gregberns/gist:b197a36e5a7e5cd0e9da965511b355cb

## gistfile1.txt
Notes from 2019-04-24 PHX DevOps meetup

Managing Secrets

NoDramaDevOps.com Blog

Platform Identity
* Can give a VM a service account which has rights to access

* Use short term credentials to talk between services.
  * For external services - the internal service can go to the vault to request secret

* Use a "Source Vault" during the CI phase, and a "Target Vault" in Prod
* 1) distribute artifacts, then secrets, then update deployment  descriptor 2) Runtime updates (starts containers)

Process to take secrets from a SourceVault, and then make a copy of them into the target runtime env
This ensures that the Application doesn't have to have direct access to the SourceRepository

(How in DEV can we prevent the reading of secrets for PROD (in our ))
***Secret Policy management? ***


Distributing Secrets tools:
* Mozilla "sops"
* SegmentIO's "Chamber"
* Kamus

Anti-Pattern
-> Multiple Applications pointing at a single service

***A Secret Per Service Deploy***
***Versioning Secrets***

Deploy secret everytime the Application is deployed - invlude SHA/version in the name of the secret
1) Application gets short term permissions/creds from platform (169 IP)
2) Asks Vault to for creds

**(Note - in logs, log the length of the secret)

Using an API through which to request secrets may help with policy management.
* Env - Prevent Dev from getting Prod secrets
* Restrict application access
* A secret per deploy
* Versioning Secrets

Other notes/thoughts:
* Audit the usage of secrets
  * higher than normal use of secrets
  * Is AppA using AppB's secret
* Look at SOPS tool
* Could look at using Source/Target in compose to "translate" from source location to target location
* Write script to create secret put it in SQLServer and LastPass at once
* secrets monitoring -  no auth plugin for auth managemnet
  * EE has this
  * TwistLog, AquaSec - container security tooling

KMS - what compute instances can access a key

Cognito
Okta
	Notes from 2019-04-24 PHX DevOps meetup

	Managing Secrets

	NoDramaDevOps.com Blog

	Platform Identity
	* Can give a VM a service account which has rights to access

	* Use short term credentials to talk between services.
	* For external services - the internal service can go to the vault to request secret

	* Use a "Source Vault" during the CI phase, and a "Target Vault" in Prod
	* 1) distribute artifacts, then secrets, then update deployment descriptor 2) Runtime updates (starts containers)

	Process to take secrets from a SourceVault, and then make a copy of them into the target runtime env
	This ensures that the Application doesn't have to have direct access to the SourceRepository

	(How in DEV can we prevent the reading of secrets for PROD (in our ))
	*Secret Policy management? *


	Distributing Secrets tools:
	* Mozilla "sops"
	* SegmentIO's "Chamber"
	* Kamus

	Anti-Pattern
	-> Multiple Applications pointing at a single service

	*A Secret Per Service Deploy*
	*Versioning Secrets*

	Deploy secret everytime the Application is deployed - invlude SHA/version in the name of the secret
	1) Application gets short term permissions/creds from platform (169 IP)
	2) Asks Vault to for creds

	**(Note - in logs, log the length of the secret)

	Using an API through which to request secrets may help with policy management.
	* Env - Prevent Dev from getting Prod secrets
	* Restrict application access
	* A secret per deploy
	* Versioning Secrets

	Other notes/thoughts:
	* Audit the usage of secrets
	* higher than normal use of secrets
	* Is AppA using AppB's secret
	* Look at SOPS tool
	* Could look at using Source/Target in compose to "translate" from source location to target location
	* Write script to create secret put it in SQLServer and LastPass at once
	* secrets monitoring - no auth plugin for auth managemnet
	* EE has this
	* TwistLog, AquaSec - container security tooling

	KMS - what compute instances can access a key

	Cognito
	Okta