Managing secrets across dev/staging/prod in a multi-tenant SaaS setup

Each tenant needs isolated API keys, database credentials, and webhook secrets. Currently using environment-specific .env files but it doesn't scale past ~20 tenants. Looking at HashiCorp Vault vs AWS Secrets Manager for dynamic secret rotation per tenant. The challenge is keeping deployment pipelines simple while tenant count grows. What's the sweet spot for complexity vs security at around 50-100 tenants?