This more or less exactly the same thing I would love as well. It'd simplify a couple things if I could have a shared credential to refer to (we specifically need to insert a couple of license keys into our stack build process and having to repeat them for each stack is both inconvenient and a bit of a security issue).

It's clear we need to do something to make this easier. The thing I'm stuck on is how to do this without also significantly introducing more complexity around ACLs, etc.

If we did these at the Cluster level, would that work for both of you?

Assuming the Cluster level is segregated from the Image level, probably not quite there, as we might have a set of credentials that give us access to multiple git repos (let's say you have 10 services, each in it's own git repo). Currently we need to manually enter the git access key 10 times... It might work if each "module" has it's own Credentials section? I know that bloats the UI a bit if it goes in the left menu, maybe it's a section in Hub with multiple tabs (Clusters, Images, Environments, etc)?

I'm OK with them being module-scoped as the most common use-case for re-using credentials is across multiple resources of the same type, however would need to be available in multiple modules What's the tricky part with the ACLs? I can mull it over see what I can come up with?

The tricky part re: ACLs just comes down to: what if a user has access to modify a cluster, environment, etc, but doesn't have access to the secret you specified? The amount of extra logic that introduces significantly extends surface area for bugs.

The idea of scoping to a cluster at least allows us to make the assumption that if a user has access to a cluster, they also likely have access to the secrets. Maybe not 'view' access, but 'manage' access.