Skip to Content

When is a secret manager meaningfully better than env vars?

Category: Security & Compliance

Answer

Env vars are fine for reads at startup. They fail when you need rotation without restart, audit trail of who read what, or short-lived credentials (database tokens that expire in 1 hour). Vault/KMS gives you all three. For a single-service MVP, env is fine; the day you rotate, switch.

Concrete examples from the fca project context

Example 1

Static secrets (DB URL, JWT key): env in dev, KMS in prod.

Example 2

Dynamic secrets (DB role that’s minted per pod, expires 1h): KMS only, but don’t DIY.

Example 3

Audit trail: KMS logs every secret read; env vars don’t.

Data flow / flow chart

app -> env / KMS -> secret
  KMS choice enables rotation + audit; env only if static reads suffice

Takeaway

Use env for static secrets; vault when you need rotation, audit, or short-lived creds.