Interview kitsBlog

Your dream job? Lets Git IT.
Interactive technical interview preparation platform designed for modern developers.

XGitHub

Platform

  • Categories

Resources

  • Blog
  • About the app
  • FAQ
  • Feedback

Legal

  • Privacy Policy
  • Terms of Service

© 2026 LetsGit.IT. All rights reserved.

LetsGit.IT/Categories/Cloud
Cloudhard

Secrets vs config — where should you store secrets in a cloud setup?

Tags
#secrets#kms#security
Back to categoryPractice quiz

Answer

Store secrets in a secret manager (or encrypted KMS-backed store) and inject them at runtime (env/volume), not in git or plain config files. Rotate secrets and follow least privilege.

Advanced answer

Deep dive

**Config** is non-sensitive (feature flags, timeouts, endpoints). **Secrets** are sensitive credentials (API keys, DB passwords, signing keys). The goal is to prevent accidental exposure and enable controlled rotation.

Recommended approach

  • Store secrets in a managed secret system (cloud Secret Manager / Vault) backed by encryption (KMS).
  • Grant access via identity (IAM role/service account), not by hardcoding keys.
  • Inject secrets at runtime (env vars or mounted files) and keep them out of:
  • git repos,
  • container images,
  • build logs and CI output.

Operational practices

  • Rotate secrets regularly and on incidents.
  • Use least privilege (separate credentials per service/environment).
  • Prefer short-lived credentials when possible (STS, workload identity).

Related questions

Cloud
IAM users vs roles: what’s the difference and how does least privilege apply?
#cloud#iam#security
Cloud
Secrets rotation: how do you rotate credentials without downtime?
#cloud#security#secrets
Cloud
Public vs private subnet: what is the difference (in practice)?
Common pitfalls
  • Putting secrets into `.env` committed to git.
  • Sharing one secret across many services (blast radius).
  • Logging secrets accidentally (debug logs, error messages).
#cloud#networking#subnet
Cloud
What is a VPC (virtual private cloud) and why do you need it?
#cloud#networking#vpc
Cloud
Why separate environments/accounts for prod vs dev (and what do you gain)?
#environments#security#blast-radius
Cloud
IAM: what does “least privilege” mean and why does it matter?
#iam#security#least-privilege