What's Your Workflow to Pass Cloud Secrets/config Metadata to Apps Safely?
Key topics
- Terraform or Pulumi outputs → Vault/KMS → CI replaces values in YAML → K8s secrets operator injects env vars → app starts → DATABASE_PASSWORD typo, chaos ensues.
- Copy-pasted creds from Slack or Teams.
- Secrets/configs left in plaintext files or repos.
- Password managers with outdated entries that no one really trusts.
As a developer, what frustrates me most is the lack of predictability. Between Terraform, Vaults, pipelines, and operators, it’s often unclear who “owns” the truth — and every layer can quietly introduce drift.
So I’m curious:
- How are you handling that handoff today?
- Are you still pushing everything through Vault + env vars, or have you built something cleaner?
- What has actually worked for you in production — and what’s bitten you later?
Would love to hear some real war stories or simple patterns that actually hold up over time.
The author, a 9-year DevOps veteran, shares their frustration with the current state of passing cloud secrets and config metadata to apps, seeking better workflows and war stories from others.