simpleinfra
Secret management
Managing secrets is hard! Some thoughts:
- A master list of what secrets are needed is a nice-to-have
- Comments on what each secret is and how it's generated is also a nice-to-have
- Ability to run in dev with "dummy" secrets is a nice-to-have
As an example rust-central-station has a toml file with a program to parse toml on the command line. This file is just stored on the machine itself and filled in manually. Adding new secrets is sorta painful.
Unsure how to best handle this!
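To make the three nice-to-haves above concrete, here is an added example (not rust-central-station's tooling, and not code from this thread) of a tiny secrets loader for a flat `key = "value"` TOML-style file. The master list `REQUIRED_SECRETS`, the secret names, the file contents and the `dummy-` prefix convention are all constructed for illustration: the loader keeps one list of required secrets with a comment on how each is generated, reports which ones are missing or unexpected, and in dev mode fills the gaps with obviously fake values instead of failing.

```python
"""Added example: a minimal secrets loader for a flat TOML-style file.

Supports only `key = "value"` lines with optional `# comment` trailers, which is
enough to show the idea; a real deployment would use a full TOML parser.
"""
import re

# Master list of required secrets (constructed names) with a note on what each
# is and how it is generated. This is the "what secrets are needed" inventory.
REQUIRED_SECRETS = {
    "github_webhook_secret": "random token; generate with `python -c "
                             "'import secrets; print(secrets.token_hex(32))'`",
    "smtp_password": "issued by the mail provider's control panel",
}

# key = "value"   # optional trailing comment; value may contain \" escapes
LINE_RE = re.compile(
    r'^\s*([A-Za-z0-9_.-]+)\s*=\s*"((?:[^"\\]|\\.)*)"\s*(?:#.*)?$'
)


def parse_flat_toml(text):
    """Parse `key = "value"` lines; blank lines and comment lines are skipped.

    Raises ValueError on any line that is not in the supported subset, so a
    typo in the secrets file fails loudly rather than silently dropping a key.
    """
    found = {}
    for lineno, line in enumerate(text.splitlines(), start=1):
        stripped = line.strip()
        if not stripped or stripped.startswith("#"):
            continue
        match = LINE_RE.match(line)
        if match is None:
            raise ValueError(f"line {lineno}: unsupported syntax: {line!r}")
        key, raw_value = match.group(1), match.group(2)
        # Undo backslash escapes such as \" inside the quoted value.
        found[key] = re.sub(r"\\(.)", r"\1", raw_value)
    return found


def missing_secrets(found):
    """Names on the master list that are absent from the parsed file."""
    return sorted(name for name in REQUIRED_SECRETS if name not in found)


def unexpected_secrets(found):
    """Keys present in the file but not on the master list (likely stale)."""
    return sorted(name for name in found if name not in REQUIRED_SECRETS)


def load_secrets(text, dev_mode=False):
    """Return a complete dict of secrets.

    In production every required secret must be present. In dev mode each
    missing secret is replaced by an obviously fake `dummy-<name>` value so the
    service can start without real credentials on a developer machine.
    """
    found = parse_flat_toml(text)
    missing = missing_secrets(found)
    if missing and not dev_mode:
        details = "; ".join(f"{n}: {REQUIRED_SECRETS[n]}" for n in missing)
        raise KeyError(f"missing secrets: {details}")
    for name in missing:
        found[name] = f"dummy-{name}"
    return found


# Constructed sample file: one secret present, one deliberately missing.
SAMPLE_FILE = """
# constructed sample secrets file
github_webhook_secret = "0123abcd"  # generated with secrets.token_hex
# smtp_password intentionally left out to show the missing-secret check
"""

if __name__ == "__main__":
    parsed = parse_flat_toml(SAMPLE_FILE)
    print("missing:", missing_secrets(parsed))
    print("dev mode:", load_secrets(SAMPLE_FILE, dev_mode=True))
```

Running the block as a script prints the missing secret and the dev-mode dict; calling `load_secrets(SAMPLE_FILE)` without `dev_mode` raises `KeyError` with the generation hint for each missing secret, which is the point of keeping the comment on the master list rather than only in the file on the machine.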
Current plan is to maintain the status quo, at least until we can talk to the security people at infra meeting next week - my idea of secret management is basically https://github.com/StackExchange/blackbox, but I'm not sure if that's acceptable if it's a public repo.
Oh, and there are two high level questions - how to store the secrets, and how to expose them to the application.
Blackbox covers mostly the former (with a little bit of the latter, in that you just read them from disk), Docker secrets (https://docs.docker.com/engine/swarm/secrets/#simple-example-get-started-with-secrets) covers just the latter.
In an AWS environment I can suggest:
- secrets manager
- hashicorp's vault deployment.
This issue is a bit old :sweat_smile:
Terraform secrets are already stored in AWS Parameter Store, which (as far as I understand) is mostly equivalent to Secrets Manager if you don't need secrets rotation. For Ansible at the moment we store them in our 1Password account, but I'll probably look into migrating them to Parameter Store/Secrets Manager in the future.
Oh didn't take a look at the times. Gotcha!