OpenShift Pipelines / SRVKP-10303

Migrate CI Credentials to HashiCorp Vault Cloud

CI/CD secrets are currently stored as encrypted files inside the repository. This provides basic protection at rest, but it introduces significant risks around secret rotation, visibility into who uses which secret, and platform lock-in. This initiative aims to migrate to HashiCorp Vault Cloud to centralize secret management and decouple our credentials from the CI infrastructure.

Business Case & Benefits

• Moves from static encrypted files to a centralized, identity-based access model, which reduces the risk of secret leakage and makes rotation a single-place change.
• Currently, tests are tethered to our CI infrastructure. Vault allows us to inject credentials into any cloud provider (AWS, Azure, GCP) dynamically, enabling us to run tests anywhere without manual setup.
• Provides an audit log of which users accessed which secrets, which is currently impossible with repo-based encryption.

Acceptance Criteria (Definition of Done)

• [ ] Vault Cloud instance is provisioned and integrated with our Identity Provider (IdP).
• [ ] All secrets are migrated from the GitLab repository to Vault.
• [ ] CI pipelines successfully pull secrets from Vault across at least two different cloud environments.
• [ ] Encrypted secret files are deleted from the plumbing master branch.
• [ ] Documentation in the repo is updated to describe how to request and add new secrets.

Sri Vignesh Selvan (rhn-support-sselvan)
Carlos Salinas Gancedo (rh-ee-csalinas)