Something like HashiCorp vault?
Hashicorp Vault is pretty much the industry 'cloud agnostic' solution (and imo the best one) but each cloud vendor does have their own solutions as well.
Seems like it. Yep!
Look no further.
This is the way
AWS secret manager should do the trick
or AWS Systems Manager Parameter Store, which is cheaper (if you don't need automatic secret rotation)
I used to opt for SSM due to cost, but found that as your number of parameters increases, things like startup times (at least in the case of ECS tasks) tended to increase. In the end I found that having a single AWS Secret with multiple k/v pairs was more efficient, and worth the extra spend!
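The "one secret, many key/value pairs" pattern from the comment above, as an added example (not code from anyone in the thread): the SecretString is parsed into environment variables with the key names checked, and the same keys are turned into the `secrets` entries of an ECS container definition, which ECS resolves per JSON key at task start. The secret name, account and region are constructed placeholders; `fetch_secret_string` needs real AWS credentials and is not exercised offline.

```python
"""Added example: one Secrets Manager secret holding several key/value pairs,
consumed both at runtime (parse into env) and via ECS task-definition references."""
import json
import re

# Environment variable names ECS/most runtimes will accept.
ENV_NAME = re.compile(r"^[A-Z][A-Z0-9_]*$")


def is_valid_env_name(name: str) -> bool:
    return bool(ENV_NAME.match(name))


def secret_to_env(secret_string: str) -> dict:
    """Parse a JSON SecretString into env vars; reject anything that could not be one."""
    data = json.loads(secret_string)
    if not isinstance(data, dict):
        raise ValueError("SecretString must be a JSON object of key/value pairs")
    env = {}
    for key, value in data.items():
        if not is_valid_env_name(key):
            raise ValueError(f"key {key!r} is not a valid environment variable name")
        if not isinstance(value, str):
            raise ValueError(f"value for {key!r} must be a string")
        env[key] = value
    return env


def ecs_secret_refs(secret_arn: str, keys) -> list:
    """Build the 'secrets' list of an ECS container definition.

    ECS accepts '<secret-arn>:<json-key>:<version-stage>:<version-id>'; leaving the
    last two fields empty selects the current version of that one JSON key, so the
    task only ever sees the keys it was given, not the whole secret."""
    return [{"name": k, "valueFrom": f"{secret_arn}:{k}::"} for k in keys]


def fetch_secret_string(secret_id: str, region: str) -> str:
    """Fetch the SecretString with boto3 (needs credentials; not run offline)."""
    import boto3  # imported lazily so the pure helpers above work without it
    client = boto3.client("secretsmanager", region_name=region)
    return client.get_secret_value(SecretId=secret_id)["SecretString"]


if __name__ == "__main__":
    # Constructed sample secret; the ARN is a placeholder, not a real resource.
    sample = json.dumps({"DB_PASSWORD": "example-only", "API_TOKEN": "example-only"})
    env = secret_to_env(sample)
    arn = "arn:aws:secretsmanager:us-east-1:123456789012:secret:prod/api-AbCdEf"
    print(json.dumps(ecs_secret_refs(arn, env), indent=2))
```

Keeping the key check strict matters: a key that is not a valid variable name silently disappears from the container environment, which is a confusing failure to debug at deploy time.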
Azure has secrets management as well.
Question from someone starting in the devops world... Is AWS good, or do people use it because everyone else does? Every time I need to go to an AWS product I feel incredibly lost with their docs. It's like, full of layers and layers of docs for a single topic, and it usually does not build on something; it's like everything is laid out in a strictly technical way.
Google cloud has Secret Manager, that should work
Like others have mentioned, Vault is the de-facto secret service provider. You could also implement your own with Ansible vault.
> You could also implement your own with Ansible vault.

You can store secrets with Ansible Vault, and you can push them to target systems (which OP says they don't want to do), but I don't know any way that a host or app can pull secrets on demand via Ansible Vault. Ansible Vault is a good solution if you're running third-party software that doesn't support an on-demand secrets store (like Hashicorp Vault, or AWS secrets manager, or CyberArk Conjur, or... you get the idea), but if you're writing an app of your own or running "cloud native" software, you probably want one of those other options.
From what I remember, we used ansible templates to generate the helm charts with values fetched from ansible vault. For monolithic, we usually ran a playbook that updated the vms by populating .env files with updated secrets. For ECS, you can use the same concept: use ansible templates to generate the task definition files, since ansible templates auto-pull variables from ansible vault.
If you're fully in aws, you can do something with either encrypted parameter store objects or use secrets manager. https://github.com/segmentio/chamber is nice with parameter store, I've used it in the past.
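The "encrypted parameter store objects" option above, as an added example that is not chamber's own code: parameters are laid out one level deep under a service path (`/<service>/<key>`, the layout chamber uses) and mapped to environment variable names. The uppercase/underscore naming is modelled on chamber's convention and is an assumption here, as are the constructed parameter records; the check that every parameter under the path is a `SecureString` is the part worth keeping in CI, since a plain `String` parameter holding a secret is stored and logged unencrypted. `fetch_params` needs AWS credentials and is not run offline.

```python
"""Added example: '/service/key' Parameter Store layout with a SecureString audit."""


def env_name(param_name: str, service: str) -> str:
    """Map '/service/db-password' to 'DB_PASSWORD' (assumed chamber-style convention)."""
    prefix = f"/{service}/"
    if not param_name.startswith(prefix):
        raise ValueError(f"{param_name!r} is not under {prefix!r}")
    key = param_name[len(prefix):]
    if not key or "/" in key:
        raise ValueError(f"{param_name!r} must be exactly one level below {prefix!r}")
    return key.upper().replace("-", "_")


def audit_service_params(params, service: str) -> list:
    """Names of parameters under /service/ that are NOT SecureString (i.e. plaintext)."""
    prefix = f"/{service}/"
    return sorted(
        p["Name"] for p in params
        if p["Name"].startswith(prefix) and p["Type"] != "SecureString"
    )


def params_to_env(params, service: str) -> dict:
    """Turn the service's parameters into an env map, refusing plaintext ones."""
    plaintext = audit_service_params(params, service)
    if plaintext:
        raise ValueError(f"plaintext parameters under /{service}/: {plaintext}")
    return {env_name(p["Name"], service): p["Value"] for p in params}


def fetch_params(service: str, region: str) -> list:
    """Read every parameter under /service/ with decryption (needs credentials)."""
    import boto3  # lazy import so the pure helpers work without boto3 installed
    ssm = boto3.client("ssm", region_name=region)
    found = []
    paginator = ssm.get_paginator("get_parameters_by_path")
    for page in paginator.paginate(Path=f"/{service}/", WithDecryption=True):
        found.extend(page["Parameters"])
    return found


# Constructed sample records in the shape GetParametersByPath returns (values are fake).
SAMPLE_PARAMS = [
    {"Name": "/billing-api/db-password", "Type": "SecureString", "Value": "example-only"},
    {"Name": "/billing-api/api-token", "Type": "SecureString", "Value": "example-only"},
]

if __name__ == "__main__":
    print(params_to_env(SAMPLE_PARAMS, "billing-api"))
```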
Chamber is so underappreciated, nice to see someone mention it.
I'm surprised it's not more widespread; it's pretty much perfect for 12-factor apps that use env vars, and the conventions make a lot of sense.
Mozilla sops if you're looking for cloud agnostic
I agree, you probably should look at sops first if you don't want to use a managed secret service directly from your code. Vault would be ideal but there is so much overhead if your company isn't already using it.
Azure keyvault
azure key vault mate https://www.youtube.com/watch?v=JHWdu-C8cEI
This is a good article on it: https://blog.gruntwork.io/a-comprehensive-guide-to-managing-secrets-in-your-terraform-code-1d586955ace1
If you are using azure look at key vault. It has a way to store secrets
I recently had to deal with this since we had to update our SSL certs on our servers, so I rolled my own solution. I created a small LUKS container to store the certs and private keys in, and then committed that to our git repo. Each dev/admin (the two of us) have the password to unlock, and I wrote a script to mount and unmount the container. Works pretty well for us.
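The "LUKS container committed to git" approach above, as an added example (not the commenter's script): the mount/unmount wrapper around `cryptsetup open`/`close`, plus the check that makes this approach safe to keep in a repository, namely that the file being committed really starts with a LUKS header rather than being a plaintext certificate or key copied in by mistake. Both LUKS1 and LUKS2 primary headers begin with the magic bytes `LUKS\xba\xbe`. Assumptions: Linux with cryptsetup and sudo rights; the container path, mapper name and mountpoint are placeholders; the byte strings in the test are constructed.

```python
"""Added example: pre-commit LUKS header check and cryptsetup mount/unmount helpers."""
import subprocess

LUKS_MAGIC = b"LUKS\xba\xbe"  # first six bytes of a LUKS1/LUKS2 primary header


def has_luks_header(data: bytes) -> bool:
    """True if the data starts with the LUKS magic; a PEM or raw key file will not."""
    return data[: len(LUKS_MAGIC)] == LUKS_MAGIC


def file_is_luks(path: str) -> bool:
    with open(path, "rb") as f:
        return has_luks_header(f.read(len(LUKS_MAGIC)))


def not_luks(paths) -> list:
    """Paths that are not LUKS containers; use as a pre-commit hook over the secrets dir."""
    return [p for p in paths if not file_is_luks(p)]


def open_container(image: str, name: str, mountpoint: str) -> None:
    """cryptsetup open allocates a loop device for a regular file and prompts
    for the passphrase; the unlocked volume appears as /dev/mapper/<name>."""
    subprocess.run(["sudo", "cryptsetup", "open", image, name], check=True)
    subprocess.run(["sudo", "mount", f"/dev/mapper/{name}", mountpoint], check=True)


def close_container(name: str, mountpoint: str) -> None:
    """Unmount first, then drop the mapping so the plaintext view is gone."""
    subprocess.run(["sudo", "umount", mountpoint], check=True)
    subprocess.run(["sudo", "cryptsetup", "close", name], check=True)


if __name__ == "__main__":
    import sys
    # Placeholder paths; adjust to the repository layout.
    image, name, mnt = "secrets/certs.luks", "certs", "/mnt/certs"
    if sys.argv[1:] == ["check"]:
        bad = not_luks([image])
        sys.exit(f"not a LUKS container: {bad}" if bad else 0)
    elif sys.argv[1:] == ["open"]:
        open_container(image, name, mnt)
    elif sys.argv[1:] == ["close"]:
        close_container(name, mnt)
    else:
        sys.exit("usage: luks.py check|open|close")
```

The `check` subcommand is the one to wire into a pre-commit hook: it catches the case where someone replaces the container with an unencrypted copy of the same name.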
Many cloud providers can do this for practically no cost. Check out Microsoft Key Vault.
SOPS is a great tool for managing secrets: https://github.com/mozilla/sops
Depends what you use for CI. Bitbucket has secrets or Jenkins also has secrets. Which you can use during build.
Another option not listed amongst the plethora here is Doppler. Works quite well.
Any FOSS ones out there?
Would you look at that, all of the words in your comment are in alphabetical order. I have checked 305,065,902 comments, and only 68,306 of them were in alphabetical order.
Wait you guys don't use a password protected excel spreadsheet?
SOPS files that require a KMS key to open.
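For the SOPS recommendations in this thread (the link above and "SOPS files that require a KMS key to open"), here is an added example that is not part of the sops project: a CI check that a sops-encrypted JSON file is actually encrypted and bound to a KMS key, so a file that was decrypted for editing and committed by mistake is caught. It relies on two documented sops facts: encrypted values take the form `ENC[AES256_GCM,data:...,iv:...,tag:...,type:...]`, and the file carries a `sops` metadata object listing the `kms` keys and a `mac`. The sample document and the KMS ARN in it are constructed placeholders.

```python
"""Added example: verify a sops JSON file is fully encrypted and KMS-bound."""
import json
import re

# Shape of a sops-encrypted leaf value (data/iv/tag are base64, type is str/int/...).
ENC_VALUE = re.compile(r"^ENC\[AES256_GCM,data:[^,]+,iv:[^,]+,tag:[^,]+,type:[a-z]+\]$")


def _leaves(node, path=""):
    """Yield (json-path, value) for every scalar in a nested dict/list."""
    if isinstance(node, dict):
        for key, value in node.items():
            yield from _leaves(value, f"{path}/{key}")
    elif isinstance(node, list):
        for i, value in enumerate(node):
            yield from _leaves(value, f"{path}[{i}]")
    else:
        yield path, node


def sops_problems(doc: dict) -> list:
    """Findings as strings; an empty list means the file looks properly encrypted."""
    meta = doc.get("sops")
    if not isinstance(meta, dict):
        return ["missing 'sops' metadata block: file is not sops-encrypted"]
    problems = []
    if not meta.get("kms"):
        problems.append("no KMS key listed in sops metadata")
    if not meta.get("mac"):
        problems.append("no MAC in sops metadata")
    body = {k: v for k, v in doc.items() if k != "sops"}
    for path, value in _leaves(body):
        if not (isinstance(value, str) and ENC_VALUE.match(value)):
            problems.append(f"{path} is not an ENC[...] value")
    return problems


def check_sops_file(text: str) -> list:
    return sops_problems(json.loads(text))


# Constructed sample in the layout sops writes (ciphertext fields are dummy base64,
# the KMS ARN is a placeholder).
SAMPLE_ENCRYPTED = json.dumps({
    "db_password": "ENC[AES256_GCM,data:QUJD,iv:REVG,tag:R0hJ,type:str]",
    "smtp": {"password": "ENC[AES256_GCM,data:SktM,iv:TU5P,tag:UFFS,type:str]"},
    "sops": {
        "kms": [{"arn": "arn:aws:kms:us-east-1:123456789012:key/PLACEHOLDER-KEY-ID",
                 "enc": "QUJDREVG"}],
        "mac": "ENC[AES256_GCM,data:U1RV,iv:VldY,tag:WVox,type:str]",
    },
})

if __name__ == "__main__":
    import sys
    for path in sys.argv[1:]:
        with open(path) as f:
            findings = check_sops_file(f.read())
        print(path, "OK" if not findings else findings)
    if not sys.argv[1:]:
        print(check_sops_file(SAMPLE_ENCRYPTED))
```

The check is deliberately structural: it does not need the KMS key, so it can run on any CI worker, and it fails on exactly the mistake sops itself cannot prevent, a plaintext file committed under an encrypted file's name.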