
Secrets management

Aucert uses a layered secrets management approach. No secrets are ever stored in code, Terraform files, or version control.

Secret storage layers

Layer        Technology                              What it stores
Cloud        Azure Key Vault (aucertdev-kv-41e0x5)   Database passwords, Redis auth, Storage keys, Cloudflare tokens
Cluster      Kubernetes Secrets                      Service-to-service credentials, TLS certs
Application  Astra Token Vault (AES-256-GCM)         Agent platform tokens (GitHub PATs, Plane API keys)
CI/CD        GitHub Secrets                          Service Principal credentials, API tokens

Access patterns

Local development

az login  # Interactive auth, no credentials on disk

Developers authenticate with az login and use their own Azure IAM permissions. No shared credentials.

Cluster workloads

AKS uses Workload Identity (OIDC) to access Key Vault. Pods never hold static credentials — they exchange ephemeral tokens.

Agent credentials

Agents get their platform tokens from Astra's Token Vault via API. Tokens are:

  • Encrypted at rest (AES-256-GCM, master key from K8s secret)
  • Scoped to minimum permissions
  • Tracked with expiration dates and audit logs
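As an added illustration, not Astra's own code, this Go sketch shows the encrypt/decrypt core such a token vault needs: AES-256-GCM with a fresh nonce per token, the expiry and ownership metadata bound to the ciphertext as associated data, and the expiry enforced before decryption. The Vault and TokenRecord names, the storage layout and passing the master key in as bytes are assumptions; in practice the key would be read from the Kubernetes secret at startup.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"time"
)

// TokenRecord is an assumed storage layout, not Astra's real schema. Agent, Platform and ExpiresAt
// ride along as GCM associated data, so editing them in the store breaks decryption instead of
// extending a token's life or reassigning it to another agent.
type TokenRecord struct {
	Agent, Platform   string
	ExpiresAt         time.Time
	Nonce, Ciphertext []byte
}

func (r *TokenRecord) aad() []byte { return []byte(r.Agent + "\x00" + r.Platform + "\x00" + r.ExpiresAt.UTC().Format(time.RFC3339)) }

// Vault keeps only the AEAD built from the master key, not the key bytes themselves.
type Vault struct{ gcm cipher.AEAD }

// NewVault takes the 32-byte master key, which in Astra comes from a K8s secret (never hard-coded).
func NewVault(masterKey []byte) (*Vault, error) {
	if len(masterKey) != 32 { // a 16- or 24-byte key would silently select AES-128/192
		return nil, errors.New("master key must be 32 bytes")
	}
	block, _ := aes.NewCipher(masterKey) // cannot fail once the length is checked
	gcm, _ := cipher.NewGCM(block)       // cannot fail for AES's 16-byte block size
	return &Vault{gcm: gcm}, nil
}

// Seal encrypts one platform token (e.g. a GitHub PAT) under a fresh random 96-bit nonce.
func (v *Vault) Seal(agent, platform string, expires time.Time, token []byte) (*TokenRecord, error) {
	r := &TokenRecord{Agent: agent, Platform: platform, ExpiresAt: expires, Nonce: make([]byte, v.gcm.NonceSize())}
	if _, err := rand.Read(r.Nonce); err != nil {
		return nil, err
	}
	r.Ciphertext = v.gcm.Seal(nil, r.Nonce, token, r.aad())
	return r, nil
}

// Open rejects expired records before touching the ciphertext, then authenticates and decrypts.
func (v *Vault) Open(r *TokenRecord, now time.Time) ([]byte, error) {
	if !now.Before(r.ExpiresAt) {
		return nil, errors.New("token expired")
	}
	return v.gcm.Open(nil, r.Nonce, r.Ciphertext, r.aad())
}
```

Because the metadata is authenticated rather than merely stored, a record whose ExpiresAt or Agent column is altered in the database can no longer be opened, which is the property that makes the expiration tracking trustworthy.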

Hard rules

  1. Never store secrets in code or Terraform files
  2. Never commit .env files (.gitignore blocks them)
  3. Never log secrets — even in debug mode
  4. Always use Key Vault references, not literal values
  5. Always rotate compromised credentials immediately
