Environments

Vault separates secrets by environment, ensuring production credentials are isolated and protected.

Environment Hierarchy

Environment    Protection Level    Access
Production     Highest             Admin only, requires approval
Staging        Medium              Team members
Development    Low                 All developers

Setting Environment Secrets

# Same secret name, different values per environment
BrainzLab::Vault.set("database/password", "dev_pass_123",
  environment: :development
)

BrainzLab::Vault.set("database/password", "staging_pass_456",
  environment: :staging
)

BrainzLab::Vault.set("database/password", "prod_pass_789",
  environment: :production
)

Retrieving by Environment

# Explicit environment
password = BrainzLab::Vault.get("database/password",
  environment: :production
)

# Auto-detect from Rails.env
BrainzLab::Vault.configure do |config|
  config.default_environment = Rails.env.to_sym
end

# Now uses current environment automatically
password = BrainzLab::Vault.get("database/password")

Environment Fallback

Configure fallback for missing secrets:

BrainzLab::Vault.configure do |config|
  config.environment_fallback = {
    development: [:staging, :production],
    staging: [:production]
  }
end

# If "api/key" doesn't exist in development,
# check staging, then production
key = BrainzLab::Vault.get("api/key")
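The following is an added, self-contained illustration of how an ordered fallback chain like the one configured above resolves a lookup. It is example code written for this page, not BrainzLab::Vault's implementation: the in-memory store, the FallbackResolver class and its method names are assumptions. Besides the value, it returns the environment the value was actually found in, so a caller can log or alert when a development lookup ends up being served from production.

```ruby
# Added illustration of environment fallback resolution (example code, not
# BrainzLab::Vault's own implementation; class and method names are assumed).
require "set"

class FallbackResolver
  # store:    { environment_symbol => { "secret/name" => "value" } }
  # fallback: { environment_symbol => [ordered fallback environments] },
  #           the same shape as config.environment_fallback above.
  def initialize(store, fallback)
    @store = store
    @fallback = fallback
  end

  # Returns [value, environment_found_in], or nil if the secret exists in
  # none of the environments on the chain. Returning the source environment
  # lets the caller record that a lookup crossed an environment boundary.
  def resolve(name, environment)
    visited = Set.new
    chain(environment).each do |env|
      next unless visited.add?(env)          # skip repeats in a sloppy config
      value = @store.fetch(env, {})[name]
      return [value, env] unless value.nil?
    end
    nil
  end

  # The requested environment first, then its configured fallbacks in order.
  # Production has no fallback entry, so its chain is just [:production].
  def chain(environment)
    [environment] + Array(@fallback[environment])
  end
end

# Constructed sample data mirroring the secrets set earlier on this page.
SAMPLE_STORE = {
  development: { "database/password" => "dev_pass_123" },
  staging:     { "database/password" => "staging_pass_456", "api/key" => "staging_key" },
  production:  { "database/password" => "prod_pass_789",    "api/key" => "prod_key" }
}.freeze

SAMPLE_FALLBACK = {
  development: [:staging, :production],
  staging:     [:production]
}.freeze

RESOLVER = FallbackResolver.new(SAMPLE_STORE, SAMPLE_FALLBACK)

if __FILE__ == $PROGRAM_NAME
  value, env = RESOLVER.resolve("api/key", :development)
  puts "api/key resolved from #{env}: #{value}"   # staging, not development
end
```

With the page's configuration, "api/key" requested from development is served from staging because development has no copy; the same request from production returns nil when production lacks it, since production falls back to nothing.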

Production Protection

Production secrets have additional protection:

Approval Required

# Request access to production secrets
request = BrainzLab::Vault.request_access(
  secrets: ["database/password", "stripe/api_key"],
  environment: :production,
  reason: "Deploying hotfix for payment bug",
  duration: 1.hour
)

# Approver grants access
BrainzLab::Vault.approve_request(request.id)

# Now you can access
password = BrainzLab::Vault.get("database/password",
  environment: :production
)

Break Glass

For emergencies, bypass approval with audit:

# Emergency access (logged and alerted)
password = BrainzLab::Vault.get("database/password",
  environment: :production,
  break_glass: true,
  reason: "Production database outage"
)

Copy Between Environments

# Promote secret from staging to production
BrainzLab::Vault.promote("api/new_key",
  from: :staging,
  to: :production
)

# Copy all secrets for a service
BrainzLab::Vault.copy_prefix("stripe/",
  from: :staging,
  to: :production
)

Environment Comparison

Compare secrets across environments:

diff = BrainzLab::Vault.compare_environments(
  prefix: "database/",
  environments: [:development, :staging, :production]
)

diff.missing_in_production.each do |secret|
  puts "Missing in production: #{secret}"
end

diff.value_differences.each do |secret, envs|
  puts "Different values: #{secret}"
end
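Below is an added, self-contained example of the comparison logic described in this section, written for this page rather than taken from BrainzLab::Vault: the EnvironmentDiff class, its method names and the in-memory store are assumptions. It goes slightly beyond the snippet above in two ways: values are compared by SHA-256 digest so the report can be printed or shipped to a log without containing any secret, and it also flags a secret whose value is identical in two environments, which is the credential-reuse case an environment split is meant to prevent.

```ruby
# Added illustration of an environment comparison (example code, not
# BrainzLab::Vault's own implementation; names below are assumed).
require "digest"

class EnvironmentDiff
  attr_reader :value_differences, :shared_values

  # store: { environment_symbol => { "secret/name" => "value" } }
  def initialize(store, prefix:, environments:)
    @missing = Hash.new { |h, k| h[k] = [] }  # env  => [names absent there]
    @value_differences = {}                   # name => { env => sha256 }
    @shared_values = {}                       # name => [envs with an identical value]

    names = environments.flat_map { |env| store.fetch(env, {}).keys }.uniq.sort
    names.select { |n| n.start_with?(prefix) }.each do |name|
      digests = {}
      environments.each do |env|
        value = store.fetch(env, {})[name]
        if value.nil?
          @missing[env] << name
        else
          digests[env] = Digest::SHA256.hexdigest(value)  # never keep the value
        end
      end
      @value_differences[name] = digests if digests.values.uniq.size > 1
      reused = digests.group_by { |_, d| d }.values
                      .select { |pairs| pairs.size > 1 }
                      .flat_map { |pairs| pairs.map(&:first) }
      @shared_values[name] = reused unless reused.empty?
    end
  end

  def missing_in(env)
    @missing[env]
  end

  # Report lines carry secret names and environments only, no values.
  def report
    lines = []
    @missing.each { |env, names| names.each { |n| lines << "Missing in #{env}: #{n}" } }
    @value_differences.each_key { |n| lines << "Different values: #{n}" }
    @shared_values.each { |n, envs| lines << "Identical value reused in #{envs.join(', ')}: #{n}" }
    lines
  end
end

# Constructed sample data: one secret absent from production, one reused
# unchanged between staging and production, one properly distinct everywhere.
SAMPLE_STORE = {
  development: { "database/password" => "dev_pass_123",     "database/host" => "db.dev.internal",     "api/key" => "dev_key" },
  staging:     { "database/password" => "staging_pass_456", "database/host" => "db.staging.internal", "database/port" => "5432" },
  production:  { "database/password" => "prod_pass_789",    "database/port" => "5432" }
}.freeze

DIFF = EnvironmentDiff.new(SAMPLE_STORE,
  prefix: "database/",
  environments: [:development, :staging, :production]
)

if __FILE__ == $PROGRAM_NAME
  puts DIFF.report
end
```

Only names under the given prefix are considered, so "api/key" in the sample store never appears in the report.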

Environment-Specific Access

Control who can access each environment:

BrainzLab::Vault.set_environment_access(:production,
  roles: [:admin, :senior_engineer],
  require_approval: true,
  mfa_required: true
)

BrainzLab::Vault.set_environment_access(:development,
  roles: [:developer, :intern],
  require_approval: false
)