How do you securely handle secrets in a shell script (avoid hardcoding, use env or a vault)? [Advanced]
Answer
I avoid hardcoding secrets in shell scripts. Instead, I obtain them at runtime from a secret manager or a short-lived workload identity, or pass them in through protected environment variables, files with strict permissions, or CI credential binding, and I make sure logs, CI output and xtrace never expose them.
Technical explanation
Secrets must never be committed to Git, echoed to stdout/stderr, or left in CI logs; once a value has been printed it should be treated as compromised and rotated.
Prefer workload identity, OIDC, IAM roles, Vault, AWS Secrets Manager, or Kubernetes Secrets populated by an external secrets operator over static long-lived tokens, so that whatever the script holds expires quickly and is scoped to one workload.
Turn tracing off (set +x) around any line that expands a secret, because xtrace prints every expanded command to stderr. Pass secrets through the environment, stdin, or a mode-0600 file rather than as command-line arguments: argv is visible to every user on the host through ps and /proc/<pid>/cmdline, whereas a process's environment is readable only by the same user and root.
Hands-on example
#!/usr/bin/env bash
set -euo pipefail
{ set +x; } 2>/dev/null   # stop tracing before the secret exists; the braces keep the 'set +x' line itself out of the trace
# The Vault CLI authenticates from VAULT_ADDR/VAULT_TOKEN or a prior workload login, not from anything in this script
password=$(vault kv get -field=password secret/prod/db)
export PGPASSWORD="$password"   # environment, not argv: argv is visible to every user via ps
psql -h db.example.com -U app -c 'select 1'
unset PGPASSWORD password       # drop the value as soon as the client no longer needs it
set -x # only if debugging is safe afterward
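The hands-on example above assumes the secret comes from Vault. The script below is an added example, not code from the original page, covering the file-based case from the technical explanation: it refuses a secret file that group or other can read, keeps tracing off while the value is printed, and scrubs the value out of a log line before the line is written. The helper names, the temporary directory, the secret value and the sample log line in main are all constructed for the demonstration.

```shell
#!/usr/bin/env bash
# Added example, not the page's own code: helpers for a script that must read a
# secret from a file, keep it out of xtrace output, and scrub it from log lines.
# The temp directory, secret value and sample log line in main() are constructed.
set -eu

# Octal permission bits of a file (GNU stat first, BSD stat as fallback).
file_mode() {
  stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

# Print the first line of a secret file. Refuses files that group or other can
# read and turns xtrace off while the value is in flight. Capture the result as
# pw=$(read_secret_file path) inside a region where tracing is already off,
# because bash traces an assignment together with its expanded value.
read_secret_file() {
  path=$1
  [ -f "$path" ] || { echo "secret file missing: $path" >&2; return 1; }
  mode=$(file_mode "$path")
  # The leading 0 makes the shell parse the mode as octal; 077 masks the
  # group/other bits, so 600 and 400 pass while 640 and 644 are refused.
  if [ $(( 0$mode & 077 )) -ne 0 ]; then
    echo "refusing $path: mode $mode is readable by group/other" >&2
    return 1
  fi
  IFS= read -r value < "$path" || true   # read exits 1 on a missing final newline but still assigns
  [ -n "$value" ] || { echo "empty secret in $path" >&2; return 1; }
  case $- in *x*) had_x=1 ;; *) had_x=0 ;; esac
  { set +x; } 2>/dev/null   # braces keep the 'set +x' line itself out of the trace
  printf '%s' "$value"      # with tracing on, this line would echo the value to stderr
  unset value
  if [ "$had_x" -eq 1 ]; then set -x; fi
}

# Replace every occurrence of $2 in the line $1 with [REDACTED]. The secret is
# handed to awk through the environment rather than as a -v value or a regex,
# so backslashes and regex metacharacters in it are matched literally.
redact() {
  line=$1
  [ -n "$2" ] || { printf '%s\n' "$line"; return 0; }
  printf '%s\n' "$line" | SECRET="$2" awk '
    BEGIN { s = ENVIRON["SECRET"] }
    {
      out = ""; rest = $0
      while ((i = index(rest, s)) > 0) {
        out = out substr(rest, 1, i - 1) "[REDACTED]"
        rest = substr(rest, i + length(s))
      }
      print out rest
    }'
}

main() {
  # Constructed fixtures: one correctly protected secret file, one world-readable.
  dir=$(mktemp -d)
  trap 'rm -rf "$dir"' EXIT
  printf 's3cr3t\n' > "$dir/db.pw";    chmod 600 "$dir/db.pw"
  printf 'leaky\n'  > "$dir/world.pw"; chmod 644 "$dir/world.pw"

  pw=$(read_secret_file "$dir/db.pw")
  echo "loaded ${#pw} bytes from db.pw"            # report the length, never the value
  read_secret_file "$dir/world.pw" >/dev/null || echo "world.pw rejected as expected"
  # Constructed log line: the secret is scrubbed before the line reaches a log sink.
  redact "2024-01-01T00:00:00Z psql: connecting with password=$pw to db" "$pw"
  unset pw
}

main
```

Capturing the secret with $(...) keeps it off argv and out of the trace, but it still lives in the script's memory and in the environment of any child that inherits it, so unset it as soon as the client call has returned, exactly as the Vault example does with PGPASSWORD.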
More Scripting (Bash, Groovy) interview questions
- What is the purpose of the shebang line, and what does #!/bin/bash do? [Basic]
- What is the difference between sh and bash? [Basic]
- How do you make a script executable and run it? [Basic]
- What is the difference between running a script with ./script.sh, bash script.sh, and source script.sh? [Basic]
- What does sourcing a script do differently from executing it? [Basic]
- How do you declare a variable in Bash, and why are spaces around = not allowed? [Basic]
- What is the difference between $var and ${var}? [Basic]
- What is the difference between single quotes and double quotes in Bash? [Basic]