
Zero-Infrastructure Dynamic Secrets for Small Teams Priced Out of Vault

saas · real project · multiple requests

Secrets management in 2026 is still a mess at the small-team tier. Teams commit .env to private Git, base64-encode Kubernetes secrets (which is not encryption), and share credentials in Bitwarden folders nobody audits. HashiCorp Vault solves it but is 'operationally heavy' — teams spend months configuring before protecting a single secret. Cloud-native stores lock you in and leave rotation as homework. OIDC for GitHub Actions eliminates long-lived tokens but is still 'underused' because the plumbing is gnarly. Gap: a Tailscale-of-secrets that ships dynamic short-lived creds and OIDC-to-cloud out of the box, no Raft cluster required.
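The "gnarly plumbing" of OIDC for GitHub Actions is mostly the trust policy: which token claims the cloud side must check before handing out short-lived credentials. The following is an added example (not code from the page or from any product named on it) that validates a GitHub Actions OIDC token's claims against a small policy. It assumes the token signature was already verified against GitHub's JWKS; the audience value `sts.amazonaws.com`, the repository `octo-org/app` and the claim sets are constructed for the example. It also shows the classic mistake: a subject pattern ending in `*` accepts `pull_request` tokens, which a fork can trigger.

```python
"""Claim validation for a GitHub Actions OIDC token against a trust policy.

Added example, not code from the original page or any product it names.
It assumes the token's signature has already been verified against GitHub's
JWKS; what is shown is the claim matching that cloud trust policies perform
and that teams most often get wrong (wide subject wildcards, missing audience).
"""
import fnmatch
import time

GITHUB_ISSUER = "https://token.actions.githubusercontent.com"


class TrustPolicy:
    """Which workflows may exchange a token for cloud credentials."""

    def __init__(self, audience, allowed_subjects):
        self.audience = audience                  # value we told GitHub to put in `aud`
        self.allowed_subjects = allowed_subjects  # fnmatch patterns over the `sub` claim


def validate_claims(claims, policy, now=None):
    """Return the reasons to reject the token; an empty list means accept."""
    now = time.time() if now is None else now
    problems = []

    if claims.get("iss") != GITHUB_ISSUER:
        problems.append("issuer mismatch")

    # `aud` may be a string or a list; the policy's audience must be present,
    # otherwise a token minted for another relying party would be accepted.
    aud = claims.get("aud")
    aud = [aud] if isinstance(aud, str) else (aud or [])
    if policy.audience not in aud:
        problems.append("audience mismatch")

    exp = claims.get("exp")
    if not isinstance(exp, (int, float)) or exp <= now:
        problems.append("token expired or missing exp")
    nbf = claims.get("nbf")
    if isinstance(nbf, (int, float)) and nbf > now:
        problems.append("token not yet valid")

    # The `sub` claim encodes repo plus ref or event; patterns are matched
    # case-sensitively and `*` spans separators, so keep them narrow.
    sub = claims.get("sub", "")
    if not any(fnmatch.fnmatchcase(sub, pat) for pat in policy.allowed_subjects):
        problems.append("subject not allowed by policy")

    return problems


# Constructed sample claims: a token for a push to main, and the same token as
# it would look for a pull_request event (which a fork can trigger).
NOW = 1_700_000_000
MAIN_PUSH_CLAIMS = {
    "iss": GITHUB_ISSUER,
    "aud": "sts.amazonaws.com",
    "sub": "repo:octo-org/app:ref:refs/heads/main",
    "repository": "octo-org/app",
    "ref": "refs/heads/main",
    "exp": NOW + 300,
    "nbf": NOW - 60,
}
PULL_REQUEST_CLAIMS = dict(MAIN_PUSH_CLAIMS, sub="repo:octo-org/app:pull_request")

# Narrow policy: only main-branch pushes of one repo may deploy.
DEPLOY_POLICY = TrustPolicy("sts.amazonaws.com", ["repo:octo-org/app:ref:refs/heads/main"])
# Overly broad policy: `*` after the repo matches pull_request events too.
BROAD_POLICY = TrustPolicy("sts.amazonaws.com", ["repo:octo-org/app:*"])


def demo():
    """Run the three cases a reviewer of a trust policy should compare."""
    return {
        "main_push_narrow": validate_claims(MAIN_PUSH_CLAIMS, DEPLOY_POLICY, NOW),
        "pull_request_narrow": validate_claims(PULL_REQUEST_CLAIMS, DEPLOY_POLICY, NOW),
        "pull_request_broad": validate_claims(PULL_REQUEST_CLAIMS, BROAD_POLICY, NOW),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {'accept' if not result else result}")
```

The third case is the one to look for in a review: with `repo:octo-org/app:*` the pull_request token passes, so pin the subject to `ref:refs/heads/main` (or a specific environment) and always set an explicit audience.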

builder note

Skip the self-hosted dream for v1. Run it SaaS, ship 'install our GitHub Action, we rotate your Postgres creds every PR' as the hero flow. The audience is the 5-to-30-engineer company that got a SOC 2 finding this quarter, not the Fortune 500 that already owns Vault. Monetize per-seat, not per-secret.
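To make the hero flow concrete, here is an added example (not code from the page or from any product it names) of the lifecycle a "rotate your Postgres creds every PR" broker has to manage: mint a role with a `VALID UNTIL` expiry, grant it a parent role, and drop it when the lease expires or the PR closes. It never connects to a database; each operation returns the SQL the broker would execute so the lifecycle can be checked offline. The `app_readonly` parent role, the 30-minute TTL and the PR names are constructed for the example.

```python
"""Short-lived Postgres credential leases, as a minimal broker.

Added example, not code from the original page or any product it names. It
never connects to a database: each operation returns the SQL a broker would
execute (CREATE ROLE ... VALID UNTIL, GRANT, DROP ROLE) so the issue/expire/
revoke lifecycle can be exercised offline. The ``app_readonly`` parent role,
TTL and PR names are constructed for the example.
"""
import re
import secrets
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone


def quote_ident(name):
    """Quote a SQL identifier (double quotes, embedded quotes doubled)."""
    return '"' + name.replace('"', '""') + '"'


def quote_literal(value):
    """Quote a SQL string literal (single quotes, embedded quotes doubled)."""
    return "'" + value.replace("'", "''") + "'"


@dataclass
class Lease:
    role: str
    password: str
    owner: str            # who asked: a PR, job or service name
    issued_at: datetime
    expires_at: datetime


class LeaseBroker:
    def __init__(self, parent_role, ttl):
        self.parent_role = parent_role   # role whose grants the lease inherits
        self.ttl = ttl
        self.active = {}                 # role name -> Lease

    def issue(self, owner, now=None):
        """Mint a fresh role and password; returns (lease, sql_statements)."""
        now = now or datetime.now(timezone.utc)
        safe_owner = re.sub(r"[^a-z0-9_]", "_", owner.lower())[:40]
        role = f"lease_{safe_owner}_{secrets.token_hex(4)}"
        password = secrets.token_urlsafe(24)
        expires_at = now + self.ttl
        # VALID UNTIL makes the server itself refuse logins after expiry even
        # if the broker's sweep runs late. The CREATE statement carries the
        # password, so it must travel over TLS and must never be logged.
        sql = [
            f"CREATE ROLE {quote_ident(role)} WITH LOGIN PASSWORD "
            f"{quote_literal(password)} VALID UNTIL {quote_literal(expires_at.isoformat())};",
            f"GRANT {quote_ident(self.parent_role)} TO {quote_ident(role)};",
        ]
        lease = Lease(role, password, owner, now, expires_at)
        self.active[role] = lease
        return lease, sql

    def revoke(self, role):
        """Drop a lease early (PR closed, job finished); returns the SQL.

        In practice the broker also terminates the role's open sessions
        (pg_terminate_backend) and reassigns any objects it owns before the
        DROP, otherwise the statement fails or the session lingers.
        """
        self.active.pop(role)
        return [
            f"REVOKE {quote_ident(self.parent_role)} FROM {quote_ident(role)};",
            f"DROP ROLE IF EXISTS {quote_ident(role)};",
        ]

    def sweep(self, now=None):
        """Revoke every lease past its expiry; returns {role: sql}."""
        now = now or datetime.now(timezone.utc)
        expired = [r for r, lease in self.active.items() if lease.expires_at <= now]
        return {role: self.revoke(role) for role in expired}


def demo():
    """Issue one lease for a PR and watch it survive, then expire."""
    broker = LeaseBroker("app_readonly", ttl=timedelta(minutes=30))
    t0 = datetime(2026, 3, 10, 12, 0, tzinfo=timezone.utc)   # constructed clock
    lease, create_sql = broker.issue("PR-42", now=t0)
    still_live = broker.sweep(now=t0 + timedelta(minutes=29))
    expired = broker.sweep(now=t0 + timedelta(minutes=31))
    return lease, create_sql, still_live, expired, len(broker.active)


if __name__ == "__main__":
    lease, create_sql, still_live, expired, remaining = demo()
    print("issued", lease.role, "until", lease.expires_at.isoformat())
    print("sweep at +29m revoked:", list(still_live))
    print("sweep at +31m revoked:", list(expired))
    print("active leases left:", remaining)
```

The two expiry mechanisms are deliberate: the sweep is what the broker can audit and log, while `VALID UNTIL` is the backstop when the broker is down, which is exactly the failure case a team without a Vault cluster cannot otherwise cover.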

landscape (6 existing solutions)

The primitives exist (BoringSSL, OIDC, DB credential brokers, short-lived STS). The consumer-grade product bundle — 'install this one thing, get dynamic DB creds + OIDC to your cloud + GitHub Actions short-lived tokens, no cluster required' — doesn't. The small-team market is loud and underserved; the big players keep solving it by shipping more complexity.

HashiCorp Vault: The reference implementation, with strong dynamic secrets. Also the textbook example of ops-heavy: Raft, unseal keys, policies, sidecars. Great for 200-engineer companies, impossible for teams of 10.
Infisical: Positioned as a friendlier Vault. Dynamic secrets support is still thin, and the self-hosted story is clunkier than the sales page suggests.
Doppler: Great developer UX for static secrets plus sync to cloud providers. No real dynamic secrets issuance; you still rotate manually.
AWS Secrets Manager / GCP Secret Manager / Azure Key Vault: Built into the cloud; rotation Lambdas exist but are cloud-locked. Multi-cloud teams need glue for each one, and nothing covers GitHub Actions OIDC end-to-end.
External Secrets Operator: Syncs into Kubernetes beautifully. Not a full story for the non-K8s CI/CD path, and doesn't issue dynamic DB creds on its own.
OpenBao (Vault fork): Same operational weight as Vault, just open governance. Doesn't fix the 'teams of 10 can't run this' problem.

sources (4)

other: https://blog.antnsn.dev/2026-p3-secrets-management-mess "secrets management is a solved problem... most teams aren't doing it" (2026-03-10)
other: https://blog.antnsn.dev/2026-p3-secrets-management-mess "Most teams are still passing long-lived tokens into GitHub Actions... OIDC in CI/CD is still underused" (2026-03-10)
other: https://cycode.com/blog/best-secrets-management-tools/ "Rotation is the hard part... where most systems fall apart" (2026-02-20)
other: https://www.strongdm.com/blog/secrets-management "database credentials stored in 4 different locations... sticky note on a monitor in the server room" (2026-03-01)
tags: secrets-management, oidc, dynamic-secrets, small-teams, devsecops