@gregberns
Created April 29, 2019 15:54
Managing Secrets - Notes from 2019-04-24 PHX DevOps meetup
Managing Secrets
NoDramaDevOps.com Blog
Platform Identity
* Can give a VM a service account which has rights to access
* Use short term credentials to talk between services.
* For external services - the internal service can go to the vault to request the secret
* Use a "Source Vault" during the CI phase, and a "Target Vault" in Prod
* 1) Distribute artifacts, then secrets, then update the deployment descriptor; 2) runtime updates (starts containers)
Process to take secrets from a SourceVault and then make a copy of them into the target runtime env.
This ensures that the application doesn't have to have direct access to the SourceRepository.
(How in DEV can we prevent the reading of secrets for PROD (in our ))
***Secret policy management?***
Distributing Secrets tools:
* Mozilla "sops"
* SegmentIO's "Chamber"
* Kamus
Anti-Pattern
-> Multiple Applications pointing at a single service
***A Secret Per Service Deploy***
***Versioning Secrets***
Deploy the secret every time the application is deployed - include the SHA/version in the name of the secret
1) Application gets short-term permissions/creds from the platform (169 IP)
2) Asks Vault for creds
**(Note - in logs, log the length of the secret)**
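The SourceVault-to-target copy step, the "secret per service deploy" naming and the log-the-length note above, worked through as one added example (this is not code from the meetup or from any of the tools named in these notes). The `Vault` class is a constructed in-memory stand-in for a real vault, and the `<env>/<service>/<KEY>@<sha>` naming and `<env>:<service>@<sha>` principal format are assumptions chosen for the demo:

```python
import logging
import re
from dataclasses import dataclass, field

log = logging.getLogger("secrets.promote")

# Assumed target-vault naming: <env>/<service>/<KEY>@<deploy sha>
NAME_RE = re.compile(
    r"^(?P<env>dev|prod)/(?P<service>[a-z0-9-]+)/(?P<key>[A-Z0-9_]+)@(?P<sha>[0-9a-f]{7,40})$"
)


def versioned_name(env: str, service: str, key: str, sha: str) -> str:
    """Per-deploy secret name; the SHA keeps every deploy's secrets distinct."""
    name = f"{env}/{service}/{key}@{sha}"
    if not NAME_RE.match(name):
        raise ValueError(f"invalid secret name: {name}")
    return name


def parse_name(name: str) -> dict:
    m = NAME_RE.match(name)
    if not m:
        raise ValueError(f"invalid secret name: {name}")
    return m.groupdict()


def runtime_principal(env: str, service: str, sha: str) -> str:
    """Assumed identity the platform hands the running deploy (short-term creds)."""
    return f"{env}:{service}@{sha}"


@dataclass
class Vault:
    """Constructed stand-in for a vault: a store plus an exact-name allow list per principal."""
    store: dict = field(default_factory=dict)
    grants: dict = field(default_factory=dict)  # principal -> set of secret names

    def put(self, name: str, value: str) -> None:
        self.store[name] = value
        # log the length of the secret, never its value
        log.info("stored %s (len=%d)", name, len(value))

    def read(self, principal: str, name: str) -> str:
        if name not in self.grants.get(principal, set()):
            raise PermissionError(f"{principal} is not granted {name}")
        log.info("%s read %s (len=%d)", principal, name, len(self.store[name]))
        return self.store[name]


def promote(source: Vault, target: Vault, env: str, service: str, sha: str) -> list:
    """CI step: copy `service`'s secrets from the source vault into the target vault under
    versioned names, then grant exactly those names to the deploy's runtime identity.
    Source entries are keyed "<service>/<KEY>" (constructed layout). Returns the new names."""
    principal = runtime_principal(env, service, sha)
    names = []
    for src_key, value in source.store.items():
        svc, _, key = src_key.partition("/")
        if svc != service:
            continue
        name = versioned_name(env, service, key, sha)
        target.put(name, value)
        names.append(name)
    target.grants[principal] = set(names)
    return names


def retire_old_versions(target: Vault, env: str, service: str, keep_sha: str) -> list:
    """Drop this service's secrets from earlier deploys (every SHA except keep_sha)
    and prune them from all grants. Returns the removed names."""
    removed = []
    for name in list(target.store):
        p = parse_name(name)
        if p["env"] == env and p["service"] == service and p["sha"] != keep_sha:
            del target.store[name]
            removed.append(name)
    for names in target.grants.values():
        names.difference_update(removed)
    return removed


if __name__ == "__main__":
    logging.basicConfig(level=logging.INFO, format="%(message)s")
    src = Vault(store={"api/DB_PASSWORD": "s3cret!", "api/API_KEY": "abc123",
                       "worker/QUEUE_TOKEN": "tok"})
    tgt = Vault()
    print(promote(src, tgt, "prod", "api", "a1b2c3d"))
    print(promote(src, tgt, "prod", "api", "e4f5a6b"))
    print(retire_old_versions(tgt, "prod", "api", "e4f5a6b"))
```

The application only ever receives the names of its own deploy, so a worker deploy cannot read the api deploy's database password, and a dev principal cannot read anything under `prod/`. Because names carry the SHA, a rollback or a re-deploy is just another `promote` call, and `retire_old_versions` is where the old versions get cleaned up.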
Using an API through which to request secrets may help with policy management.
* Env - Prevent Dev from getting Prod secrets
* Restrict application access
* A secret per deploy
* Versioning Secrets
Other notes/thoughts:
* Audit the usage of secrets
* higher than normal use of secrets
* Is AppA using AppB's secret
* Look at SOPS tool
* Could look at using Source/Target in compose to "translate" from source location to target location
* Write a script to create a secret and put it in SQL Server and LastPass at once
* Secrets monitoring - no auth plugin for auth management
* EE has this
* Twistlock, AquaSec - container security tooling
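The two audit questions from the notes ("higher than normal use of secrets" and "is AppA using AppB's secret") as detection logic over a vault audit log. This is an added example, not from the meetup or any vault product; the JSON-lines audit format, the sample records and the `<env>:<service>@<sha>` / `<env>/<service>/<KEY>@<sha>` naming are all constructed for the demo:

```python
import json
import statistics
from collections import Counter, defaultdict
from datetime import datetime, timedelta

EPOCH = datetime(1970, 1, 1)


def _rec(ts: str, principal: str, secret: str) -> str:
    return json.dumps({"ts": ts, "principal": principal, "secret": secret, "action": "read"})


# Constructed audit log (JSON lines). Normal traffic is one read per service per
# 5-minute window; then the api deploy bursts to 12 reads in one window, and the
# worker deploy reads a secret that belongs to api.
AUDIT_LOG = "\n".join(
    [_rec(f"2019-04-24T10:{m:02d}:00Z", "prod:api@a1b2c3d", "prod/api/DB_PASSWORD@a1b2c3d")
     for m in (0, 5, 10, 15)]
    + [_rec(f"2019-04-24T10:{m:02d}:30Z", "prod:worker@a1b2c3d", "prod/worker/QUEUE_TOKEN@a1b2c3d")
       for m in (0, 5, 10, 15, 20)]
    + [_rec(f"2019-04-24T10:20:{s:02d}Z", "prod:api@a1b2c3d", "prod/api/DB_PASSWORD@a1b2c3d")
       for s in range(12)]
    + [_rec("2019-04-24T10:21:07Z", "prod:worker@a1b2c3d", "prod/api/DB_PASSWORD@a1b2c3d")]
)


def parse_audit(text: str) -> list:
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def principal_service(principal: str) -> str:
    # "prod:api@a1b2c3d" -> "api"
    return principal.split(":", 1)[1].split("@", 1)[0]


def secret_service(secret: str) -> str:
    # "prod/api/DB_PASSWORD@a1b2c3d" -> "api"
    return secret.split("/")[1]


def cross_service_reads(records: list) -> list:
    """Is AppA using AppB's secret? Reads where the caller's service != the secret's service."""
    return [r for r in records
            if r["action"] == "read"
            and principal_service(r["principal"]) != secret_service(r["secret"])]


def window_of(ts: str, window: timedelta) -> int:
    dt = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")
    return (dt - EPOCH) // window


def read_spikes(records: list, window: timedelta = timedelta(minutes=5), factor: float = 3.0) -> list:
    """Higher than normal use: per principal, count reads per window and flag windows whose
    count exceeds factor x that principal's median window count.
    Returns [(principal, window_start, count)] sorted by principal and time."""
    counts = defaultdict(Counter)
    for r in records:
        if r["action"] == "read":
            counts[r["principal"]][window_of(r["ts"], window)] += 1
    flagged = []
    for principal in sorted(counts):
        per_window = counts[principal]
        baseline = max(statistics.median(per_window.values()), 1)
        for w, n in sorted(per_window.items()):
            if n > factor * baseline:
                flagged.append((principal, EPOCH + w * window, n))
    return flagged


if __name__ == "__main__":
    recs = parse_audit(AUDIT_LOG)
    for r in cross_service_reads(recs):
        print("cross-service read:", r["principal"], "->", r["secret"])
    for principal, start, n in read_spikes(recs):
        print("spike:", principal, start.isoformat(), n, "reads")
```

The median-based baseline is deliberately crude; in practice you would baseline per principal over days rather than minutes, and the cross-service check only works because the naming scheme puts the owning service into both the principal and the secret name, which is an argument for a naming convention like the one in the notes.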
KMS - what compute instances can access a key
Cognito
Okta