This set builds vocabulary for centralized secrets storage, access control, and rotation practices.
1 / 5
At standup, a dev mentions storing an API key in a centralized service that injects it into CI jobs instead of hardcoding it in a config file. What is this practice called?
A secrets manager like Bitwarden Secrets Manager stores sensitive values, such as API keys, in a centralized, access-controlled vault and injects them into pipelines or applications at runtime, avoiding the risk of hardcoding them into source files. This centralization makes rotation and auditing far easier than scattering secrets across repositories. It's a standard practice once a team has more than a handful of credentials to manage.
2 / 5
During a design review, the team wants every secret access to be logged with who accessed it and when. Which capability supports this?
Access audit logging records every read or modification of a stored secret, including the identity of the accessor and the timestamp, giving the team a trail to review during a security investigation. Without this, it's impossible to know who touched a credential before a suspected leak. This logging is a core expectation of any serious secrets management platform.
3 / 5
In a code review, a dev configures a machine account with a scoped token that can only read secrets for one specific project. What does this represent?
Least-privilege access control scopes a machine account's token to only the secrets it actually needs, like one project's credentials, rather than granting broad access that could be misused if the token were ever compromised. This scoping limits the blast radius of any single leaked credential. It's a foundational security principle applied specifically to automated, non-human identities.
4 / 5
An incident report shows a leaked API key remained valid for months because no one had a process to rotate it after a team member left. What practice would prevent this?
A rotation policy that triggers on events like offboarding, as well as on a regular schedule, ensures a credential doesn't remain valid indefinitely after someone who had access to it leaves the team. Without this, a leaked or orphaned key can remain exploitable for months. Building rotation into a defined process rather than leaving it ad hoc is a standard secrets management discipline.
5 / 5
During a PR review, a teammate asks why the team pays for a dedicated secrets manager instead of storing credentials in a shared password-protected spreadsheet. What is the reasoning?
A shared spreadsheet offers no meaningful access control, audit trail, or rotation tooling, meaning anyone with the file can see every credential and there's no record of who used what. A dedicated secrets manager solves all three problems natively and integrates directly into deployment pipelines. This tradeoff strongly favors dedicated tooling once a team manages more than a trivial number of secrets.