Currently in our team, we are studying using gopass, given that it is backward compatible with pass, but supports multiple PGP recipients and multiple mounts, which would allow, for example, a personal mount and a per-project mount to share secrets using one git repository per context.
Of course, the main issue there, as they tell themselves to theirs users is that, given that it works with a git repository, if a PGP recipient is excluded from a set of secrets, there is a need to remember to change each service password, given that the removed recipient could have a full copy of the commits which would allow to access old secrets by using old commits, even if in the most recent commit excluded such PGP recipient - just check this link's git history and local files section. So in such scenario, the system admin must remember to change each and every shared secret in that repository and in the services themselves. Of course, it should be a standard security policy in any team, but who did ever forget to change a vital secret in such situation?
This comment is based in sharing secrets more permanently. If I misunderstood your proposition, please correct me.
We're a place where coders share, stay up-to-date and grow their careers.
We strive for transparency and don't collect excess data.