Adopt
AWS Secrets Manager, Azure Key Vault, and Google Cloud Secret Manager are the native secrets management services for their respective clouds. They solve the "where to store secrets" problem — OWASP's MCP Top 10 recommends them as the backend for API keys used by AI agents.
Why It Matters for AI-Assisted Development
AI agents need API keys, database credentials, and service tokens to operate, and they should fetch them at runtime under a scoped identity rather than carry them in config files or prompts. Cloud secret managers provide the foundation:
- AWS Secrets Manager: KMS encryption at rest, Lambda-based rotation for RDS/Redshift/DocumentDB credentials (with managed rotation for supported targets), CloudTrail audit logging. $0.40/secret/month + $0.05 per 10,000 API calls.
- Azure Key Vault: software-protected keys in the Standard tier and HSM-protected keys in the Premium tier (FIPS 140-2 validated HSMs); manages keys, certificates and secrets under one API; Microsoft Entra ID (formerly Azure AD) authentication with Azure RBAC; near-expiry events published to Event Grid can trigger rotation (automatic rotation policies exist for keys, while secret rotation needs a Function or Automation runbook wired to that event).
- Google Cloud Secret Manager: AES-256 encryption at rest with a CMEK option via Cloud KMS, secret versioning with per-version enable/disable/destroy, REST + gRPC APIs, IAM roles such as secretmanager.secretAccessor that can be bound to a single secret.
Strengths
- Native integration with their respective cloud ecosystems
- Encryption at rest and in transit
- Rotation support (fully automatic for some targets, hook-driven for the rest)
- Fine-grained access control via the cloud's IAM, down to the individual secret
- Pay-as-you-go pricing
Limitations
- Solve "where to store secrets" but not "how to prevent agents from leaking them": once a tool fetches a value, nothing in the service stops it from landing in a tool result, a log line, or the model's context window
- Each is locked to its respective cloud
- No AI-specific features for preventing contextual leakage (no redaction of tool output, no notion of which values a given agent run is allowed to see)
- Azure Key Vault has the steepest learning curve of the three: two coexisting permission models (vault access policies and Azure RBAC) plus soft-delete and purge-protection semantics that trip up first-time automation
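The gap described in the limitations above is something you build on top of the service. The following is an added example, not code from any of the three providers or from the OWASP project: the agent only ever handles opaque secret references, resolution happens inside the tool boundary under a per-run allowlist (standing in for the IAM scoping you would apply to the agent's execution identity), and every value the broker has handed out is scrubbed from anything returned to the model. The `_BACKEND` dict, the reference names and the `payments_tool` function are constructed placeholders; in production the dict is replaced by the provider client call named in the comment.

```python
"""Secret-handle pattern for AI agents: the model sees references, never values.

Resolution happens inside the tool boundary under an allowlist, and anything
returned to the model is scrubbed of every value the broker has handed out.
"""

from dataclasses import dataclass, field


# Constructed stand-in for the cloud backend. In production this dict is
# replaced by the provider client: boto3 secretsmanager get_secret_value(),
# azure.keyvault.secrets SecretClient.get_secret(), or
# google.cloud.secretmanager SecretManagerServiceClient.access_secret_version().
_BACKEND = {
    "prod/payments/api-key": "sk_live_EXAMPLE4eC39HqLyjWDarjtT1zdp7dc",
    "prod/db/password": "example-db-password-v7",
}


@dataclass
class SecretBroker:
    """Resolves references for one agent run.

    allowed: references this run may resolve (mirrors the IAM scoping you would
             put on the agent's execution identity).
    """
    allowed: frozenset
    _resolved: dict = field(default_factory=dict)

    def resolve(self, ref: str) -> str:
        if ref not in self.allowed:
            raise PermissionError(f"agent not permitted to read {ref}")
        if ref not in _BACKEND:
            raise KeyError(f"unknown secret reference {ref}")
        value = _BACKEND[ref]
        self._resolved[ref] = value  # remember it so redact() can scrub it later
        return value

    def redact(self, text: str) -> str:
        # Replace longest values first so a short secret that is a substring of
        # a longer one cannot leave the longer one partially exposed.
        out = text
        for ref, value in sorted(self._resolved.items(), key=lambda kv: -len(kv[1])):
            out = out.replace(value, f"<redacted:{ref}>")
        return out


def payments_tool(broker: SecretBroker, amount: int) -> str:
    """A hypothetical tool the agent can invoke. It resolves the key itself
    and, like many real HTTP clients on error paths, echoes the request it sent."""
    api_key = broker.resolve("prod/payments/api-key")
    headers = {"Authorization": f"Bearer {api_key}"}
    # Simulated upstream failure that dumps the request: a common leak path.
    return f"502 Bad Gateway while POST /charges amount={amount} headers={headers}"


def run_for_agent(broker: SecretBroker, tool, *args) -> str:
    """Boundary between tool execution and the model's context window."""
    try:
        result = tool(broker, *args)
    except PermissionError as exc:
        result = f"tool error: {exc}"
    return broker.redact(result)


if __name__ == "__main__":
    broker = SecretBroker(allowed=frozenset({"prod/payments/api-key"}))
    print(run_for_agent(broker, payments_tool, 1999))
```

The redaction step only knows about values this broker resolved, so the broker must be the single path through which tools obtain secrets; a tool that reads a credential from an environment variable bypasses it. Pair this with a short-lived cloud identity per agent run so the allowlist and the IAM policy say the same thing.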
Pricing
All three use pay-as-you-go models. AWS: $0.40/secret/month plus $0.05 per 10,000 API calls. Azure Key Vault: per-10,000-operation charges for standard secrets and keys, plus a monthly fee per HSM-protected key in the Premium tier. Google Cloud Secret Manager: a monthly charge per active secret version per replication location plus a per-10,000-access-operation charge. In every case the bill scales with call volume, so an agent fleet that re-reads a secret on each invocation should fetch once at startup and cache for no longer than the secret's rotation interval.