AnySecret.io — Intelligent Secret & Config Management


1. Introduction

Managing secrets and configuration across environments is usually painful: multiple cloud-specific APIs, vendor lock-in, brittle CI/CD flows, and rising costs when everything is treated as a secret. In practice, most keys are parameters (cheap), while a subset are true secrets (secure).

AnySecret is a CLI-first, open source project that fixes this with automatic classification and multi-cloud routing. It keeps sensitive values secure where it matters and places non-sensitive configuration in low-cost storage—without changing how your applications work.


2. Problem → Approach

  • Vendor lock-in and divergent provider APIs
  • Treating every key as a secret (higher cost, more friction)
  • Teams mixing environments; ad‑hoc .env handling
  • Complex migrations and inconsistent CI/CD patterns

The AnySecret approach

  • Auto‑classify keys (secret vs parameter) via patterns and value hints
  • Route to appropriate backends (Secret Manager vs cloud storage/ConfigMaps)
  • Offer a universal CLI and a unified configuration model
  • Emphasize portability, security, and cost reduction (often 40× savings)



3. Architecture overview

  • ConfigManager (unified interface): single surface for get, set, delete, list, prefix ops; auto‑routes between secrets and parameters
  • Providers: AWS (Secrets Manager + S3/Parameter Store), GCP (Secret Manager + GCS), Azure (Key Vault + Blob), Kubernetes (Secrets/ConfigMaps), HashiCorp Vault, local files
  • Classification engine: pattern‑based and value‑aware (e.g., *_PASSWORD, *_HOST, sk_, -----BEGIN), with manual overrides --hint secret|parameter
  • CLI (primary interface): end‑to‑end workflows (profiles, provider setup, bulk import/export, analysis)

4. Capabilities (highlights)

  • Universal CLI, consistent across clouds and local
  • Smart classification with robust defaults and custom patterns
  • Profiles for environment separation (dev/staging/prod/teams)
  • Bulk ops for .env, JSON, YAML; tree/search/describe
  • Security first: secrets are masked in terminal output; exported files contain real values; CI safeguards
  • Health/validation: provider health, status, and configuration validation
  • Portability: migrate between providers without code changes

5. Quick start

# Install
pip install anysecret-io

# Create a local development profile
anysecret config profile-create local-dev

# Add configuration (auto-classified)
anysecret set DATABASE_PASSWORD "super_secret"   # → Secret Manager
anysecret set DATABASE_HOST "localhost"         # → Low-cost storage

# Export for your app (real values in file)
anysecret bulk export --output .env

Move to cloud when ready:

# Example: GCP
anysecret config profile-create production --provider gcp
anysecret config profile-use production
anysecret bulk import .env                 # auto-classified routing
anysecret providers health                 # verify setup

# CI/CD: store a base64 (or encrypted) profile and pull at deploy time
anysecret config profile-export production --base64 > prod.txt

6. Providers at a glance

Provider      Secrets                 Parameters
AWS           Secrets Manager         S3 or Parameter Store
GCP           Secret Manager          GCS
Azure         Key Vault               Blob Storage
Kubernetes    Secrets                 ConfigMaps
Vault         KV v1/v2                KV v1/v2
Local         .env (incl. encrypted)  JSON/YAML

Provider setup (auth, roles, options) is documented step‑by‑step in the official guides at docs.anysecret.io.


7. CLI essentials

7.1 Classification control

# See how keys would be classified
anysecret classify API_KEY         # → secret
anysecret classify DATABASE_HOST   # → parameter

# Override when needed
anysecret set PUBLIC_KEY "pk_test_123" --hint parameter
anysecret set LOG_TOKEN "token_123" --hint secret

# Show built-in patterns
anysecret patterns
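
A sketch of how pattern-based, value-aware classification with a manual override can work, added here as an illustration; it is not AnySecret's implementation. The precedence order, the fail-closed default, and the *_KEY and *_TOKEN globs are assumptions; the other patterns are the ones named on this page.

```python
import fnmatch

# *_PASSWORD comes from the page; *_KEY and *_TOKEN are assumed additions.
SECRET_NAME_GLOBS = ["*_PASSWORD", "*_KEY", "*_TOKEN"]
# Parameter globs listed on the page under cost optimization.
PARAM_NAME_GLOBS = ["*_HOST", "*_PORT", "*_URL", "*_TIMEOUT", "LOG_*", "*_MODE"]
# Value prefixes the page names as hints that a value is sensitive.
SECRET_VALUE_PREFIXES = ("sk_", "-----BEGIN")


def classify(key, value="", hint=None):
    """Return (kind, reason); kind is 'secret' or 'parameter'."""
    if hint in ("secret", "parameter"):           # manual override wins
        return hint, "explicit hint"
    if value.startswith(SECRET_VALUE_PREFIXES):   # value beats a harmless-looking name
        return "secret", "value prefix"
    name = key.rsplit("/", 1)[-1].upper()         # ignore prefixes such as db/ or api/
    if any(fnmatch.fnmatchcase(name, g) for g in SECRET_NAME_GLOBS):
        return "secret", "secret name pattern"
    if any(fnmatch.fnmatchcase(name, g) for g in PARAM_NAME_GLOBS):
        return "parameter", "parameter name pattern"
    return "secret", "no match, fail closed"      # unknown keys get the stricter backend


def audit_env(text):
    """Classify each KEY=VALUE line of .env text; return {key: (kind, reason)}."""
    result = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, value = line.split("=", 1)
        result[key.strip()] = classify(key.strip(), value.strip().strip("\"'"))
    return result


# Constructed sample input, not real credentials.
SAMPLE_ENV = """\
DATABASE_PASSWORD=super_secret
DATABASE_HOST=localhost
LOG_TOKEN=token_123
CALLBACK_URL=sk_live_constructed_example
TLS_MODE=-----BEGIN PRIVATE KEY-----
FEATURE_X=true
"""

if __name__ == "__main__":
    for key, (kind, reason) in audit_env(SAMPLE_ENV).items():
        print(f"{key:20} {kind:10} {reason}")
```

In this sketch CALLBACK_URL and TLS_MODE are routed as secrets despite matching parameter name patterns, because the value hint is checked before the name.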

7.2 Bulk import/export

# Import from various formats
anysecret bulk import .env
anysecret bulk import config.json --format json
anysecret bulk import settings.yaml --format yaml

# Safe export options
anysecret bulk export --parameters-only --output params.env
anysecret bulk export --format json --output config.json

# Full export (be careful; secrets end up in file)
CI=true anysecret bulk export --output .env.production

7.3 Read/Analyze

# Tree and search
anysecret read tree --prefix "api/" --depth 3
anysecret read search "database" --content

# Describe with metadata and history (where supported)
anysecret read describe API_KEY --metadata --history

8. Profiles & CI/CD

  • Maintain separate profiles per environment; avoid mixing dev/prod
  • Export profile for CI/CD as base64 or encrypted
  • In pipelines, pull configuration just‑in‑time and clean up after use

GitHub Actions example:

- name: Export config with AnySecret
  env:
    ANYSECRET_PROFILE_DATA: ${{ secrets.ANYSECRET_PROFILE }}
    CI: true
  run: |
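    pip install anysecret-io
    umask 077                            # new files are created owner-only
    trap 'rm -f .env.production' EXIT    # clean up after use, even if a step fails
    anysecret --profile-data "$ANYSECRET_PROFILE_DATA" \
      bulk export --output .env.production
    chmod 600 .env.production
    docker run --env-file .env.production myapp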

9. Migration playbooks

9.1 From .env to cloud

anysecret config profile-create production --provider gcp
anysecret config profile-use production
anysecret bulk import production.env --dry-run  # preview
anysecret bulk import production.env            # execute
anysecret list --format json | jq '.summary'

9.2 Cloud → Cloud (AWS → GCP)

# Export from AWS
anysecret config profile-use aws-prod
anysecret bulk export --format json --output aws-config.json

# Import to GCP
anysecret config profile-use gcp-prod
anysecret bulk import aws-config.json --format json --dry-run
anysecret bulk import aws-config.json --format json

9.3 Hybrid & multi-cloud

# Primary GCP; fallback AWS
anysecret config profile-create primary --provider gcp
anysecret config profile-create fallback --provider aws

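# Sync from primary to fallback (simple approach)
SYNC_DIR="$(mktemp -d)"   # private (0700) directory instead of a fixed /tmp path
anysecret config profile-use primary
anysecret bulk export --format json --output "$SYNC_DIR/sync.json"
anysecret config profile-use fallback
anysecret bulk import "$SYNC_DIR/sync.json" --format json
rm -rf "$SYNC_DIR"        # the export holds real secret values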

10. Security & compliance (practices)

  • Secrets are masked in terminal; files receive real values
  • Prefer --parameters-only exports where possible
  • Use encrypted profile exports for sensitive pipelines
  • Rely on cloud‑native IAM/roles; avoid long‑lived static keys
  • Never commit secrets; scrub temporary files after use (e.g., shred)

# Encrypted profile export
anysecret config profile-export prod --encrypt > profile.enc

# In CI
export ANYSECRET_PROFILE_PASSPHRASE="$PASSPHRASE"
anysecret --profile-data "$(cat profile.enc)" --decrypt \
  bulk export --parameters-only --output .env

11. Cost optimization

Estimate savings quickly:

anysecret list --format json | jq -r '
  .summary as $s | 
  "Secrets: \($s.secrets) × $0.40 = $\($s.secrets * 0.40)\n" +
  "Params:  \($s.parameters) × $0.01 = $\($s.parameters * 0.01)\n" +
  "Total:   $\($s.secrets * 0.40 + $s.parameters * 0.01)\n" +
  "Traditional: $\(($s.secrets + $s.parameters) * 0.40)\n" +
  "Savings: $\((($s.secrets + $s.parameters) * 0.40) - ($s.secrets * 0.40 + $s.parameters * 0.01))"'

Common optimizations:

  • Reclassify obvious parameters: *_HOST, *_PORT, *_URL, *_TIMEOUT, LOG_*, *_MODE
  • Use prefixes (api/, db/, service/) for batch exports and audits

12. Real‑world scenarios

  • Solo dev: local‑only profiles, zero cloud cost; export .env for apps
  • Startup: dev → staging on cloud (cheap params, few secrets) → prod
  • Microservices: prefix by service; selective exports per service/env
  • Enterprise: encrypted profiles, RBAC/IAM, audits, DR via multi‑cloud

Examples (select):

# Microservice export by prefix
anysecret read get-env --prefix "auth/prod/" --output auth.env

# Feature flags (parameters)
anysecret set features/new_ui "true" --hint parameter
anysecret read get-env --prefix "features/" --output features.env

# Compose DB URL from parts
export $(anysecret read get-env --prefix "db/" | xargs)
DATABASE_URL="postgresql://$db_user:$db_password@$db_host:$db_port/$db_name"

13. Kubernetes patterns

  • Store parameters in ConfigMaps; secrets in Secrets
  • RBAC manifests and namespace scoping per environment

apiVersion: v1
kind: Secret
metadata:
  name: app-secrets
  namespace: prod
stringData:
  DATABASE_PASSWORD: super_secret
---
apiVersion: v1
kind: ConfigMap
metadata:
  name: app-config
  namespace: prod
data:
  DATABASE_HOST: db.example.com
  LOG_LEVEL: info

14. Testing & quality

  • 200+ tests across core, CLI, and file providers (unit/CLI/integration)
  • CI via GitHub Actions; formatting (black, isort), typing (mypy), linting
  • Cloud provider integration tests (some require credentials)

15. Roadmap (selected)

  • Optional caching layer and fallback providers
  • Retry/circuit‑breaker strategy
  • Expanded SDK surface (beyond CLI‑first)
  • Deeper cost analysis (anysecret cost ...) and diffs/syncs

A companion chat interface (Ollama/Spaces) has been developed to teach AnySecret commands and patterns. Training/deployment details are covered in a separate article; it serves as a productivity aid for the project.


  • Website: https://anysecret.io
  • Docs: https://docs.anysecret.io
  • PyPI: https://pypi.org/project/anysecret-io
  • GitHub: https://github.com/anysecret-io/anysecret-lib