You might like varlock - it helps keep secrets out of plaintext by using plugins to pull from various backends (aws ssm, gcp, vault, 1pass, etc). Also has built in local encryption with shared team vaults coming soon.

Additionally provides pre commit scanning, log redaction, and much more.

▲

Sohcahtoa82 3 hours ago | parent [-]

But then you need creds to access AWS SSM, Vault, etc., and those end up getting stored the same way the actual creds you needed were being stored, and you're back at square one.

	▲	sneak 2 hours ago \| parent [-]
		Nah you can get machine creds automatically via the metadata service when running inside AWS. Nothing need be on disk.