The current solutions for secrets management just seem to pass the buck; this problem is far from solved. Where are you going to store the secrets that spin up your k8s environment? It eventually comes down to protecting your PGP key, I think. Where do you store the secret for your admin account to AWS? Or to your domain name provider? Or bank account? 1password?
I suppose once your core infrastructure is up you just generate random passwords and store them in k8s for access when bringing up your infrastructure.
For passwords, you can use 1password or another password manager--that's pretty much solved at this point.
Secrets that are needed in server or development contexts are a lot trickier. There's a fundamental tension between making them widely and easily available (which makes development and ops easier), and restricting access (which is necessary for security). You'll also probably have multiple versions of the same secrets in different environments, have teams of developers that all need to stay in sync, etc. etc. Password management, as important as it is, has fewer moving pieces.
For AWS, locally, you store your secrets in your user directory, which shouldn’t be anywhere near your git repository. All of the SDKs will automatically find your keys there. When you run your code on either EC2, Lambda, or ECS (Docker), the SDK will automatically use the keys based on the attached role.
You should also require MFA to use your admin credentials either programmatically or on the web.
With AWS, you can even use an IAM role to connect to MySQL and Postgres so you don’t need to store a password for database access. You can use the SDK to generate a temporary password to the database.