What is a safer way to handle app secrets in cloud workloads?

Problem Statement

Keep secrets out of images and code. Fetch when needed, rotate often, and scope access with IAM or service accounts.

SolutionRead Only

AWS: aws secretsmanager get-secret-value --secret-id app/db --query SecretString
K8s: CSI Secrets Store driver to mount ephemeral secrets

This question appears in the following practice sets: