How we migrated from .env files checked into repos to a proper secrets management workflow with HashiCorp Vault and CI/CD integration.

On this page

Secrets Management in Practice: From .env Files to Vault

Every team starts with .env files. Most know they shouldn't stay there. Here's how we actually migrated to proper secrets management without breaking everything.

Where We Started #

.env files in every repo (some committed to Git by accident)
Secrets copied between developers via Slack DMs
CI/CD secrets stored in GitHub repo settings
No rotation policy—some API keys were 3 years old
No audit log of who accessed what

Step 1: Audit and Inventory #

Before migrating anywhere, we cataloged every secret:

bash.bash

# Find .env files across all repos
find . -name ".env*" -not -path "*/node_modules/*" | while read f; do
  echo "=== $f ==="
  grep -c "=" "$f"
done

We found 247 unique secrets across 18 repos. 31 of them were duplicates with different values (a problem in itself).

Step 2: Choose the Right Tool #

We evaluated three options:

Feature	AWS Secrets Manager	HashiCorp Vault	SOPS
Auto-rotation	Yes	Yes (with plugins)	No
Audit logging	CloudTrail	Built-in	Git history
Dynamic secrets	Limited	Yes	No
Cost	$0.40/secret/month	Self-hosted or HCP	Free
Complexity	Low	Medium-High	Low

We chose Vault because we needed dynamic database credentials and cross-cloud support.

Step 3: Migration Pattern #

We migrated service by service, not all at once:

python.python

# Before: reading from .env
import os
db_password = os.environ["DB_PASSWORD"]

# After: reading from Vault with fallback
import hvac
import os

def get_secret(path: str, key: str) -> str:
    """Read from Vault, fall back to env var during migration."""
    try:
        client = hvac.Client(url=os.environ["VAULT_ADDR"])
        secret = client.secrets.kv.v2.read_secret_version(path=path)
        return secret["data"]["data"][key]
    except Exception:
        # Fallback during migration period
        env_key = path.replace("/", "_").upper() + "_" + key.upper()
        return os.environ[env_key]

Step 4: CI/CD Integration #

For GitHub Actions, we use the official Vault action:

yaml.yaml

- name: Import Secrets
  uses: hashicorp/vault-action@v2
  with:
    url: https://vault.internal.company.com
    method: jwt
    role: deploy-api
    secrets: |
      secret/data/api/production DB_PASSWORD | DB_PASSWORD ;
      secret/data/api/production API_KEY | API_KEY ;

Key decision: We use JWT auth with GitHub's OIDC token, so no long-lived credentials in CI.

Step 5: Rotation Policy #

Database credentials: Dynamic secrets via Vault, rotated every 24 hours
API keys: Rotated every 90 days, automated reminder via Slack bot
TLS certificates: Auto-renewed via cert-manager + Let's Encrypt

Best Practices #

Never commit secrets to Git — use git-secrets or trufflehog in CI to catch leaks
Use dynamic secrets where possible — they expire automatically
Migrate incrementally — one service at a time with a fallback
Audit access — know who accessed which secret and when
Rotate on schedule — if you can't rotate a secret, you have a design problem
Encrypt at rest and in transit — Vault does this by default

The migration took us 6 weeks for 18 services. The hardest part wasn't the tooling—it was getting every developer to stop putting secrets in Slack.

Secrets Management in Practice: From .env Files to Vault

Secrets Management in Practice: From .env Files to Vault

Where We Started #

Step 1: Audit and Inventory #

Step 2: Choose the Right Tool #

Step 3: Migration Pattern #

Step 4: CI/CD Integration #

Step 5: Rotation Policy #

Best Practices #

Stay Updated

Incident Postmortems That Actually Prevent Repeat Failures

Monitoring That Actually Helps On-Call: Alerts, Dashboards, and Runbooks

More from Cloud

AWS Cost Audit: 7 Things We Found Wasting Money Every Month

RDS Restore Drills for Busy Teams: The Recovery Workflow That Surfaced Real Gaps

Multi-Cluster Traffic Routing Strategies: A Pragmatic Rollout Pattern for Growing SaaS Teams

AWS Cost Audit: 7 Things We Found Wasting Money Every Month

RDS Restore Drills for Busy Teams: The Recovery Workflow That Surfaced Real Gaps

Multi-Cluster Traffic Routing Strategies: A Pragmatic Rollout Pattern for Growing SaaS Teams

Cloud Disaster Recovery Runbook Design: How Small Teams Rehearse Multi-Region Failover

Monitoring That Actually Helps On-Call: Alerts, Dashboards, and Runbooks

Incident Postmortems That Actually Prevent Repeat Failures

About Kiril urbonas

Secrets Management in Practice: From .env Files to Vault

Where We Started#

Step 1: Audit and Inventory#

Step 2: Choose the Right Tool#

Step 3: Migration Pattern#

Step 4: CI/CD Integration#

Step 5: Rotation Policy#

Best Practices#

Stay Updated

Incident Postmortems That Actually Prevent Repeat Failures

Monitoring That Actually Helps On-Call: Alerts, Dashboards, and Runbooks

More from Cloud

AWS Cost Audit: 7 Things We Found Wasting Money Every Month

RDS Restore Drills for Busy Teams: The Recovery Workflow That Surfaced Real Gaps

Multi-Cluster Traffic Routing Strategies: A Pragmatic Rollout Pattern for Growing SaaS Teams

About Kiril urbonas

Where We Started #

Step 1: Audit and Inventory #

Step 2: Choose the Right Tool #

Step 3: Migration Pattern #

Step 4: CI/CD Integration #

Step 5: Rotation Policy #

Best Practices #