Managing API Key Rotation as a Solo Developer: Tips and Tools

Asked By TechieBunny42 On

As a solo indie developer of a SaaS application, I've been struggling with managing API keys and secrets effectively. I've tried a few common methods like copying keys into .env files across different environments, but I often forget to rotate them, which leads to a panic if there's a leak or when a co-founder leaves. Sharing keys over Slack isn't ideal either, and many enterprise solutions like Vault or AWS Secrets Manager feel too complex and expensive for someone running a small operation.

I'm curious to hear how others manage their API key and secret rotation processes. Specifically, how do you handle the rotation without causing downtime or making mistakes? What strategies do you use to keep it simple while ensuring security? I'm also interested in hearing any lessons learned, horror stories about leaked keys, or recommendations for open-source or DIY tools that might help. I've been working on my solution, APIVault, a simple secrets manager for indie developers, but I'm genuinely eager to learn from others' experiences!

5 Answers

Answered By DevOpsDan On

I use AWS alongside Terraform and have set up some automatic scripts for rotation. Tools like Bitwarden and External-Secrets are super handy, and when I really need it, I use Ansible-Vault and SealedSecrets to keep everything managed. Having a centralized password manager like Bitwarden makes a big difference too.

Answered By SecretSleuth On

If you haven't checked it out yet, take a look at SOPS (Secrets OPerationS). It's a great tool for sharing encrypted data without complicating things too much. Really useful for developers needing that extra layer of security!

Answered By EncryptionExpert On

Here's what I've been doing:
- I keep all secrets encrypted in my repo with a long random password (32-64 bytes).
- They get deployed unencrypted via SSH to the machines I use—whatever secrets are in the encrypted file get converted back to their respective files during deployment.
- My script manages this process, and to rotate, I just update the encrypted file, deploy it unsecured, and restart my apps. It's all automated with scripts, making it both secure and easy to maintain!

Answered By CodeCrafter63 On

Honestly, I haven’t really rotated credentials for my solo projects in ages! I usually use Rails for my projects, and I just rely on its built-in encrypted credentials feature. It keeps things simple and secure for me.

SoleServer01 -

Haha, same here! My solo projects have probably turned into security disasters without me realizing it!

Answered By SecureScribe On

For managing my secrets, I keep things organized like this:
- For local use, I store API keys in Bitwarden (which has a useful CLI).
- On production, I take advantage of features from my platform or utilize AWS Parameter Store.
- For rotation, I simply add a new key, deploy with both keys active, and switch over before killing the old one. Setting calendar reminders every 90 days helps me stay on track. I also use a `git-secrets` pre-commit hook to avoid accidentally pushing keys to my repo.
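The overlap-then-retire procedure in the answer above (add a new key, run with both keys active, switch clients, then kill the old one) can be encoded directly in the server-side key registry so that the cut-over never rejects a still-valid client. The following is an added illustration, not code from the poster or from any named tool: it is a small in-memory key ring with a constructed seven-day overlap window, storing only key hashes and comparing them in constant time. The `KeyRing`, `KeyRecord` and `overlap` names are assumptions of this example.

```python
"""Zero-downtime API key rotation with an overlap window (added example)."""
from __future__ import annotations

import hashlib
import hmac
import secrets
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional


@dataclass
class KeyRecord:
    key_id: str
    key_hash: str                      # SHA-256 of the secret; plaintext is never stored
    created_at: datetime
    retire_at: Optional[datetime] = None  # None means the key is current, no sunset yet


def _hash_key(secret: str) -> str:
    return hashlib.sha256(secret.encode("utf-8")).hexdigest()


class KeyRing:
    """Registry of API keys that keeps old keys valid for an overlap period after rotation."""

    def __init__(self, overlap: timedelta = timedelta(days=7)):
        self.overlap = overlap               # assumed grace period; pick what your deploy cadence needs
        self.records: dict[str, KeyRecord] = {}

    def issue(self, now: datetime) -> tuple[str, str]:
        """Mint a new key. Every currently unretired key is scheduled to retire after `overlap`.

        Returns (key_id, plaintext); the plaintext is shown once and must be handed to clients.
        """
        for rec in self.records.values():
            if rec.retire_at is None:
                rec.retire_at = now + self.overlap
        key_id = "k" + secrets.token_hex(4)
        plaintext = secrets.token_urlsafe(32)
        self.records[key_id] = KeyRecord(key_id, _hash_key(plaintext), now)
        return key_id, plaintext

    def verify(self, key_id: str, presented: str, now: datetime) -> bool:
        """Accept the key if it exists and has not passed its retire time; constant-time compare."""
        rec = self.records.get(key_id)
        if rec is None:
            return False
        if rec.retire_at is not None and now >= rec.retire_at:
            return False
        return hmac.compare_digest(rec.key_hash, _hash_key(presented))

    def prune(self, now: datetime) -> list[str]:
        """Drop keys whose overlap window has elapsed; returns the removed key ids."""
        gone = [k for k, r in self.records.items() if r.retire_at is not None and now >= r.retire_at]
        for k in gone:
            del self.records[k]
        return gone

    def rotation_due(self, now: datetime, every: timedelta = timedelta(days=90)) -> bool:
        """True when the newest unretired key is older than `every` (the 90-day reminder, in code)."""
        current = [r for r in self.records.values() if r.retire_at is None]
        if not current:
            return True
        newest = max(current, key=lambda r: r.created_at)
        return now - newest.created_at >= every


if __name__ == "__main__":
    # Constructed timeline: issue, rotate at day 90, both keys valid during overlap, old key gone at day 98.
    ring = KeyRing()
    t0 = datetime(2024, 1, 1, tzinfo=timezone.utc)
    old_id, old_key = ring.issue(t0)
    new_id, new_key = ring.issue(t0 + timedelta(days=90))
    print("day 91 old valid:", ring.verify(old_id, old_key, t0 + timedelta(days=91)))
    print("day 98 old valid:", ring.verify(old_id, old_key, t0 + timedelta(days=98)))
    print("pruned:", ring.prune(t0 + timedelta(days=98)))
```

Clients send `key_id` alongside the secret, so the server knows which record to check without trying every hash; rotation then becomes: call `issue`, ship the new plaintext to clients, and let `prune` run on a schedule once the window closes. The `retire_at` timestamp is also a natural thing to log or alert on, since a request still using a key past its window is the signal that some client was missed during the switch-over.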
