S

Secrets Management

secrets-management

Securely store, manage, rotate, and integrate secrets (API keys, passwords, certificates) in CI/CD pipelines using Vault, AWS Secrets Manager, and native tools.

数据来源：ClawHub。在 ClawSkills 查看

761下载量

0收藏数

1浏览量

安装

选择你使用的 Agent

方法一：命令行安装（推荐）

关于 Secrets Management

Secrets Management

Secure secrets management for CI/CD pipelines using Vault, AWS Secrets Manager, and native platform solutions.

Description

USE WHEN:

Storing API keys and credentials securely
Managing database passwords
Handling TLS certificates
Setting up automatic secret rotation
Implementing least-privilege access patterns
Integrating secrets into CI/CD pipelines (GitHub Actions, GitLab CI)
Deploying to Kubernetes with external secrets

DON'T USE WHEN:

Only need local dev values (use .env files not in git)
Cannot secure access to the secrets backend
Planning to hardcode secrets (don't do that)

---

Secrets Management Tools Comparison

| Tool | Best For | Key Features | |------|----------|--------------| | HashiCorp Vault | Enterprise, multi-cloud | Dynamic secrets, rotation, audit logging | | AWS Secrets Manager | AWS-native workloads | RDS integration, auto-rotation | | Azure Key Vault | Azure workloads | HSM-backed, certificate management | | Google Secret Manager | GCP workloads | Versioning, IAM integration | | GitHub Secrets | GitHub Actions | Simple, per-repo/org/environment | | GitLab CI Variables | GitLab CI | Protected branches, masked variables |

---

HashiCorp Vault

Setup

# Start Vault dev server
vault server -dev

# Set environment
export VAULT_ADDR='http://127.0.0.1:8200'
export VAULT_TOKEN='root'

# Enable secrets engine
vault secrets enable -path=secret kv-v2

# Store secret
vault kv put secret/database/config username=admin password=secret

GitHub Actions with Vault

name: Deploy with Vault Secrets

on: [push]

jobs:
  deploy:
    runs-on: ubuntu-latest
    steps:
    - uses: actions/checkout@v4

    - name: Import Secrets from Vault
      uses: hashicorp/vault-action@v2
      with:
        url: https://vault.example.com:8200
        token: ${{ secrets.VAULT_TOKEN }}
        secrets: |
          secret/data/database username | DB_USERNAME ;
          secret/data/database password | DB_PASSWORD ;
          secret/data/api key | API_KEY

    - name: Use secrets
      run: |
        echo "Connecting to database as $DB_USERNAME"
        # Use $DB_PASSWORD, $API_KEY

GitLab CI with Vault

deploy:
  image: vault:latest
  before_script:
    - export VAULT_ADDR=https://vault.example.com:8200
    - export VAULT_TOKEN=$VAULT_TOKEN
    - apk add curl jq
  script:
    - |
      DB_PASSWORD=$(vault kv get -field=password secret/database/config)
      API_KEY=$(vault kv get -field=key secret/api/credentials)
      echo "Deploying with secrets..."

---

AWS Secrets Manager

Store Secret

aws secretsmanager create-secret \
  --name production/database/password \
  --secret-string "super-secret-password"

Retrieve in GitHub Actions

- name: Configure AWS credentials
  uses: aws-actions/configure-aws-credentials@v4
  with:
    aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }}
    aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
    aws-region: us-west-2

- name: Get secret from AWS
  run: |
    SECRET=$(aws secretsmanager get-secret-value \
      --secret-id production/database/password \
      --query SecretString \
      --output text)
    echo "::add-mask::$SECRET"
    echo "DB_PASSWORD=$SECRET" >> $GITHUB_ENV

- name: Use secret
  run: ./deploy.sh  # $DB_PASSWORD available

Terraform Integration

data "aws_secretsmanager_secret_version" "db_password" {
  secret_id = "production/database/password"
}

resource "aws_db_instance" "main" {
  allocated_storage    = 100
  engine              = "postgres"
  instance_class      = "db.t3.large"
  username            = "admin"
  password            = jsondecode(data.aws_secretsmanager_secret_version.db_password.secret_string)["password"]
}

---

Kubernetes: External Secrets Operator

apiVersion: external-secrets.io/v1beta1
kind: SecretStore
metadata:
  name: vault-backend
  namespace: production
spec:
  provider:
    vault:
      server: "https://vault.example.com:8200"
      path: "secret"
      version: "v2"
      auth:
        kubernetes:
          mountPath: "kubernetes"
          role: "production"

---
apiVersion: external-secrets.io/v1beta1
kind: ExternalSecret
metadata:
  name: database-credentials
  namespace: production
spec:
  refreshInterval: 1h
  secretStoreRef:
    name: vault-backend
    kind: SecretStore
  target:
    name: database-credentials
    creationPolicy: Owner
  data:
  - secretKey: username
    remoteRef:
      key: database/config
      property: username
  - secretKey: password
    remoteRef:
      key: database/config
      property: password

---

Secret Rotation

Automated (AWS Lambda)

import boto3
import json

def lambda_handler(event, context):
    client = boto3.client('secretsmanager')

    # Get current secret
    response = client.get_secret_value(SecretId='my-secret')
    current_secret = json.loads(response['SecretString'])

    # Generate new password
    new_password = generate_strong_password()

    # Update database password
    update_database_password(new_password)

    # Update secret
    client.put_secret_value(
        SecretId='my-secret',
        SecretString=json.dumps({
            'username': current_secret['username'],
            'password': new_password
        })
    )

    return {'statusCode': 200}

Manual Rotation Process

Generate new secret
Update secret in secret store
Update applications to use new secret
Verify functionality
Revoke old secret

---

Secret Scanning

Pre-commit Hook

#!/bin/bash
# .git/hooks/pre-commit

# Check for secrets with TruffleHog
docker run --rm -v "$(pwd):/repo" \
  trufflesecurity/trufflehog:latest \
  filesystem --directory=/repo

if [ $? -ne 0 ]; then
  echo "❌ Secret detected! Commit blocked."
  exit 1
fi

CI/CD Secret Scanning

secret-scan:
  stage: security
  image: trufflesecurity/trufflehog:latest
  script:
    - trufflehog filesystem .
  allow_failure: false

---

Best Practices

Never commit secrets to Git
Use different secrets per environment
Rotate secrets regularly (90 days max)
Implement least-privilege access
Enable audit logging
Use secret scanning (GitGuardian, TruffleHog)
Mask secrets in logs
Encrypt secrets at rest
Use short-lived tokens when possible
Document secret requirements

---

Related Skills

vulnerability-scanner - For detecting exposed secrets in code
api-security - For securing API credentials

Prompt 示例

安装 Secrets Management 后，可以对 AI 说这些话来触发它

U

Help me get started with Secrets Management

A

Explains what Secrets Management does, walks through the setup, and runs a quick demo based on your current project

U

Use Secrets Management to securely store, manage, rotate, and integrate secrets (API keys, pa...

A

Invokes Secrets Management with the right parameters and returns the result directly in the conversation

U

What can I do with Secrets Management in my developer & devops workflow?

A

Lists the top use cases for Secrets Management, with example commands for each scenario

常见问题

如何安装 Secrets Management？▾

将技能文件夹放到 ~/.claude/skills/secrets-management/ 目录（个人级，所有项目可用），或 .claude/skills/secrets-management/（项目级）。重启 AI 客户端后，用 /secrets-management 主动调用，或让 AI 根据上下文自动发现并使用。

Secrets Management 支持哪些 AI 平台？▾

Secrets Management 支持 Claude、Cursor、OpenClaw，可与这些 AI 平台无缝集成，扩展其能力。

Secrets Management 是免费的吗？▾

Secrets Management 可免费安装使用。请查阅仓库了解许可证信息。

Secrets Management 有什么功能？▾

Securely store, manage, rotate, and integrate secrets (API keys, passwords, certificates) in CI/CD pipelines using Vault, AWS Secrets Manager, and native tools.

Secrets Management 属于哪个分类？▾

Secrets Management 属于「Developer & DevOps」分类，该分类的技能帮助 AI 智能体在此领域执行专业任务。

使用场景

Getting Started with Secrets Management→Automate Developer & DevOps Workflows with Secrets Management→Team Collaboration with Secrets Management→

Secrets Management

安装

关于 Secrets Management

Secrets Management

Description

Secrets Management Tools Comparison

HashiCorp Vault

Setup

GitHub Actions with Vault

GitLab CI with Vault

AWS Secrets Manager

Store Secret

Retrieve in GitHub Actions

Terraform Integration

Kubernetes: External Secrets Operator

Secret Rotation

Automated (AWS Lambda)

Manual Rotation Process

Secret Scanning

Pre-commit Hook

CI/CD Secret Scanning

Best Practices

Related Skills

Prompt 示例

常见问题

使用场景

同类技能推荐

Github

Browser Use

Browser Automation

Playwright MCP