---
title: Use Secrets Management For Backend Secrets
impact: CRITICAL
impactDescription: centralizes and secures sensitive credential storage and access control
tags: secrets, vault, credentials, configuration, security, kotlin
---

## Use Secrets Management For Backend Secrets

Sensitive credentials (API keys, database passwords, signing keys, tokens) must never sit in plain text in source code or in configuration files that are committed to version control. Use a dedicated secrets management system so that credentials are stored centrally, access to them is authenticated and audited, and they can be rotated without redeploying code.

**Incorrect (hardcoded or plain environment exposure):**

```kotlin
// Hardcoded in code: lands in git history, build artifacts and decompiled JARs
const val API_KEY = "sk-live-123456"
```

```yaml
# application.yml committed to git with real secrets
database:
  password: "production_password_123"
```

**Correct (automated secrets management):**

```kotlin
import org.springframework.beans.factory.annotation.Value

// Using a cloud-native Secrets Manager (AWS / GCP / Azure).
// `secretsClient` stands in for the vendor SDK client; the secret is fetched at
// runtime by an authenticated caller, never baked into the artifact.
val dbPassword = secretsClient.getSecret("prod/db/password")

// Using Kubernetes Secrets integration.
// In Spring Boot, secrets mounted as env vars or files are mapped to properties.
// Note: Kubernetes Secrets are only base64-encoded; enable encryption at rest
// for etcd and restrict RBAC on the Secret objects.
@Value("\${db.password}")
private lateinit var dbPasswordFromSecret: String

// Using Spring Cloud Vault:
// secrets are retrieved automatically on startup from HashiCorp Vault
// and exposed as ordinary Spring properties.

// Environment validation: fail fast at startup instead of at first use
val stripeKey = System.getenv("STRIPE_KEY")
    ?: throw IllegalStateException("Required secret STRIPE_KEY is missing")
```

**Secrets Management Hierarchy:**
1.  **Vaults:** (Best) HashiCorp Vault, AWS Secrets Manager, Google Secret Manager, Azure Key Vault. Access is authenticated per workload, audited, and rotation is built in.
2.  **Orchestrator Secrets:** Kubernetes Secrets, Docker Secrets. Kubernetes Secrets are base64-encoded, not encrypted, unless encryption at rest is configured; lock them down with RBAC.
3.  **Environment Variables:** Scalable, but visible to every child process, often captured in crash dumps and `/proc/<pid>/environ`, and prone to leaking into logs; requires careful process isolation.
4.  **Local Env Files:** Only for local development, must be `.gitignore`d.

**Crucial Steps:**
- Enable Secret Rotation, and make sure the application re-reads secrets so a rotation does not require a restart.
- Use Least Privilege for secret access: each service gets read access to only the secrets it needs.
- Audit logs to monitor who/what accessed which secret.
- Never log or serialize secret values; wrap them so they are redacted in `toString()`.
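The following is an added, self-contained Kotlin example (not code from the original page) that ties the hierarchy and the steps above together: a `Secret` wrapper that redacts itself, a `SecretProvider` abstraction with an environment-variable tier and an in-memory stand-in for a vault, a TTL cache so a rotated secret is picked up without a restart, and a fail-fast startup check that reports every missing secret at once. The `InMemoryVaultProvider`, the secret names and the values are constructed for the example; in production the vault tier would be backed by the AWS, GCP, Azure or HashiCorp client.

```kotlin
import java.time.Duration
import java.time.Instant

// Wrapper so a secret never leaks through toString(), logging or string templates.
class Secret(private val value: String) {
    fun reveal(): String = value
    override fun toString(): String = "Secret(****)"
}

interface SecretProvider {
    /** Returns the secret, or null if this provider does not hold it. */
    fun fetch(name: String): Secret?
}

// Lowest tier of the hierarchy: environment variables (containers, local dev).
class EnvSecretProvider(private val env: Map<String, String> = System.getenv()) : SecretProvider {
    override fun fetch(name: String): Secret? =
        env[name]?.takeIf { it.isNotBlank() }?.let(::Secret)
}

// Stand-in for a real vault client so the example runs offline (assumption:
// a production implementation would call the vendor SDK or Spring Vault here).
class InMemoryVaultProvider(private val store: MutableMap<String, String>) : SecretProvider {
    override fun fetch(name: String): Secret? = store[name]?.let(::Secret)
    fun rotate(name: String, newValue: String) { store[name] = newValue }
}

// Caching decorator with a TTL: avoids a vault round-trip on every request while
// still picking up a rotated value within `ttl`, with no process restart.
class CachingSecretProvider(
    private val delegate: SecretProvider,
    private val ttl: Duration,
    private val now: () -> Instant = Instant::now,
) : SecretProvider {
    private data class Entry(val secret: Secret, val expiresAt: Instant)
    private val cache = HashMap<String, Entry>()

    @Synchronized
    override fun fetch(name: String): Secret? {
        val current = now()
        cache[name]?.let { if (it.expiresAt.isAfter(current)) return it.secret }
        val fresh = delegate.fetch(name) ?: run { cache.remove(name); return null }
        cache[name] = Entry(fresh, current.plus(ttl))
        return fresh
    }
}

// Fail-fast startup check: list every missing secret in one error rather than
// discovering them one restart at a time.
fun requireSecrets(provider: SecretProvider, names: List<String>): Map<String, Secret> {
    val found = HashMap<String, Secret>()
    val missing = mutableListOf<String>()
    for (name in names) {
        val s = provider.fetch(name)
        if (s == null) missing += name else found[name] = s
    }
    check(missing.isEmpty()) { "Missing required secrets: ${missing.joinToString()}" }
    return found
}

fun main() {
    // Constructed sample data, not real credentials.
    val vault = InMemoryVaultProvider(mutableMapOf("prod/db/password" to "v1"))
    var fakeNow = Instant.parse("2024-01-01T00:00:00Z")
    val cached = CachingSecretProvider(vault, Duration.ofMinutes(5)) { fakeNow }

    // Startup validation reports both missing names at once.
    val err = runCatching { requireSecrets(cached, listOf("prod/db/password", "STRIPE_KEY", "JWT_SIGNING_KEY")) }
        .exceptionOrNull()
    println(err?.message)                       // Missing required secrets: STRIPE_KEY, JWT_SIGNING_KEY

    // Redaction: logging the wrapper never prints the value.
    val db = cached.fetch("prod/db/password")!!
    println("db password = $db")                // db password = Secret(****)

    // Rotation: the cached value is served until the TTL expires, then refreshed.
    vault.rotate("prod/db/password", "v2")
    println(cached.fetch("prod/db/password")!!.reveal())   // v1 (still cached)
    fakeNow = fakeNow.plus(Duration.ofMinutes(6))
    println(cached.fetch("prod/db/password")!!.reveal())   // v2 (re-fetched after rotation)
}
```

The TTL is the rotation trade-off: a short TTL means rotated credentials take effect quickly but the vault is queried more often; pair it with a retry-on-auth-failure path if the old credential can be revoked before the cache expires.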

**Tools:** HashiCorp Vault, AWS Secrets Manager, Google Secret Manager, Azure Key Vault, Spring Cloud Vault, Spring Cloud Config (with encrypted properties)
