
Public Service Announcement.

While for the other secrets, I’ve got nothing, there is never a reason to have AWS secret keys in your code or in application specific configuration files.

Every AWS SDK will automatically read your keys from your config file in your home directory locally. Just run

  aws configure 
When you run your code on EC2, Lambda or ECS, the same SDKs will automatically get the keys associated with the attached role.



For other non-AWS credentials, just use environment variables.


They have to be set up somewhere, though.


It should be done out of band.

Repo should have a `README` that says the secrets are in the team 1password account, talk to <team member> to get a 1password account, and get added to the group that has access to the vault with the creds.

The repo should have a source script that will pull the credentials[1] and `export` them to your ENV. `direnv` can make that happen automatically[2], or you can run that script from your `.bashrc` or similar.

You can do something similar with your favorite secrets manager. I've used a similar approach before, with good results.

[1] https://support.1password.com/command-line-getting-started/

[2] https://direnv.net/


If you use AWS, “your favorite secrets manager” should be AWS SecretsManager, and you should use an AWS Role to limit access to the secrets.

Have your code fetch any secrets it needs from AWS Secrets Manager, using the name of the secret (which does not have to be kept secret, so it can be in your source repo).

That way, you don’t have to put secrets in your environment, with the risk of leaking them.


For comparison, open source password managers are zero cost, 1Password is fixed cost (even more fixed if one buys the software, instead of the subscription), and in contrast https://aws.amazon.com/secrets-manager/pricing/ is $0.40 per secret per month, plus a tiny but not zero cost per API access.

I'm just pointing out that AWS Secrets Manager is not an automatic, no-brainer win.


SSM Parameter Store (not Secrets Manager) is also “zero cost” and you can have a parameter of type “secret string”.

The other solutions don’t integrate with AWS IAM. Something has to grant access to the password vault. In the case of Secrets Manager/Parameter Store you just grant access to the role attached to your EC2 instance/ECS cluster/Lambda.
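Fetching a secret by name at runtime, as the two comments above describe (Secrets Manager, and SSM Parameter Store with a SecureString parameter), as an added example in Python with boto3. This is not code from any commenter. The secret and parameter names, the sample values and the fake clients are constructed so the module runs offline; the `least_privilege_policy` helper and its ARNs are illustrative, and a real deployment is assumed to run under an IAM role granted only the two read actions shown.

```python
"""Read application secrets by name from AWS Secrets Manager or SSM
Parameter Store. No access keys appear here: the SDK resolves credentials
from the environment, ~/.aws/credentials, or the attached role.
Added example (assumes boto3 is installed when used against real AWS)."""
import json
from typing import Any, Optional


def _secretsmanager_client():
    import boto3  # imported lazily so the module loads without boto3
    return boto3.client("secretsmanager")


def _ssm_client():
    import boto3
    return boto3.client("ssm")


def get_secret(name: str, client: Optional[Any] = None) -> Any:
    """Return a Secrets Manager secret by name (the name is safe to commit).

    JSON-encoded string secrets are decoded to a dict, other strings are
    returned as str, and binary secrets come back as bytes (boto3 has
    already base64-decoded SecretBinary for us).
    """
    client = client or _secretsmanager_client()
    resp = client.get_secret_value(SecretId=name)
    if "SecretString" in resp:
        raw = resp["SecretString"]
        try:
            return json.loads(raw)
        except json.JSONDecodeError:
            return raw
    return resp["SecretBinary"]


def get_parameter(name: str, client: Optional[Any] = None) -> str:
    """Return a SecureString parameter in plaintext.

    WithDecryption=True is required: without it a SecureString parameter
    is returned as ciphertext, which is the failure mode that usually
    shows up as an 'invalid password' at connect time.
    """
    client = client or _ssm_client()
    resp = client.get_parameter(Name=name, WithDecryption=True)
    return resp["Parameter"]["Value"]


def least_privilege_policy(secret_arn: str, parameter_arn: str) -> dict:
    """Illustrative IAM policy document for the role attached to the
    EC2 instance / ECS task / Lambda: read access to exactly the
    resources the app needs, and nothing else."""
    return {
        "Version": "2012-10-17",
        "Statement": [
            {"Effect": "Allow", "Action": "secretsmanager:GetSecretValue",
             "Resource": secret_arn},
            {"Effect": "Allow", "Action": "ssm:GetParameter",
             "Resource": parameter_arn},
        ],
    }


# --- Constructed stand-ins so the example runs offline ------------------

class FakeSecretsClient:
    """Mimics the two response shapes of boto3's get_secret_value."""
    def __init__(self, secrets: dict):
        self._secrets = secrets

    def get_secret_value(self, SecretId: str) -> dict:
        return self._secrets[SecretId]


class FakeSsmClient:
    """Mimics get_parameter, including the no-decryption failure mode."""
    def __init__(self, params: dict):
        self._params = params

    def get_parameter(self, Name: str, WithDecryption: bool = False) -> dict:
        value = self._params[Name] if WithDecryption else "AQICAHh...ciphertext"
        return {"Parameter": {"Name": Name, "Type": "SecureString",
                              "Value": value}}


# Constructed sample secrets; in production these live only in AWS.
SAMPLE_SECRETS = {
    "prod/db": {"SecretString": '{"username": "app", "password": "s3cr3t"}'},
    "prod/tls-key": {"SecretBinary": b"\x30\x82\x04\xa3"},
}
SAMPLE_PARAMS = {"/prod/api-token": "tok-12345"}


if __name__ == "__main__":
    db = get_secret("prod/db", FakeSecretsClient(SAMPLE_SECRETS))
    print("db user:", db["username"])
    print("api token:", get_parameter("/prod/api-token",
                                      FakeSsmClient(SAMPLE_PARAMS)))
```

Against real AWS, drop the `client=` argument and the default clients pick up the role credentials. Keeping the decoded value in memory and passing it to the database driver, rather than exporting it into the environment, is what avoids the leak-through-`ps`/crash-dump/child-process risk the earlier comment mentions.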


$0.40 per secret seems really high. I guess they aren't doing per-user pricing like other platforms, so maybe it would be cost effective for large teams?
