount that only the application's user can read, and read the file rather than copying its contents into the environment.
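The inheritance problem and the file-based alternative side by side, as an added example that is not part of the original post. `child_sees_secret` spawns a child process and reports whether it can read a secret the parent holds, either because the parent exported it or because the parent kept it in memory only. `write_injected_secret` stands in for what a sidecar or CSI driver writes to a tmpfs mount, and `read_injected_secret` refuses group/other-readable files before reading. The variable name `DB_PASSWORD`, the file name and the sample value are constructed.

```python
import os
import stat
import subprocess
import sys
import tempfile

SECRET_ENV = "DB_PASSWORD"  # hypothetical variable name


def child_sees_secret(secret, put_in_env):
    """Spawn a child and return True if it can read the secret from its environment.

    The child stands in for a shell-out, a crash reporter, or anything else that
    inherits the parent's environment; with put_in_env=True that inheritance is
    automatic, with put_in_env=False the value lives only in the parent's memory.
    """
    env = dict(os.environ)
    env.pop(SECRET_ENV, None)
    if put_in_env:
        env[SECRET_ENV] = secret
    out = subprocess.run(
        [sys.executable, "-c", f"import os; print(os.environ.get({SECRET_ENV!r}, ''))"],
        env=env, capture_output=True, text=True, check=True,
    ).stdout.strip()
    return out == secret


def write_injected_secret(directory, value, mode=0o600):
    """Constructed stand-in for the sidecar/CSI driver writing to a tmpfs mount."""
    path = os.path.join(directory, "db_password")
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, mode)
    with os.fdopen(fd, "w") as f:
        f.write(value + "\n")
    if os.name == "posix":
        os.chmod(path, mode)  # umask or an existing file may have left other bits; be explicit
    return path


def read_injected_secret(path):
    """Read an injected secret; refuse files readable by group or other (POSIX check)."""
    st = os.stat(path)
    if os.name == "posix" and st.st_mode & (stat.S_IRWXG | stat.S_IRWXO):
        raise PermissionError(
            f"{path} is group/other accessible (mode {oct(stat.S_IMODE(st.st_mode))})")
    with open(path, "rb") as f:
        return f.read().decode("utf-8").rstrip("\n")


def demo():
    """Return (env_leaks_to_child, file_read_ok, child_sees_file_secret, permissive_file_rejected)."""
    secret = "constructed-sample-password"
    with tempfile.TemporaryDirectory() as d:
        path = write_injected_secret(d, secret)
        file_ok = read_injected_secret(path) == secret
        try:
            read_injected_secret(write_injected_secret(d, secret, mode=0o644))
            rejected = os.name != "posix"  # mode check only applies on POSIX
        except PermissionError:
            rejected = True
    return (child_sees_secret(secret, put_in_env=True),
            file_ok,
            child_sees_secret(secret, put_in_env=False),
            rejected)
```

Expect `demo()` to report that the exported variable reaches the child while the file-read value does not, and that a 0644 secret file is refused. The same check belongs in front of any real injected mount: a world-readable tmpfs file is just an env var with extra steps.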