A little while back we wrote some experimental hooks to make use of Amazon’s Secrets Manager:
The thinking is that these would eventually replace the s3 secrets hooks that are currently part of the Elastic Stack.
The scope of the Secrets Manager hooks is much more limited. They are for credentials for the repository checkout, after which you’d use one of the other more configuration-oriented secrets options like https://github.com/seek-oss/aws-sm-buildkite-plugin.
Another design concern that featured strongly was using a queue prefix in the Secrets Manager ARNs, which allows access to secrets by queue to be easily established by prefix.
Keen to hear everyone’s thoughts on this approach!
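
To illustrate the queue-prefix idea above, here is an added sketch (not code from the hooks themselves) that builds a per-queue IAM policy and checks sample ARNs against it. The `buildkite/<queue>/<name>` naming scheme, the account ID, the region and the secret names are all assumptions made for the example.

```python
import json
import re

# Assumed naming scheme (not taken from the hooks): buildkite/<queue>/<secret-name>
PREFIX = "buildkite"

def queue_policy(queue, region="us-east-1", account="123456789012"):
    """IAM policy letting a queue's agents read only secrets under their own prefix."""
    # Reject wildcards or slashes in the queue name; they would widen the prefix.
    if not re.fullmatch(r"[A-Za-z0-9_.-]+", queue):
        raise ValueError(f"unsafe queue name: {queue!r}")
    # The "/" before "*" matters: "default*" would also match "default-staging/...".
    resource = f"arn:aws:secretsmanager:{region}:{account}:secret:{PREFIX}/{queue}/*"
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Action": ["secretsmanager:GetSecretValue"],
            "Resource": resource,
        }],
    }

def iam_match(pattern, arn):
    """Approximate IAM resource matching: '*' is any run of characters, '?' is one."""
    regex = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c) for c in pattern)
    return re.fullmatch(regex, arn) is not None

def allowed(policy, arn):
    """True if any Allow statement's Resource pattern covers the ARN."""
    return any(s["Effect"] == "Allow" and iam_match(s["Resource"], arn)
               for s in policy["Statement"])

# Constructed sample ARNs; Secrets Manager appends "-" plus six random characters.
BASE = "arn:aws:secretsmanager:us-east-1:123456789012:secret:"
SAMPLES = [
    BASE + "buildkite/default/ssh-private-key-AbCdEf",
    BASE + "buildkite/default-staging/ssh-private-key-GhIjKl",
    BASE + "buildkite/deploy/ssh-private-key-MnOpQr",
]

if __name__ == "__main__":
    policy = queue_policy("default")
    print(json.dumps(policy, indent=2))
    for arn in SAMPLES:
        print("ALLOW" if allowed(policy, arn) else "DENY ", arn)
```

Only the first sample ARN is allowed for the `default` queue; dropping the `/` delimiter from the resource pattern would also admit the `default-staging` secret.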