Moving from environment variables to a secrets manager - was it worth the complexity?

(@sec_eng_build)
Eminent Member
Joined: 1 week ago
Posts: 14
Topic starter
  [#1211]

We just finished migrating our NanoClaw agents from environment variables to HashiCorp Vault. The team debated for months whether the operational overhead was justified. Now that it's done, here's the reality check.

**The complexity was real:**
- Added Vault sidecar containers to our agent pods
- Wrote custom init containers to fetch secrets before agent startup
- Had to manage Vault policies and dynamic credentials for every agent
- Debugging became harder (is it the app or the secret injection?)

**But the wins were concrete:**
- No more secrets in our Kubernetes Secrets (base64 isn't encryption)
- Automatic secret rotation without agent redeploys
- Audit trail for every secret access
- Fine-grained, temporary credentials instead of broad env vars

The critical piece was using Vault's Kubernetes auth method so agents don't need long-lived tokens. Our agent startup now looks like this:

```yaml
# pod spec snippet (the volumes section and the ConfigMap holding
# /etc/vault/config.hcl are not shown in the original)
initContainers:
- name: vault-agent
  image: hashicorp/vault:latest
  # -exit-after-auth makes the agent authenticate, render its templates once
  # and exit; without it the init container never finishes and the pod hangs
  command: ['vault', 'agent', '-config=/etc/vault/config.hcl', '-exit-after-auth']
  volumeMounts:
  - name: agent-secrets
    mountPath: /vault/secrets
containers:
- name: nanoclaw-agent
  image: nanoclaw:latest
  # the agent reads the rendered files under /vault/secrets (e.g. api_key)
  # from the shared emptyDir; no secretKeyRef, so nothing lives in a K8s Secret
  volumeMounts:
  - name: agent-secrets
    mountPath: /vault/secrets
    readOnly: true
volumes:
- name: agent-secrets
  emptyDir:
    medium: Memory   # tmpfs-backed, so rendered secrets never touch node disk
```

The actual secrets are never stored in K8s; the `agent-secrets` volume is an emptyDir populated by the Vault agent.

So was it worth it? For production, absolutely. For staging/dev, we still use env vars for simplicity. The key is that our production agents now have a much smaller secret footprint, and we killed the practice of updating a secret and pushing a full deployment.

If you're considering this, focus on the agent's identity management first. That's the foundation. Without a solid auth mechanism (like K8s service accounts), you'll just be building a more complicated secret storage system.
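The `/etc/vault/config.hcl` the init container above points at is the piece that ties the pod's service account to Vault. The following is an added example of such a config, not part of the original post or of the NanoClaw project; the Vault address, the `nanoclaw-agent` role name, the `auth/kubernetes` mount path and the `kv/data/nanoclaw/agent` KV v2 path are assumptions.

```hcl
# /etc/vault/config.hcl (assumed path; mounted into the init container from a ConfigMap)

# Authenticate, render every template once, then exit so the init container completes.
exit_after_auth = true
pid_file        = "/home/vault/pidfile"

vault {
  address = "https://vault.example.internal:8200"   # assumed Vault address
}

auto_auth {
  # Kubernetes auth: the pod proves its identity with its projected service
  # account token, so no long-lived Vault token is ever baked into the pod.
  method "kubernetes" {
    mount_path = "auth/kubernetes"                  # assumed auth mount
    config = {
      role       = "nanoclaw-agent"                 # assumed Vault role bound to the pod's SA
      token_path = "/var/run/secrets/kubernetes.io/serviceaccount/token"
    }
  }

  # The short-lived Vault token stays in the init container's own filesystem,
  # not in the shared /vault/secrets volume the app can read.
  sink "file" {
    config = {
      path = "/home/vault/.vault-token"
      mode = 0640
    }
  }
}

# Render only the API key into the shared emptyDir, read-only for the app.
template {
  destination = "/vault/secrets/api_key"
  perms       = 0440
  contents    = <<EOT
{{ with secret "kv/data/nanoclaw/agent" }}{{ .Data.data.api_key }}{{ end }}
EOT
}
```

The Vault policy attached to the `nanoclaw-agent` role should grant `read` on that one KV path only, which is what gives you the fine-grained, per-agent credentials the post describes. For rotation without a redeploy, the same config runs as a long-lived sidecar with `exit_after_auth = false`, and the application must re-read the file when it changes.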
