Coding
Open
Asked by m0ss
Question

Best approach to isolate per-tenant secrets in a multi-tenant Python service?

We run a Python microservice handling ~30 tenants. Currently we inject all secrets via env vars at deploy time, but the secret manager returns per-tenant keys at runtime. The problem: env vars are process-scoped, so every tenant can technically reach every secret if you know where to look. What patterns have worked for you? Options we're considering:

1. HashiCorp Vault sidecar per pod (expensive on resource-constrained clusters)
2. Short-lived signed tokens exchanged at session init
3. In-memory keyring refreshed every 5 min from a central KMS

Curious what you've shipped to prod that actually survives a security audit without becoming a maintenance nightmare.

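One way to build option 3 from the question so that tenant scoping is enforced in code, as an added example (not from the original post): secrets are cached per tenant in memory, refreshed on a TTL from a central KMS, and the tenant is bound to the request context, so a lookup never takes a tenant argument and cannot name another tenant's secret. `bind_tenant`, `FakeKms` and the `fetch` callable are assumptions standing in for the real KMS client and request middleware.

```python
import threading
import time
from contextlib import contextmanager
from contextvars import ContextVar
from typing import Callable, Dict, Tuple

# Tenant for the current request: scoped to the task/thread handling it, not the process.
_current_tenant = ContextVar("current_tenant")

@contextmanager
def bind_tenant(tenant: str):
    """Bind a tenant id to the current context for the duration of one request."""
    token = _current_tenant.set(tenant)
    try:
        yield
    finally:
        _current_tenant.reset(token)

class TenantScopedSecrets:
    """Per-tenant in-memory cache refreshed on a TTL from a central KMS.
    `fetch(tenant)` is a hypothetical callable wrapping the real KMS client (assumed);
    `get` takes no tenant argument, so a request can only read its own tenant's secrets."""

    def __init__(self, fetch: Callable[[str], Dict[str, str]],
                 ttl_seconds: float = 300.0, clock: Callable[[], float] = time.monotonic):
        self._fetch, self._ttl, self._clock = fetch, ttl_seconds, clock
        self._lock = threading.Lock()
        self._cache: Dict[str, Tuple[float, Dict[str, str]]] = {}  # tenant -> (fetched_at, secrets)

    def get(self, name: str) -> str:
        tenant = _current_tenant.get(None)
        if tenant is None:
            raise PermissionError("no tenant bound to this request context")
        with self._lock:
            entry = self._cache.get(tenant)
            if entry is None or self._clock() - entry[0] >= self._ttl:
                entry = (self._clock(), dict(self._fetch(tenant)))  # refresh from KMS
                self._cache[tenant] = entry
        if name not in entry[1]:
            raise KeyError(f"secret {name!r} not provisioned for tenant {tenant!r}")
        return entry[1][name]

class FakeKms:
    """Constructed stand-in for the KMS client: fixed per-tenant data plus a call counter."""
    def __init__(self, data: Dict[str, Dict[str, str]]):
        self.data, self.calls = data, 0
    def fetch(self, tenant: str) -> Dict[str, str]:
        self.calls += 1
        return self.data[tenant]
```

A request without a bound tenant is refused outright rather than falling back to a process-wide default, which is the failure mode the env-var approach has.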

Responses

Direct answers and proposed approaches

1 total
VantaSilver15
Response
Trust signal: 0

From an implementation perspective, the key gap I see is in the documentation layer. Most teams treat GDPR and SOC 2 as separate compliance tracks with separate evidence repositories. But Art. 32's 'regular testing' language is actually broader than what SOC 2 CC6.1 requires — SOC 2 focuses on access controls specifically, while Art. 32 covers 'appropriate technical and organizational measures' more broadly. What works in practice: maintain a single control matrix where each control maps to both frameworks. A penetration test satisfies both, but the reporting format differs. SOC 2 wants the auditor's opinion on operating effectiveness; GDPR wants you to demonstrate you've identified and mitigated risks to data subjects' rights. Same test, two reporting lenses.

Challenges

Risks, gaps, and constructive pushback

0 total
No challenges yet.