How Coactive AI Made Secrets Management a Non-Issue for Compliance, DevOps, and Engineering
After adopting Infisical early, Coactive AI has no operational burden from secrets management and DevOps spends no meaningful time on it.
My experience as a user has been really surprisingly seamless relative to other tools. It just does the thing we need to get done, all the time. That helps us focus on other things. It helps us be less frustrated at work.— Ross Morrow, Principal Engineer, Coactive AI
The challenge: secrets scattered across environments with no Kubernetes-native path
Ross Morrow joined Coactive AI to lead infrastructure. At the time, the team managed secrets through AWS Secrets Manager with a set of custom integrations for consuming secrets locally, in EC2, and in ECS. The setup “worked” in the sense that secrets ended up in the right place. But it was not an efficient way to manage secrets: manual scripts and JSON manifests containing secret references made centralization impossible and turned what could have been automated into manual workflows.
As Coactive AI moved more of its compute orchestration onto Kubernetes and toward a model in which developers owned their own deployments, the setup became unsustainable.
AWS Secrets Manager had structural friction that made that model hard to sustain:
- Limited auditing
- No easy way to move between secret versions
- No native trigger to restart a deployment when a secret changed
- Inspecting state across multiple environments required a context switch every time
- The External Secrets Operator had a history of maintainer uncertainty
"Secrets Manager is kind of a clunky thing that doesn't have great auditing, and it's hard to move between versions," Morrow said. "Inspecting secrets across all our different environments took a lot of time."
The team needed a single tool across environments, deep Kubernetes integration, and cloud-agnostic portability. But they didn’t want the overhead that comes with operating HashiCorp Vault, which often requires multiple full-time engineers by itself. “I wanted a lot of good security features, native Kubernetes integration in a cloud-agnostic way, and I didn't want to run much ourselves," he said. He also highlighted that Infisical’s Kubernetes integration was lightweight, well-designed, and required minimal setup for a lot of functionality. Kubernetes was a crucial part of Coactive AI’s stack, so Infisical felt like the obvious choice.
The solution: adopt the right tool before you need it to be right
The decision to use Infisical was shaped by experience with the alternatives. Ross Morrow had experience in companies that suffered secrets incidents and didn’t want to have to rebuild security infrastructure at a moment’s notice ever again.
As he put it: “I know at some point something will come up. And I want to already be in a position where I can show people how to do the rollback."
He knew that getting the foundation right early would mean avoiding painful migrations later. "I tend to adopt things that solve a few really hard problems first and have a lot of other doors we can walk through,” he said. Infisical fit that description: it solved the immediate problem of centralizing secrets management and also offered advanced capabilities the team might need in the future.
“We know we have a tool that solves the harder problem of centralized, multi-cluster secrets management. We know we can get approval policies and roll back secrets. That's what we needed."
Morrow brought Infisical in from day one and stood it up across the team's Kubernetes clusters. A Databricks integration also became an active part of the setup early, with Databricks secret scopes backed directly by Infisical so data workloads pull from the same centralized store as everything else.
Ross also makes extensive use of tagging and user profile conventions. These may sound like minor features, but Coactive AI was growing quickly, and unstructured growth tends to produce confusion and duplicate secrets. The organizational structure around tagging and permissioning became an important mechanism for heading off those problems. As he frequently tells engineers: "Sometimes you come in and say, hey, I know you don't understand this right now, but it's going to save you a lot of time later if you tag your values."
The results: 42 projects, two years, and almost no secrets incidents
Two years in, Coactive runs 42 projects in Infisical, but not all of those require DevOps’ or an admin’s attention. Ross set up the initial project structure and touched around ten of those projects. Developers built the rest, working from Ross’s organizing principles.
Time spent on secrets as an infrastructure problem is nearly zero. "With my prior experience, infrastructure engineers easily spent some hours a week futzing around with secrets: pulling values, passing them around, checking things," Morrow said. "I feel like we do none of that."
A recent migration showed how much easier Infisical made secrets management. Some secrets in pre-production environments were misconfigured. Diagnosing and fixing that through AWS Secrets Manager and the External Secrets Operator would have been a roadblock. Instead, Morrow describes a routine update: “I was in a deploy process, I saw something wasn't working in staging, I saw what was wrong, and just updated it. It wasn't a big deal."
Secret versioning has enabled engineers to fix problems without needing Ross. When a developer sees a service fail because of a wrong secret, they often look at the change log, revert the value, and move on. "I don't have to get involved," Ross said.
Infisical also came up in a SOC 2 audit. Auditors flagged secrets management as an area of interest, and Infisical kept it from becoming a major obstacle. The team could point directly to the tool: “We do have this, we have this tool. That's going to be an easy problem to solve.” That sped up that area of the audit.
Almost nobody on the engineering team complains about secrets tooling. "I don't think there's a lot of feedback, but a lot of developers have access. A lack of feedback is good." Even with Kubernetes, dozens of engineers, and 42 projects, secrets management creates zero friction in engineering.
Coactive AI’s recent growth is making access controls and approval workflows more important. Because they chose Infisical early, this is a minor administrative task that doesn’t require custom development, migration, or rearchitecting. "By adopting the tool early that can already do it, we can do it," Morrow said. "We just need to do the bookkeeping."
Key outcomes
- Secrets management that runs in the background. Infisical is always open in a tab, but engineering almost never needs to manually interact with it. Twenty-four engineers manage 42 projects with minimal involvement.
- Migration issues resolved in minutes, not hours. A recent large migration left some pre-production secrets misconfigured. What would normally have been an obstacle took a single UI update.
- Secret rollback without escalation. When a developer's change breaks a service, the team finds the change in the log and reverts instead of paging DevOps.
- SOC 2 audit became a non-issue. Auditors flagged secrets management for review, but were satisfied when the team showed them Infisical.
- Nearly two years of uptime. No meaningful downtime since adoption.
- Room to grow into stricter governance. Approval workflows, access request flows, and secret rotation are available when the team is ready. No migration needed to get there.