
Secrets Vault Manager
Pick and configure AWS Secrets Manager, Azure Key Vault, or GCP Secret Manager with correct limits, rotation, and IAM patterns before shipping.
Overview
Secrets Vault Manager is an agent skill most often used in Ship (also Operate infra, Build integrations) that compares AWS, Azure, and GCP managed secret stores for production-ready secret handling.
Install
npx skills add https://github.com/alirezarezvani/claude-skills --skill secrets-vault-manager
What is this skill?
- Feature matrix across AWS Secrets Manager, Azure Key Vault, GCP Secret Manager
- Documented max sizes, versioning, rotation, encryption, and audit differences
- Decision guide: AWS for RDS rotation, Azure for certs, GCP cost notes
- Pricing cues: e.g. AWS $0.40/secret/mo, Azure $0.03/10K ops, GCP $0.06/10K access
- Compares 3 providers: AWS Secrets Manager, Azure Key Vault, GCP Secret Manager
- AWS max secret size 64 KB; Azure secret 25 KB; GCP 64 KB per matrix
Adoption & trust: 572 installs on skills.sh; 17.5k GitHub stars; 1/3 security scanners passed (skills.sh audits).
What problem does it solve?
You are about to ship but still stash secrets in flat files without knowing which cloud vault fits rotation, size limits, and audit requirements.
Who is it for?
Solo builders on AWS, Azure, or GCP who need a concise decision table before provisioning Secrets Manager, Key Vault, or Secret Manager.
Skip if: Local-only dev secrets with no cloud deploy, or HashiCorp Vault-only shops absent from this reference.
When should I use this skill?
User must select or justify a managed cloud secret store and needs limits, rotation, encryption, audit, and cost tradeoffs.
What do I get? / Deliverables
You leave with a provider-aligned shortlist and feature constraints so implementation skills can wire ARNs, vault URIs, and rotation policies confidently.
- Provider recommendation aligned to workload constraints
- Feature and cost comparison cited from the reference matrices
Recommended Skills
Journey fit
Spans multiple journey phases - primary shelf plus alternate fits below.
Ship security is the canonical first shelf because secret storage decisions block safe launch and review gates. The security subphase is the right match because the skill compares vault providers, encryption, audit, and rotation; it is not for casual env var notes in local-only dev.
Where it fits
Compare max secret size and KMS options before moving production DATABASE_URL out of flat env files.
Choose rotation approach (Lambda vs Functions) when RDS credentials must roll without redeploying the whole app.
Pick secret reference format (ARN vs vault URI) while wiring ECS task roles or Azure app settings.
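As an added example (not code from the skill or its reference), a small Python parser that classifies the three reference formats named in the feature matrix (AWS ARN, Azure vault URI plus secret name, GCP resource name), pulls out their parts, and reports whether the reference pins a specific version; the regexes follow the public formats and the sample values are constructed, so both are assumptions.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Constructed patterns for the three reference formats in the matrix.
# AWS ARN: the trailing "-XXXXXX" is the random suffix Secrets Manager appends.
_AWS_ARN = re.compile(
    r"^arn:aws(?:-[a-z-]+)?:secretsmanager:(?P<region>[a-z0-9-]+):(?P<account>\d{12})"
    r":secret:(?P<name>.+?)(?:-[A-Za-z0-9]{6})?$"
)
# Azure: https://<vault>.vault.azure.net/secrets/<name>[/<32-hex version>]
_AZURE_URI = re.compile(
    r"^https://(?P<vault>[a-zA-Z0-9-]+)\.vault\.azure\.net/secrets/(?P<name>[a-zA-Z0-9-]+)"
    r"(?:/(?P<version>[0-9a-f]{32}))?/?$"
)
# GCP: projects/<project id or number>/secrets/<name>[/versions/<n>|latest]
_GCP_NAME = re.compile(
    r"^projects/(?P<project>[a-z0-9-]+)/secrets/(?P<name>[a-zA-Z0-9_-]+)"
    r"(?:/versions/(?P<version>\d+|latest))?$"
)


@dataclass(frozen=True)
class SecretRef:
    provider: str            # "aws" | "azure" | "gcp"
    name: str                # secret name as the provider sees it
    scope: str               # "region:account", vault name, or project
    version: Optional[str]   # explicit version in the reference, if any


def parse_secret_ref(ref: str) -> SecretRef:
    """Classify a secret reference string and extract its components."""
    if m := _AWS_ARN.match(ref):
        return SecretRef("aws", m["name"], f"{m['region']}:{m['account']}", None)
    if m := _AZURE_URI.match(ref):
        return SecretRef("azure", m["name"], m["vault"], m["version"])
    if m := _GCP_NAME.match(ref):
        return SecretRef("gcp", m["name"], m["project"], m["version"])
    raise ValueError(f"unrecognised secret reference: {ref!r}")


def is_pinned(ref: SecretRef) -> bool:
    """True when the reference names one fixed version; an ARN or 'latest' floats."""
    return ref.version is not None and ref.version != "latest"
```

A floating reference is what you want when rotation runs in the background; a pinned one keeps a consumer on stale credentials after rotation.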
How it compares
Reference decision skill for managed cloud vaults—not a CLI that writes secrets or rotates them automatically.
Common Questions / FAQ
Who is secrets-vault-manager for?
Indie SaaS and API builders choosing where production secrets live across the big three clouds.
When should I use secrets-vault-manager?
In Ship security when locking down launch credentials; in Operate infra when planning rotation; in Build integrations when apps need ARN or vault URI wiring.
Is secrets-vault-manager safe to install?
It is documentation-only with no runtime hooks; still review the Security Audits panel on this page and never paste live secret values into agent chats.
SKILL.md
# Cloud Secret Store Reference

## Provider Comparison

### Feature Matrix

| Feature | AWS Secrets Manager | Azure Key Vault | GCP Secret Manager |
|---------|--------------------|-----------------|--------------------|
| **Secret types** | String, binary | Secrets, keys, certificates | String, binary |
| **Max secret size** | 64 KB | 25 KB (secret), 200 KB (cert) | 64 KB |
| **Versioning** | Automatic (all versions) | Manual enable per secret | Automatic |
| **Rotation** | Built-in Lambda rotation | Custom via Functions/Logic Apps | Custom via Cloud Functions |
| **Encryption** | AWS KMS (default or CMK) | HSM-backed (FIPS 140-2 L2) | Google-managed or CMEK |
| **Cross-region** | Replication to multiple regions | Geo-redundant by SKU | Replication supported |
| **Access control** | IAM + resource-based policies | RBAC + access policies | IAM bindings |
| **Audit** | CloudTrail | Azure Monitor + Diagnostics | Cloud Audit Logs |
| **Secret references** | ARN | Vault URI + secret name | Resource name |
| **Cost model** | $0.40/secret/mo + $0.05/10K calls | $0.03/10K ops (Standard) | $0.06/10K access ops |
| **Free tier** | No | No | 6 active versions free |

### Decision Guide

**Choose AWS Secrets Manager when:**
- Fully on AWS
- Need native RDS/Aurora/Redshift rotation
- Using ECS/EKS with native AWS IAM integration
- Cross-account secret sharing via resource policies

**Choose Azure Key Vault when:**
- Azure-primary workloads
- Certificate lifecycle management is critical (built-in CA integration)
- Need HSM-backed key protection (Premium SKU)
- Azure AD conditional access integration required

**Choose GCP Secret Manager when:**
- GCP-primary workloads
- Using GKE with Workload Identity
- Want simplest API surface (few concepts, fast to integrate)
- Cost-sensitive (generous free tier)

**Choose HashiCorp Vault when:**
- Multi-cloud or hybrid environments
- Dynamic secrets (database, cloud IAM, SSH) are primary use case
- Need transit encryption, PKI, or SSH CA
- Regulatory requirement for self-hosted secret management

## AWS Secrets Manager

### Access Patterns

```python
import json

import boto3
from botocore.exceptions import ClientError


def get_secret(secret_name, region="us-east-1"):
    """Retrieve secret from AWS Secrets Manager."""
    client = boto3.client("secretsmanager", region_name=region)
    try:
        response = client.get_secret_value(SecretId=secret_name)
    except ClientError as e:
        code = e.response["Error"]["Code"]
        if code == "ResourceNotFoundException":
            raise ValueError(f"Secret {secret_name} not found")
        elif code == "DecryptionFailureException":
            raise RuntimeError("KMS decryption failed — check key permissions")
        raise
    if "SecretString" in response:
        # Secrets are usually stored as a JSON document; fall back to the
        # raw string for plaintext secrets so they do not raise on decode.
        try:
            return json.loads(response["SecretString"])
        except ValueError:
            return response["SecretString"]
    return response["SecretBinary"]
```

### Rotation with Lambda

```python
# rotation_lambda.py — skeleton for custom rotation
import json
import secrets

import boto3


def generate_password(length=32):
    """Build a random password; narrow the alphabet if the target has rules."""
    return secrets.token_urlsafe(length)


def get_secret_version(client, secret_id, stage, token):
    """Read the secret version carrying the given stage label."""
    response = client.get_secret_value(
        SecretId=secret_id, VersionId=token, VersionStage=stage
    )
    return json.loads(response["SecretString"])


def current_version_id(client, secret_id):
    """Return the version id currently labelled AWSCURRENT, if any."""
    metadata = client.describe_secret(SecretId=secret_id)
    for version_id, stages in metadata.get("VersionIdsToStages", {}).items():
        if "AWSCURRENT" in stages:
            return version_id
    return None


def apply_credentials(pending):
    """Set the pending password on the target service (service-specific)."""
    raise NotImplementedError("implement for the target service")


def test_connection(pending):
    """Verify the pending credentials work against the target (service-specific)."""
    raise NotImplementedError("implement for the target service")


def lambda_handler(event, context):
    secret_id = event["SecretId"]
    step = event["Step"]
    token = event["ClientRequestToken"]
    client = boto3.client("secretsmanager")

    if step == "createSecret":
        # Generate new credentials and stage them as AWSPENDING
        new_password = generate_password()
        client.put_secret_value(
            SecretId=secret_id,
            ClientRequestToken=token,
            SecretString=json.dumps({"password": new_password}),
            VersionStages=["AWSPENDING"],
        )
    elif step == "setSecret":
        # Apply new credentials to the target service
        pending = get_secret_version(client, secret_id, "AWSPENDING", token)
        apply_credentials(pending)
    elif step == "testSecret":
        # Verify new credentials work
        pending = get_secret_version(client, secret_id, "AWSPENDING", token)
        test_connection(pending)
    elif step == "finishSecret":
        # Mark AWSPENDING as AWSCURRENT, moving the label off the old version
        kwargs = {
            "SecretId": secret_id,
            "VersionStage": "AWSCURRENT",
            "MoveToVersionId": token,
        }
        current = current_version_id(client, secret_id)
        if current and current != token:
            kwargs["RemoveFromVersionId"] = current
        client.update_secret_version_stage(**kwargs)
```