How Teamworks Centralized Secrets So the Team Can Rotate Once and Update Everywhere

At Teamworks, secrets lived all over the place. All the typical places you'd expect to see sprawl, with no single way to manage them or trace a value back to its consumers.

The deeper problem was what the sprawl did to how the team worked with secrets in the first place. As Angelo Pace, Sr. Engineering Manager, Platform Engineering at Teamworks, put it, "There was little time spent on secrets management because nobody had the confidence to actually manage secrets properly. It was mostly set it and forget it because we're terrified of rotating this. If we do, we don't know all the downstream effects."

GitLab's premium tier caps group access token lifetime at 11 months, so long-lived tokens weren't an option. When a rotation came due, the team had to push values to the root level of GitLab so every project could inherit them, because there was no good way to know which projects needed which secrets.

That created a second problem. Teams would override values at the group or project level, sometimes intentionally, sometimes not. The top-level rotation wouldn't propagate, an app would start failing, and Angelo's team would spend hours chasing down why one service was running on an old value while the rest had moved on.

Angelo and his two staff engineers came from a cloud consulting background. They'd spent years on deployment work and knew what they didn't want: a methodology to build on top of. They wanted a product that shipped with integrations, UI, and developer experience already in the box.

Infisical had been on Angelo's radar for years. He'd been following the project since launch, running the open source tier in home-lab environments and keeping up with the docs. When he joined Teamworks and saw the same sprawl pattern he'd watched other teams struggle with, Infisical was the natural solution to try.

The POC for Infisical ran about three weeks. The test was simple: does it do what it says on the box? The integrations that mattered most were:

The capability that made Infisical the choice was the sync pattern. Rather than asking every app team to change how they pull secrets, Infisical syncs from a central location down into the tools they're already using.

That meant the rollout could happen in two phases:

In Angelo's words, "It's very simple to basically say, look, you're just not going to go into the GitLab UI anymore and manage your secrets. You're going to put them in Infisical and then we're just going to sync them right back down into the same place that they were. That requires very little effort on their part to start adopting the platform."

For a platform team driving adoption across teams of developers, that was the difference between a migration that stalls and one that actually moves.

With Infisical in place, the operational drag that came with managing secrets by hand started to disappear for the teams already onboarded. Rotations that used to require troubleshooting sessions and hunting across GitLab now take seconds.

Angelo's own example captures the shift. Building a new Slackbot, he needed to set up a project and drop in the secrets it required. "It takes me five minutes to go set up a project in Infisical and put some secrets in there," he said. "Probably saved me as an individual developer in this case an hour of going and dropping secrets into a bunch of different locations. And then if I have to rotate them, it takes 30 seconds to log into the UI and do it."

The rollout's value got tested the hard way not long after Infisical was in place. When the Trivy supply chain compromise hit, the teams that had integrated Infisical were insulated. One rotation in the UI, synced down to every consumer, done.

For the apps that hadn't been onboarded yet, it was a different story. As Angelo described it, "We probably spent 40, 50 hours rotating secrets for all the apps that hadn't been integrated yet. It was an absolute mess."

That contrast became the team's internal motivator. In Angelo's words, "That's actually been the biggest motivator for working with teams to get that converted over. I was like, guys, this would have been very straightforward. I just go rotate this value in Infisical and it gets populated down and we're done."

The other shift is in the volume of secrets-related requests the Platform Engineering team has to field. Once a developer is onboarded to Infisical, the workflow is self-explanatory enough that they don't need to ping the platform team to figure out where a secret lives or how to update it.

Angelo's estimate: the platform team saves roughly 10 to 15 hours a week on secrets-related questions and troubleshooting across the organization. "More interesting is that it saves us from even having to ask those questions of people in the first place," he said. "Once they're on board in Infisical, it's very straightforward about how you manage your secrets and deploy them. It cuts down on the volume of requests we get for sure."

When secrets are scattered across GitLab, AWS, GCP, and every other tool your team touches, the real cost isn't the sprawl itself. It's the confidence gap it creates, the rotations that never happen, and the hours your platform team burns chasing down which app is running on which version of which secret.

Infisical gives platform and security teams a single place to manage secrets, sync them to where they're already being consumed, and rotate them without breaking production. Want to see how it would work in your environment? Get a demo of Infisical.