Env vars are fine for reads at startup. They fail when you need rotation without restart, audit trail of who read what, or short-lived credentials (database tokens that expire in 1 hour). Vault/KMS gives you all three. For a single-service MVP, env is fine; the day you rotate, switch.
Static secrets (DB URL, JWT key): env in dev, KMS in prod.
Dynamic secrets (DB role that’s minted per pod, expires 1h): KMS only, but don’t DIY.
Audit trail: KMS logs every secret read; env vars don’t.
app -> env / KMS -> secret
KMS choice enables rotation + audit; env only if static reads suffice
Use env for static secrets; vault when you need rotation, audit, or short-lived creds.