Why Secret Managers Don't Solve the API Key Problem
HashiCorp Vault, AWS Secrets Manager, and Doppler are the right tools for managing secrets at scale. They are also frequently misunderstood as solutions to API key theft. They are not - and the gap they leave is where most incidents happen.
What secret managers actually do
Secret managers solve a real and important problem: keeping credentials out of source code and centralising secret lifecycle management. Before they existed, the industry standard was hardcoded credentials, .env files committed to git, and shared credentials on Slack. Secret managers are a massive improvement over that baseline.
The pattern they enable is:
1. Developer stores OPENAI_API_KEY=sk-proj-real... in Vault/AWS SM/Doppler
2. At deploy time, the CI pipeline fetches the secret via the secret manager API
3. The secret is injected as an environment variable into the running container
4. The application reads process.env.OPENAI_API_KEY at runtime

This is better than keeping secrets in source code. But it does not remove the real credential from the deployment environment; it only centralises where the credential is fetched from before it lands in an environment variable.
The gap: injection vs. proxying
The fundamental limitation is this: secret managers inject the real credential into your process. The real key ends up in memory and in the process environment, potentially in logs if something crashes, and certainly in the CI pipeline log if your deployment system echoes environment variables.
Attack surfaces that secret managers don't close
- CI/CD pipeline environment variable logs (often public in open-source repos)
- Container image layers that bake in env vars at build time
- Process environment dumps from crash reports or APM tools
- Supply chain attacks on build dependencies, every one of which can read process.env
- Misconfigured secret rotation that leaves old keys still valid in the deployment environment
- Developer laptops that cache fetched secrets locally
The real credential is still touching your infrastructure. It just arrives via a more controlled channel than a hardcoded string. The risk surface narrows, but it does not disappear.
HashiCorp Vault
Vault is an outstanding tool for enterprises managing hundreds of secrets across complex infrastructure. Dynamic secrets, lease management, and audit logging make it one of the most capable secret backends available.
What Vault cannot do: it cannot intercept an API request made with a real credential and validate that request against an origin policy. Once Vault hands the credential to a process, Vault's job is done. If that process is compromised, the credential is compromised.
Vault is excellent at the "how do I store and distribute secrets" problem. Its dynamic secrets narrow exposure where Vault can mint short-lived credentials itself (database users, cloud IAM), but a third-party API key such as an OpenAI key is a static secret that Vault can only store and hand out. For that case it does not address the "how do I make the credential itself worthless if exfiltrated" problem.
AWS Secrets Manager
AWS Secrets Manager adds managed automatic rotation for AWS-native credential types such as RDS database passwords, which is genuinely valuable; rotating a third-party API key requires a custom rotation Lambda and an upstream provider that exposes a rotation API. Shorter-lived credentials reduce the blast radius of a leak because an old key becomes invalid quickly.
But automatic rotation does not help when the currently valid credential is the one that was exfiltrated. An eight-minute exploit window is shorter than any rotation interval used in practice. Rotation solves the "minimize damage" problem; it does not solve the "prevent the credential from being usable outside your systems" problem.
Doppler and similar SaaS tools
Doppler, Infisical, and similar developer-focused tools solve the developer experience problem well - syncing secrets across environments, managing access control per team, integrating with CI systems. The DX is much better than Vault for smaller teams.
The security model is the same, however: the tool fetches the real credential and injects it into your process. The convenience is higher; the fundamental exposure is the same.
Closing the gap with a proxy layer
Secret managers and edge proxies are complementary, not competing. The right architecture uses both:
Secret manager layer
Stores and manages the real API key with access controls, audit logging, and rotation. The real key never leaves this layer to developer machines or CI pipelines.
Edge proxy layer
Reads the real key from the secret manager at runtime, in an isolated execution context. Issues sanitized host-bound tokens to developers. Proxies requests, validating origin before injecting the real key into the upstream request.
Developer environment
Only ever holds a sanitized token. Leaking it gives an attacker nothing they can use outside the bound origin, because the proxy rejects it anywhere else. The real key is never on developer machines, in CI logs, or in deployment env vars.
Close the gap in 5 minutes
KeyVault Edge adds the proxy layer your secret manager is missing. Keep using Vault or AWS SM for storage - replace the credential in your deployment with a host-bound token that's worthless outside your domain.
Get started free