Automation requires credentials that attackers want. Protect them carefully.
Never in code. No passwords or API tokens in Git repositories. Ever.
Environment variables. CI/CD systems inject credentials at runtime. Code references variables, not values.
Secrets managers. HashiCorp Vault and AWS Secrets Manager store credentials securely. Applications retrieve them when needed.
Ansible Vault. Encrypts sensitive files within Ansible projects. Decrypt with a password at runtime.
Access controls. Service accounts with minimum permissions, separate credentials per environment.
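A check that enforces the "never in code" rule before commit, as an added example (not code from the original page): it flags literal credential values while accepting ansible-vault-encrypted files, inline `!vault` values, Jinja variable references, and environment lookups. The key-name list, file paths, and sample contents are assumptions constructed for the illustration.

```python
import re

VAULT_HEADER = "$ANSIBLE_VAULT;"  # first line of a file encrypted by ansible-vault
# Key names that usually hold credentials (heuristic list assumed for this example).
SECRET_KEY = re.compile(
    r"""^\s*-?\s*["']?(?P<key>[\w.-]*(?:password|passwd|secret|token|api_?key)[\w.-]*)"""
    r"""["']?\s*[:=]\s*(?P<value>.*)$""",
    re.IGNORECASE,
)
# Values resolved at runtime (variable, env lookup, inline vault) rather than literals.
REFERENCE = re.compile(r"""^(?:\{\{.*\}\}|\$\{?\w+\}?|!vault\b.*|os\.environ\b.*|os\.getenv\(.*)$""")

SAMPLE_FILES = {  # constructed sample inputs, not from any real project
    "group_vars/prod/vault.yml": "$ANSIBLE_VAULT;1.1;AES256\n<ciphertext omitted>\n",
    "group_vars/prod/vars.yml": 'db_user: app\ndb_password: "{{ vault_db_password }}"\n',
    "group_vars/dev/vars.yml": "db_user: app\ndb_password: constructed-example-value\n",
    "deploy.py": 'import os\nAPI_TOKEN = os.environ["API_TOKEN"]\n',
}


def find_plaintext_secrets(path, text):
    """Return (path, line_number, key) for each literal credential in text."""
    if text.lstrip().startswith(VAULT_HEADER):
        return []  # whole file is vault-encrypted
    findings = []
    for number, line in enumerate(text.splitlines(), start=1):
        if line.lstrip().startswith("#"):
            continue  # skip comment lines
        match = SECRET_KEY.match(line)
        if not match:
            continue
        # Drop a trailing comment and surrounding quotes before classifying the value.
        value = match.group("value").split(" #", 1)[0].strip().strip("\"'")
        if value and not REFERENCE.match(value):
            findings.append((path, number, match.group("key")))
    return findings


def scan(files):
    """Run the check over a mapping of path -> file content."""
    return [hit for path, text in files.items() for hit in find_plaintext_secrets(path, text)]


if __name__ == "__main__":
    for path, number, key in scan(SAMPLE_FILES):
        print(f"{path}:{number}: literal value for {key}")
```

Matching on key names is a heuristic, so keys such as `token_url` will need an allowlist when this runs against a real repository.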