Status: Accepted
Date: 2026-01-25
Context: Need to manage secrets securely, auditably, and with a developer-friendly interface.

Options considered:
- HashiCorp Vault (self-hosted)
- AWS Secrets Manager + External Secrets Operator
- Infisical (self-hosted)
- Sealed Secrets + Git
Decision: Adopt AWS Secrets Manager as storage, External Secrets Operator (ESO) for sync, and a custom Backstage plugin for the UI, with RBAC via Keycloak.

Positive consequences:
- AWS Secrets Manager: AWS-native, IAM/IRSA integration, automatic rotation, managed HA
- External Secrets Operator: industry standard, GitOps-friendly, multiple backends
- Backstage Plugin: centralizes developer experience, RBAC via existing Keycloak
- Avoids operational complexity of Vault (HA, unsealing, storage backend)
Negative consequences:
- Custom Backstage plugin development (~2-3 weeks)
- Additional AWS Secrets Manager cost (~$0.40/secret/month)
- AWS dependency (mitigated: ESO supports multiple backends)
Secret naming convention: helpdev/{env}/{region}/{domain}/{service}/{secret-type}
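How the decision fits together in Kubernetes, as an added example that is not part of the ADR: a per-namespace SecretStore authenticating to AWS Secrets Manager through IRSA, and an ExternalSecret pulling one secret named under the convention above. The namespace "payments", region "eu-west-1", the IAM role name and the account id are assumed placeholders; the IAM role's permissions should be scoped to the team's prefix under helpdev/ so one team's ServiceAccount cannot read another team's secrets.

```yaml
# Added example (not from the ADR): ESO syncing one secret from AWS Secrets
# Manager into a Kubernetes Secret via IRSA, using the ADR's naming convention.
# Assumed: namespace "payments", region "eu-west-1", role name, account id.
apiVersion: v1
kind: ServiceAccount
metadata:
  name: eso-payments
  namespace: payments
  annotations:
    # IRSA: the role's trust policy must allow this ServiceAccount, and its
    # permissions policy should grant secretsmanager:GetSecretValue only on
    # arn:aws:secretsmanager:eu-west-1:<account-id>:secret:helpdev/prod/eu-west-1/payments/*
    eks.amazonaws.com/role-arn: arn:aws:iam::123456789012:role/eso-payments  # placeholder account id
---
apiVersion: external-secrets.io/v1beta1
kind: SecretStore          # namespaced store, so each team gets its own IRSA role
metadata:
  name: aws-secretsmanager
  namespace: payments
spec:
  provider:
    aws:
      service: SecretsManager
      region: eu-west-1
      auth:
        jwt:
          serviceAccountRef:
            name: eso-payments
---
apiVersion: external-secrets.io/v1beta1
kind: ExternalSecret
metadata:
  name: payments-api-db
  namespace: payments
spec:
  refreshInterval: 1h      # re-read periodically so rotated values propagate
  secretStoreRef:
    name: aws-secretsmanager
    kind: SecretStore
  target:
    name: payments-api-db  # Kubernetes Secret created and owned by ESO
    creationPolicy: Owner
  data:
    - secretKey: DB_PASSWORD
      remoteRef:
        # helpdev/{env}/{region}/{domain}/{service}/{secret-type}
        key: helpdev/prod/eu-west-1/payments/payments-api/db-credentials
        property: password # JSON field inside the Secrets Manager secret value
```

Because the ExternalSecret (not the secret value) is what lands in Git, this is the GitOps-friendly property the decision relies on; the value itself only ever exists in Secrets Manager and in the cluster Secret ESO writes.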