A development team maintains several automated CI/CD scripts that call a cloud-hosted REST API using an API key. The key is currently stored in a plain-text configuration file committed to the repository, and security has warned that a leak could let attackers reuse the key. The team needs a solution that sharply reduces that risk while still letting the scripts run unattended. Which approach best meets this goal?
Modify the scripts to prompt for a developer password each time they run
Export the key as an environment variable on every build agent
Base64-encode the key and commit it to a private repository
Store the key in a secrets-management service that automatically rotates it and enforces least-privilege access
Placing the API key in a dedicated secrets-management service (for example, AWS Secrets Manager, Azure Key Vault, or HashiCorp Vault) keeps the credential encrypted, restricts access through granular IAM policies, and can rotate or issue short-lived tokens automatically. If the key is exposed, rotation quickly invalidates it and limits the attack window. Environment variables and encoded files still expose the secret through logs, process listings, or version control, and interactive logins break automation and provide no rotation or fine-grained control.
Ask Bash
Bash is our AI bot, trained to help you pass your exam. AI Generated Content may display inaccurate information, always double-check anything important.
What is a secrets-management service?
Open an interactive chat with Bash
Why is it important to use IAM policies with secrets-management services?