[Guide Wishlist] How to store secrets with AWS
Storing secrets is one of the things you want to get really right. It'd be great if there was a Buildkite walkthrough for using AWS Secrets Manager for 1 or more projects (with Buildkite).
At the moment, this feels like one of those large surface areas that you just kind of have to know how to manage everything. Seeing as BK doesn't have its own secrets store, it makes sense to write a guide that covers an often used approach (at least, I think that's what BK does internally?).
Other things this could touch:
- AWS Instance profiles, managed via Elastic stack. (How do we (ideally) give Buildkite access to AWS??)
Thoughts?
A walkthrough would be neat. Frankly, at present we are still figuring out best practices on this front, especially when it comes to Secrets Manager vs Parameter Store. Currently Elastic Stack is still using S3 secrets, which isn't best practice any more.
We're also super keen to provide our own secrets store at some point!
Forgot to mention: Because pipelines aren't something that is created every day, it can be really difficult to know if the way you do something could be better, or more secure. I think a lot of the value in a guide like this is knowing that it had passed @buildkite/team review. 👍