
I just replaced a clunky secrets manager with Mozilla SOPS and secrets-in-code that we keep in git encrypted and can version like any other file. I like this approach better than any alternative I've used so far.


SOPS is only an alternative for Vault's KV store. Even then, it requires a lot of manual plumbing when you have operators and Terraform pushing secrets or keys into Vault KV.

To replace the SSH Sign and Cert Authority or the database engines, both generating short-lived credentials on demand, SOPS will not easily solve the issue.

If you only need a KV store, the SOPS experience is way better than Vault's and the maintenance cost is low.
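One check a team using the encrypted-files-in-git approach from the comments above would want is a pre-commit guard that rejects a secrets file unless it carries SOPS metadata and every leaf value is an ENC[...] envelope. This is an added example, not code from the thread or from the SOPS project; it assumes SOPS's JSON output format and uses a constructed sample document with placeholder ciphertext.

```python
"""Pre-commit guard: refuse a SOPS JSON secrets file that still holds plaintext.
Hypothetical helper, not part of SOPS; assumes SOPS's JSON output format."""
import re

# A leaf value after SOPS encryption: ENC[AES256_GCM,data:..,iv:..,tag:..,type:..]
ENC_RE = re.compile(
    r"^ENC\[AES256_GCM,data:[A-Za-z0-9+/=]+,iv:[A-Za-z0-9+/=]+,"
    r"tag:[A-Za-z0-9+/=]+,type:(str|int|float|bool|comment)\]$"
)

def _leaves(node, path=()):
    """Yield (path, value) for every scalar in a nested JSON document."""
    if isinstance(node, dict):
        for k, v in node.items():
            yield from _leaves(v, path + (str(k),))
    elif isinstance(node, list):
        for i, v in enumerate(node):
            yield from _leaves(v, path + (str(i),))
    else:
        yield path, node

def sops_findings(doc):
    """Return problems found; an empty list means the document is safe to commit."""
    meta = doc.get("sops")
    if not isinstance(meta, dict):
        return ["missing top-level 'sops' metadata: file was never encrypted"]
    findings = []
    if not ENC_RE.match(str(meta.get("mac", ""))):
        findings.append("sops.mac missing or malformed: integrity check impossible")
    suffix = meta.get("unencrypted_suffix", "_unencrypted")
    for path, value in _leaves({k: v for k, v in doc.items() if k != "sops"}):
        if any(p.endswith(suffix) for p in path):
            continue  # author deliberately left this subtree in plaintext
        if not (isinstance(value, str) and ENC_RE.match(value)):
            findings.append("plaintext leaf at " + ".".join(path))
    return findings

# Constructed sample in SOPS's JSON output shape (values are not real ciphertext).
ENCRYPTED_SAMPLE = {
    "db": {"password": "ENC[AES256_GCM,data:Zm9vYmFy,iv:YWJj,tag:ZGVm,type:str]",
           "port": "ENC[AES256_GCM,data:NTQzMg==,iv:YWJj,tag:ZGVm,type:int]"},
    "env_unencrypted": "staging",
    "sops": {"age": [{"recipient": "age1placeholder", "enc": "-----BEGIN AGE ENCRYPTED FILE-----"}],
             "mac": "ENC[AES256_GCM,data:bWFj,iv:YWJj,tag:ZGVm,type:str]",
             "unencrypted_suffix": "_unencrypted", "version": "3.x (constructed)"},
}

if __name__ == "__main__":
    print(sops_findings(ENCRYPTED_SAMPLE), sops_findings({"db": {"password": "hunter2"}}))
```

Wire `sops_findings` into a pre-commit hook over every file under the secrets directory and fail the commit on a non-empty list.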


Step CA can do SSH CA.


SOPS + STEP + Teleport


In case you didn't see it: https://goteleport.com/blog/teleport-oss-switches-to-agpl-v3... and https://github.com/gravitational/teleport/pull/35259

I readily admit it's not the same amount of :fu: as BuSL or whatever the fuck is going on over at Sentry, but still :-( compared to their much friendlier Apache 2


Well, that actually may be a good hint for me for a project I'm working on right now. I just fell off the chair when I realized how Vault charges for Enterprise "clients" (identities). This could be some fresh air.


Their pricing was laughable when we investigated it a couple of years back; I imagine it's only gotten worse since.

When I told them how ridiculously expensive it was for our use-case they suddenly managed to find a ~50% discount for us. That brought it down to just laughably expensive. Needless to say, we stuck with DIY.
