Enterprise secrets management across platforms. Manage secrets with HashiCorp Vault, AWS Secrets Manager, Azure Key Vault, GCP Secret Manager, and Kubernetes secrets. Configure rotation, policies, and access controls.
Manages secrets across HashiCorp Vault, AWS, Azure, GCP, and Kubernetes with rotation and access controls.
You are secrets-management - a specialized skill for enterprise secrets management across multiple platforms. This skill provides comprehensive capabilities for managing secrets securely throughout their lifecycle.
This skill enables AI-powered secrets management including:
Operations and policy management:
```bash
# Login and check status
vault status
vault login -method=oidc

# Secret operations
# Note: literal values on the command line are recorded in shell history;
# `password=@file` reads the value from a file and `password=-` reads it from stdin.
vault kv put secret/myapp/config username=admin password=secret
vault kv get secret/myapp/config
vault kv get -format=json secret/myapp/config

# Enable secrets engine
vault secrets enable -path=secret kv-v2

# List secrets
vault kv list secret/myapp/

# Delete secret (soft delete; destroy removes the version data permanently)
vault kv delete secret/myapp/config
vault kv destroy -versions=1 secret/myapp/config
```
```hcl
# Policy for application access
path "secret/data/myapp/*" {
  capabilities = ["read", "list"]
}
path "secret/metadata/myapp/*" {
  capabilities = ["list"]
}

# Admin policy
path "secret/*" {
  capabilities = ["create", "read", "update", "delete", "list"]
}

# Database credentials
path "database/creds/myapp" {
  capabilities = ["read"]
}
```
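As an added example (not part of this skill's own code), a small Python model of how the policies above are evaluated: `vault kv` CLI paths are translated to the KV v2 `data/` and `metadata/` API paths that ACL rules actually match, and capability resolution follows a simplified version of Vault's rules (deny by default, the most specific matching rule wins, an explicit `deny` always wins). `APP_POLICY` is the application policy from this page transcribed into a dict; the matching and resolution logic is a simplification, not Vault's implementation.

```python
import re

# Application policy from this page, transcribed from HCL into a dict of
# path pattern -> capabilities (real Vault parses HCL; this is a model).
APP_POLICY = {
    "secret/data/myapp/*": {"read", "list"},
    "secret/metadata/myapp/*": {"list"},
    "database/creds/myapp": {"read"},
}


def kv2_api_paths(cli_path: str) -> dict:
    """Map a `vault kv` CLI path (mount/key) to the KV v2 API paths the ACL
    sees: data/ for the secret value, metadata/ for versions and listing."""
    mount, _, key = cli_path.partition("/")
    return {"data": f"{mount}/data/{key}", "metadata": f"{mount}/metadata/{key}"}


def _rule_matches(pattern: str, path: str) -> bool:
    # Vault path grammar: a trailing '*' matches any suffix, '+' matches
    # exactly one path segment, everything else must match literally.
    regex = re.escape(pattern).replace(r"\+", "[^/]+")
    if regex.endswith(r"\*"):
        regex = regex[:-2] + ".*"
    return re.fullmatch(regex, path) is not None


def allowed(policies: list, path: str, capability: str) -> bool:
    """Simplified Vault ACL resolution: deny by default; the longest (most
    specific) matching rule wins, rules of equal specificity are merged,
    and an explicit 'deny' capability overrides everything else."""
    best_len, caps = -1, set()
    for policy in policies:
        for pattern, rule_caps in policy.items():
            if not _rule_matches(pattern, path):
                continue
            if len(pattern) > best_len:
                best_len, caps = len(pattern), set(rule_caps)
            elif len(pattern) == best_len:
                caps |= set(rule_caps)
    if "deny" in caps:
        return False
    return capability in caps


if __name__ == "__main__":
    paths = kv2_api_paths("secret/myapp/config")
    for api_path in paths.values():
        for cap in ("read", "list", "delete"):
            print(api_path, cap, allowed([APP_POLICY], api_path, cap))
```

The metadata path is what `vault kv get` with a version or `vault kv list` touches, which is why the policy grants `list` there but not `read`; the model shows `read` on `secret/metadata/myapp/config` resolving to denied.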
```bash
# Enable AppRole
vault auth enable approle

# Create role
vault write auth/approle/role/myapp \
  token_policies="myapp-policy" \
  token_ttl=1h \
  token_max_ttl=4h

# Get role ID
vault read auth/approle/role/myapp/role-id

# Generate secret ID
vault write -f auth/approle/role/myapp/secret-id
```
```bash
# Create secret
aws secretsmanager create-secret \
  --name myapp/production/db \
  --secret-string '{"username":"admin","password":"secret"}'

# Get secret value
aws secretsmanager get-secret-value \
  --secret-id myapp/production/db \
  --query SecretString --output text

# Update secret
aws secretsmanager update-secret \
  --secret-id myapp/production/db \
  --secret-string '{"username":"admin","password":"newsecret"}'

# Enable rotation
aws secretsmanager rotate-secret \
  --secret-id myapp/production/db \
  --rotation-lambda-arn arn:aws:lambda:region:account:function:rotation

# List secrets
aws secretsmanager list-secrets --filter Key=name,Values=myapp
```
```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "secretsmanager:GetSecretValue",
        "secretsmanager:DescribeSecret"
      ],
      "Resource": "arn:aws:secretsmanager:*:*:secret:myapp/*"
    }
  ]
}
```
```bash
# Create vault
az keyvault create \
  --name myapp-vault \
  --resource-group myapp-rg \
  --location eastus

# Set secret
az keyvault secret set \
  --vault-name myapp-vault \
  --name db-password \
  --value "secret"

# Get secret
az keyvault secret show \
  --vault-name myapp-vault \
  --name db-password \
  --query value -o tsv

# List secrets
az keyvault secret list \
  --vault-name myapp-vault

# Set access policy
az keyvault set-policy \
  --name myapp-vault \
  --spn $SERVICE_PRINCIPAL_ID \
  --secret-permissions get list
```
```bash
# Create secret
gcloud secrets create db-password \
  --replication-policy="automatic"

# Add secret version
echo -n "secret" | gcloud secrets versions add db-password --data-file=-

# Access secret
gcloud secrets versions access latest --secret=db-password

# Grant access
gcloud secrets add-iam-policy-binding db-password \
  --member="serviceAccount:myapp@project.iam.gserviceaccount.com" \
  --role="roles/secretmanager.secretAccessor"

# List secrets
gcloud secrets list
```
```bash
# Create secret
kubectl create secret generic myapp-secrets \
  --from-literal=username=admin \
  --from-literal=password=secret \
  -n production

# Create from file
kubectl create secret generic tls-certs \
  --from-file=tls.crt=./cert.pem \
  --from-file=tls.key=./key.pem

# View secret (base64 encoded, not encrypted)
kubectl get secret myapp-secrets -o yaml

# Decode secret
kubectl get secret myapp-secrets -o jsonpath='{.data.password}' | base64 -d

# Install kubeseal
brew install kubeseal

# Seal a secret
kubeseal --format yaml < secret.yaml > sealed-secret.yaml

# Apply sealed secret
kubectl apply -f sealed-secret.yaml
```
```yaml
apiVersion: external-secrets.io/v1beta1
kind: ExternalSecret
metadata:
  name: myapp-secret
spec:
  refreshInterval: 1h
  secretStoreRef:
    name: vault-backend
    kind: SecretStore
  target:
    name: myapp-secret
    creationPolicy: Owner
  data:
  - secretKey: password
    remoteRef:
      key: secret/data/myapp/config
      property: password
```
```bash
# Enable database secrets engine
vault secrets enable database

# Configure PostgreSQL connection
vault write database/config/mydb \
  plugin_name=postgresql-database-plugin \
  allowed_roles="myapp" \
  connection_url="postgresql://{{username}}:{{password}}@db:5432/mydb" \
  username="vault_admin" \
  password="admin_password"

# Create role for dynamic credentials
vault write database/roles/myapp \
  db_name=mydb \
  creation_statements="CREATE ROLE \"{{name}}\" WITH LOGIN PASSWORD '{{password}}' VALID UNTIL '{{expiration}}'; GRANT SELECT ON ALL TABLES IN SCHEMA public TO \"{{name}}\";" \
  default_ttl="1h" \
  max_ttl="24h"

# Generate credentials
vault read database/creds/myapp
```
This skill can leverage the following MCP servers:
| Server | Description | Installation |
|---|---|---|
| claude-vault-mcp | HashiCorp Vault with TOKEN system | PyPI |
```yaml
# Kubernetes pod with secret injection
apiVersion: v1
kind: Pod
metadata:
  name: myapp
spec:
  containers:
  - name: app
    image: myapp:latest
    env:
    - name: DB_PASSWORD
      valueFrom:
        secretKeyRef:
          name: myapp-secrets
          key: password
    volumeMounts:
    - name: secrets
      mountPath: /etc/secrets
      readOnly: true
  volumes:
  - name: secrets
    secret:
      secretName: myapp-secrets
```
This skill integrates with the following processes:

- secrets-management.js - Initial secrets setup
- security-scanning.js - Secret leak detection
- kubernetes-setup.js - K8s secret configuration

When executing operations, provide structured output:
```json
{
  "operation": "create-secret",
  "platform": "vault",
  "status": "success",
  "secret": {
    "path": "secret/data/myapp/config",
    "version": 1,
    "created_time": "2026-01-24T10:00:00Z"
  },
  "policy": {
    "name": "myapp-policy",
    "applied": true
  },
  "artifacts": ["policy.hcl"]
}
```
| Error | Cause | Resolution |
|---|---|---|
| Permission denied | Insufficient policy | Review and update policies |
| Secret not found | Path incorrect | Verify secret path |
| Token expired | Authentication timeout | Re-authenticate |
| Sealed vault | Vault needs unsealing | Unseal with threshold keys |