cosign
Storing VAULT_TOKEN as environment variable - security concern?
I've been looking into using Cosign with Hashicorp Vault to avoid generating & storing keys locally or as Kubernetes secrets. Whilst digging into this, I've become aware that I would need to store the token for Vault as an environment variable "VAULT_TOKEN", as detailed here.
From previous research and conversation with colleagues, it is my understanding that storing secrets in environment variables is not considered to be a secure practice, given that there are situations whereby logs and traces could include them, or they could be exposed via container inspection commands etc.
Kubernetes offers the alternative to mount secrets as permissioned files, so I was wondering if Cosign would be able to handle this? I've seen the Vault CLI (and Terraform) can use a token from ~/.vault-token, as documented here.
Or perhaps my security concerns aren't valid - happy to hear why not if that's the case.
Thanks!
Matt
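One way to act on the concern raised above, as an added example that is not part of the original post or of the Cosign project: read the Vault token from a permissioned file (a mounted Kubernetes secret or ~/.vault-token), refuse files that are group- or world-readable, and hand the token only to the short-lived cosign child process rather than exporting it in the calling shell. The mount path and the `hashivault://` key reference are assumptions for illustration.

```python
import os
import stat
import subprocess
from pathlib import Path

# Assumed locations: a Kubernetes secret mounted as a file, or the Vault CLI's ~/.vault-token.
DEFAULT_TOKEN_PATHS = (
    "/var/run/secrets/vault/token",
    os.path.expanduser("~/.vault-token"),
)


def load_vault_token(path):
    """Read a Vault token from a file rather than the shell environment.

    Rejects anything that is not a regular file owned with 0600-style permissions,
    so a mis-mounted or over-shared secret is caught before the token is used.
    """
    p = Path(path)
    st = p.stat()
    if not stat.S_ISREG(st.st_mode):
        raise ValueError(f"{p} is not a regular file")
    if st.st_mode & (stat.S_IRWXG | stat.S_IRWXO):
        raise PermissionError(
            f"{p} is group/world accessible (mode {stat.S_IMODE(st.st_mode):o})"
        )
    token = p.read_text(encoding="utf-8").strip()
    if not token:
        raise ValueError(f"{p} is empty")
    return token


def child_env_with_token(token, base_env=None):
    """Return a copy of the environment with VAULT_TOKEN set for one child process.

    The caller's own environment is left untouched, so the token is never
    exported into the interactive shell, its history, or `env` output; only the
    cosign process started with this mapping can see it.
    """
    env = dict(os.environ if base_env is None else base_env)
    env["VAULT_TOKEN"] = token
    return env


def cosign_sign_with_vault(image, key_ref, token_path=DEFAULT_TOKEN_PATHS[0]):
    """Run `cosign sign` with a Vault-held key, passing the token via the child env only."""
    token = load_vault_token(token_path)
    cmd = ["cosign", "sign", "--key", key_ref, image]  # e.g. key_ref="hashivault://signing-key" (assumed)
    return subprocess.run(cmd, env=child_env_with_token(token), check=True)
```

This narrows exposure to the lifetime of the cosign process; it does not remove the token from that process's own /proc environment, so the file mount is still the primary control.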