Back to Registry
View Author Profile
Official Verified
Secrets Management
Skill by brandonwise
skill-install — Terminal
Install via CLI (Recommended)
clawhub install openclaw/skills/skills/brandonwise/secrets-managementOr
Secrets Management
Secure secrets management for CI/CD pipelines using Vault, AWS Secrets Manager, and native platform solutions.
Description
USE WHEN:
- Storing API keys and credentials securely
- Managing database passwords
- Handling TLS certificates
- Setting up automatic secret rotation
- Implementing least-privilege access patterns
- Integrating secrets into CI/CD pipelines (GitHub Actions, GitLab CI)
- Deploying to Kubernetes with external secrets
DON'T USE WHEN:
- Only need local dev values (use .env files not in git)
- Cannot secure access to the secrets backend
- Planning to hardcode secrets (don't do that)
Secrets Management Tools Comparison
| Tool | Best For | Key Features |
|---|---|---|
| HashiCorp Vault | Enterprise, multi-cloud | Dynamic secrets, rotation, audit logging |
| AWS Secrets Manager | AWS-native workloads | RDS integration, auto-rotation |
| Azure Key Vault | Azure workloads | HSM-backed, certificate management |
| Google Secret Manager | GCP workloads | Versioning, IAM integration |
| GitHub Secrets | GitHub Actions | Simple, per-repo/org/environment |
| GitLab CI Variables | GitLab CI | Protected branches, masked variables |
HashiCorp Vault
Setup
# Start Vault dev server
vault server -dev
# Set environment
export VAULT_ADDR='http://127.0.0.1:8200'
export VAULT_TOKEN='root'
# Enable secrets engine
vault secrets enable -path=secret kv-v2
# Store secret
vault kv put secret/database/config username=admin password=secret
GitHub Actions with Vault
name: Deploy with Vault Secrets
on: [push]
jobs:
deploy:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4
- name: Import Secrets from Vault
uses: hashicorp/vault-action@v2
with:
url: https://vault.example.com:8200
token: ${{ secrets.VAULT_TOKEN }}
secrets: |
secret/data/database username | DB_USERNAME ;
secret/data/database password | DB_PASSWORD ;
secret/data/api key | API_KEY
- name: Use secrets
run: |
echo "Connecting to database as $DB_USERNAME"
# Use $DB_PASSWORD, $API_KEY
GitLab CI with Vault
deploy:
image: vault:latest
before_script:
- export VAULT_ADDR=https://vault.example.com:8200
- export VAULT_TOKEN=$VAULT_TOKEN
- apk add curl jq
script:
- |
DB_PASSWORD=$(vault kv get -field=password secret/database/config)
API_KEY=$(vault kv get -field=key secret/api/credentials)
echo "Deploying with secrets..."
AWS Secrets Manager
Store Secret
aws secretsmanager create-secret \
--name production/database/password \
--secret-string "super-secret-password"
Retrieve in GitHub Actions
Metadata
AI Skill Finder
Not sure this is the right skill?
Describe what you want to build — we'll match you to the best skill from 16,000+ options.
Find the right skill Add to Configuration
Paste this into your clawhub.json to enable this plugin.
{
"plugins": {
"official-brandonwise-secrets-management": {
"enabled": true,
"auto_update": true
}
}
}Safety NoteClawKit audits metadata but not runtime behavior. Use with caution.