
As soon as developers have access to the production credentials it's game over. Auditability is gone. Passwords end up being stored in various password stores and plain files because it's convenient. Developers connect to the production system and start doing live changes.

Hashicorp Vault is more difficult to put in place but it does the right thing. With its custom backend it can generate temporary tokens, for example to access the database. Those tokens are short-lived and part of the audit log.
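The comment above describes the dynamic-secrets pattern: a credential is minted per request, lives only for a TTL, and every issue and revoke lands in an audit log that ties the credential back to the principal who asked for it. The following is an added, constructed illustration of that pattern in plain Python; it is not Vault's code and not part of this thread. The `Broker`, `Lease` names and the fixed timestamps are assumptions made for the example, and the "database" is simulated (no user is actually created or dropped).

```python
"""Minimal model of a dynamic-secrets broker: short-lived database
credentials minted per request, tracked as leases, and every action
written to an append-only audit log. Constructed illustration, not Vault."""
import secrets
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class Lease:
    lease_id: str
    principal: str      # who asked (e.g. "deploy-bot", "alice")
    role: str           # which database role the credential maps to
    username: str
    password: str
    issued_at: int      # seconds since epoch; passed in by the caller so runs are deterministic
    ttl: int
    revoked: bool = False

    def expires_at(self) -> int:
        return self.issued_at + self.ttl


@dataclass
class Broker:
    """Issues one credential per request; nothing is shared between principals."""
    max_ttl: int = 3600
    leases: dict = field(default_factory=dict)
    audit: list = field(default_factory=list)

    def _log(self, event: str, **fields) -> None:
        # Append-only: the log records who, what and when, never the secret itself.
        self.audit.append({"event": event, **fields})

    def issue(self, principal: str, role: str, ttl: int, now: int) -> Lease:
        ttl = min(ttl, self.max_ttl)   # cap the TTL so nobody mints a long-lived credential
        lease = Lease(
            lease_id=secrets.token_hex(8),
            principal=principal,
            role=role,
            # The username embeds principal and role so database-side logs stay attributable.
            username=f"v-{principal}-{role}-{secrets.token_hex(4)}",
            password=secrets.token_urlsafe(24),
            issued_at=now,
            ttl=ttl,
        )
        self.leases[lease.lease_id] = lease
        self._log("issue", lease_id=lease.lease_id, principal=principal,
                  role=role, username=lease.username, ttl=ttl, at=now)
        return lease

    def is_valid(self, lease_id: str, now: int) -> bool:
        lease = self.leases.get(lease_id)
        return lease is not None and not lease.revoked and now < lease.expires_at()

    def revoke(self, lease_id: str, now: int, reason: str) -> None:
        lease = self.leases[lease_id]
        if not lease.revoked:
            lease.revoked = True
            # In a real deployment this is where the database user would be dropped.
            self._log("revoke", lease_id=lease_id, principal=lease.principal,
                      username=lease.username, reason=reason, at=now)

    def expire_leases(self, now: int) -> int:
        """Revoke every lease past its TTL; returns how many were revoked."""
        expired = [l.lease_id for l in self.leases.values()
                   if not l.revoked and now >= l.expires_at()]
        for lease_id in expired:
            self.revoke(lease_id, now, reason="ttl")
        return len(expired)

    def who_used(self, username: str) -> Optional[str]:
        """Answer the audit question: which principal was behind this database user?"""
        for entry in self.audit:
            if entry["event"] == "issue" and entry["username"] == username:
                return entry["principal"]
        return None


if __name__ == "__main__":
    broker = Broker(max_ttl=900)
    lease = broker.issue("alice", "readonly", ttl=600, now=1000)
    print("valid at t=1500:", broker.is_valid(lease.lease_id, 1500))
    broker.expire_leases(now=1700)
    print("valid at t=1700:", broker.is_valid(lease.lease_id, 1700))
    for entry in broker.audit:
        print(entry)
```

Two design points carry the auditability argument from the comment: the password never enters the log (only the lease id and generated username do), and because each principal gets its own username, a line in the database's own logs can be mapped back to a person or machine via `who_used`.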




With Torus, you can use our fine grained access controls to model exactly how your organization divvies up access and responsibilities. You can give a team (users or machines) access to everything, a specific environment, or even a specific service instance within an environment.

Only users or machines with explicit access can retrieve the encrypted secrets from our servers and they are never written to disk in plain-text.

With our worklog(1) feature, we make it really easy to rotate secrets when a team member leaves, commits them to git by accident, or a machine is compromised by listing out every secret they could access cryptographically.

For small teams and deployments, we want to make it easy for them to keep their secrets out of git without having to securely manage and deploy heavier tooling such as Vault or Keywhiz.

1) https://www.torus.sh/docs/latest/commands/organizations#work...
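The comment above describes two things: scoped grants (a team can be given everything, one environment, or one service within an environment) and a "worklog" that enumerates every secret a departing member or compromised machine could have read so they can be rotated. The block below is an added, constructed model of both ideas in Python; it is not Torus code and the `Org`, `grant`, `worklog` names, the prefix-scope representation and the sample org are assumptions made for the example.

```python
"""Scoped access control over an org / environment / service hierarchy,
plus a 'worklog' that lists which secrets a departing member could have
read and therefore must be rotated. Constructed illustration, not Torus."""
from dataclasses import dataclass, field
from typing import Dict, List, Set, Tuple

# A secret path is (environment, service, name); a grant scope is a prefix of it:
# () grants everything, ("prod",) one environment, ("prod", "api") one service.
Path = Tuple[str, str, str]
Scope = Tuple[str, ...]


@dataclass
class Org:
    teams: Dict[str, Set[str]] = field(default_factory=dict)        # team -> members
    grants: List[Tuple[str, Scope]] = field(default_factory=list)  # (team, scope prefix)
    secrets: Dict[Path, str] = field(default_factory=dict)         # path -> value

    def add_member(self, team: str, user: str) -> None:
        self.teams.setdefault(team, set()).add(user)

    def grant(self, team: str, *scope: str) -> None:
        self.grants.append((team, scope))

    def put(self, env: str, service: str, name: str, value: str) -> None:
        self.secrets[(env, service, name)] = value

    def teams_of(self, user: str) -> Set[str]:
        return {t for t, members in self.teams.items() if user in members}

    def can_read(self, user: str, path: Path) -> bool:
        """True if any team of `user` holds a grant whose scope is a prefix of `path`."""
        mine = self.teams_of(user)
        return any(team in mine and path[:len(scope)] == scope
                   for team, scope in self.grants)

    def read(self, user: str, env: str, service: str, name: str) -> str:
        path = (env, service, name)
        if not self.can_read(user, path):
            raise PermissionError(f"{user} may not read {'/'.join(path)}")
        return self.secrets[path]

    def worklog(self, user: str) -> List[Path]:
        """Every secret `user` could have read: the rotation list when they leave,
        leak a secret, or a machine holding their credentials is compromised."""
        return sorted(p for p in self.secrets if self.can_read(user, p))

    def remove_member(self, user: str) -> List[Path]:
        """Compute the rotation list before revoking membership, then revoke it."""
        todo = self.worklog(user)
        for members in self.teams.values():
            members.discard(user)
        return todo


def build_demo_org() -> Org:
    """Constructed sample org: ops sees everything, devs see staging only,
    the CI machine sees just the production API service."""
    org = Org()
    for env in ("prod", "staging"):
        org.put(env, "api", "DB_URL", f"postgres://{env}-db/app")
        org.put(env, "worker", "QUEUE_KEY", f"{env}-queue-key")
    org.add_member("ops", "carol")
    org.add_member("devs", "alice")
    org.add_member("devs", "bob")
    org.add_member("ci", "deploy-bot")
    org.grant("ops")                    # whole org
    org.grant("devs", "staging")        # one environment
    org.grant("ci", "prod", "api")      # one service instance in one environment
    return org


if __name__ == "__main__":
    org = build_demo_org()
    print("alice can read staging api DB_URL:", org.read("alice", "staging", "api", "DB_URL"))
    print("rotate after alice leaves:", org.remove_member("alice"))
    print("deploy-bot worklog:", org.worklog("deploy-bot"))
```

The worklog is derived from the grants rather than from which secrets were actually fetched, which is the conservative choice: if a person or machine *could* have read a value, treat it as exposed and rotate it.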


https://www.torus.sh/docs/latest/commands/access-control

They seem to have pretty serious access control (Orgs, Teams) and a Policy based access control system.


Do you know any good resources on this topic that can be easily picked up by small teams? Most resources I've seen assume you have access to huge clusters of hardware and plenty of people to set up and maintain everything. But what if you're bootstrapping a project with some friends?

Heck, how do people manage their personal credentials and secrets? I have a few computers, and I usually copy over a few PGP keys, SSH keys, and API keys. For regular credentials, I use a password manager which syncs through a cloud data storage system.

One of the best sites I've found for learning about security-related topics is the NIST CSRC [0]. They cover a huge variety of topics, with varying levels of detail. I've found many of their publications to be very approachable. For example, they usually include a glossary of terms and acronyms, along with examples to help you understand the problem. Also, unlike what you find in many popular books or random online blogs, they actually cover varying edge-cases and discuss an example of what a real-world solution could do. I love that because it gives you a reasonable starting point for when you don't know any better. The only problem is that their content generally isn't written with personal usage or small teams in mind.

[0] https://beta.csrc.nist.gov


The idea is not new. Back in the 1980s I worked at a job where access to live production systems was tightly controlled and audited. Developers could get access, but passwords were short-lived and everything was logged.


Hashi Vault isn't that difficult to set up, especially for smaller setups; it's basically just a binary you run, with the file backend. You still get the auditing goodness, etc. Otherwise I agree with what else you said.


Yes, Vault isn't that difficult to set up. It's mainly harder because Torus hosts the backend.

