The "better way" for me has been managed identities in Azure. These are Azure Active Directory service principals, which are similar to Group-Managed Service Accounts (gMSA) in Active Directory. They're essentially a platform-managed identity with automatically rotating secrets that the developers never need to know, and sysops don't have to deal with. They can be assigned to VMs or various PaaS services, and then service-to-service access is via standard Azure RBAC, with auditing and everything.

There is nothing to rotate, nothing to put into a "key vault", nothing to worry about leaking out, nothing that could accidentally get pasted into Git, and nothing on that developer's laptop that he left at the airport. You literally say: "I want service A to have read access to service B", and you're done.

Visual Studio automatically injects the developer's personal identity into processes, so that they can access cloud resources during local development, so that's covered too. (For Linux developers, the Azure Identity SDK can pick up the user credentials via the "az" CLI.)

"Making fire with stones to avoid a proprietary lighter." -- /user?id=pjmlp
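What "I want service A to have read access to service B" looks like with the Azure CLI, as an added example that is not part of the comment above: enable the system-assigned managed identity on a VM, read back its principal ID, and grant that principal the data-plane reader role on a storage account. The subscription, resource group, VM and storage account names are placeholders (assumed, not from the page); the dry-run switch only prints the `az` commands so the script can be read and checked without an Azure login.

```shell
#!/bin/sh
# Added example (not the commenter's code). All resource names are hypothetical.
set -eu

SUBSCRIPTION_ID="${SUBSCRIPTION_ID:-00000000-0000-0000-0000-000000000000}"
RESOURCE_GROUP="${RESOURCE_GROUP:-rg-demo}"
VM_NAME="${VM_NAME:-vm-service-a}"        # "service A": the caller
STORAGE_ACCOUNT="${STORAGE_ACCOUNT:-stserviceb}"   # "service B": the resource being read
AZ_DRY_RUN="${AZ_DRY_RUN:-0}"

# Run an az command, or print it instead when AZ_DRY_RUN=1 (lets the script be reviewed offline).
run_az() {
  if [ "$AZ_DRY_RUN" = "1" ]; then
    printf 'az'
    for a in "$@"; do printf ' %s' "$a"; done
    printf '\n'
  else
    az "$@"
  fi
}

# ARM resource ID of a storage account. This is the scope the role assignment is bound to;
# granting at the account (not the resource group or subscription) keeps the grant least-privilege.
storage_scope() {
  printf '/subscriptions/%s/resourceGroups/%s/providers/Microsoft.Storage/storageAccounts/%s' \
    "$1" "$2" "$3"
}

# Step 1: turn on the system-assigned identity and return its AAD principal (object) ID.
# The identity lives and dies with the VM; there is no secret to copy anywhere.
enable_identity() {
  run_az vm identity assign -g "$RESOURCE_GROUP" -n "$VM_NAME" >/dev/null
  run_az vm show -g "$RESOURCE_GROUP" -n "$VM_NAME" --query identity.principalId -o tsv
}

# Step 2: grant that principal read access to blob data. Passing the object ID together with
# --assignee-principal-type avoids the Graph lookup that fails when the caller lacks directory read rights.
grant_blob_read() {
  principal_id="$1"
  run_az role assignment create \
    --assignee-object-id "$principal_id" \
    --assignee-principal-type ServicePrincipal \
    --role "Storage Blob Data Reader" \
    --scope "$(storage_scope "$SUBSCRIPTION_ID" "$RESOURCE_GROUP" "$STORAGE_ACCOUNT")"
}

# Only touch Azure when explicitly asked: ./grant.sh apply
if [ "${1:-}" = "apply" ]; then
  pid="$(enable_identity)"
  grant_blob_read "$pid"
fi
```

After this, code on the VM asks the SDK for a token (e.g. `DefaultAzureCredential` in the Azure Identity libraries) and reads blobs with no connection string in config; on a developer machine the same credential type falls back to the signed-in `az login` user, which is the local-development path the comment describes.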