I'm used to managing secrets in AWS where I can simply attach an instance profile to securely retrieve secrets from Secrets Manager or SSM Parameter Store. However, now that I'm working with DigitalOcean, this setup doesn't really apply. I'm currently using Infisical for managing secrets, but I'm trying to determine how to get those secrets into my droplets securely during boot time—without baking them into the AMI or sending them as plain user data. How do you guys handle secret injection in platforms like DigitalOcean or others that aren't AWS? Also, how do you tackle authentication initially when there isn't an instance identity like AWS offers?
1 Answer
You might want to consider using cloud-init, Puppet, or Ansible for managing your secrets. These tools can help automate the setup process in your droplets without needing to hardcode sensitive information.
I'd avoid hardcoding anything. It works for a while, but it can be risky to have static credentials on a vulnerable host. If you have to use this approach, make sure the credentials expire quickly so the instance can pull the necessary secrets securely.
I do follow the immutable infrastructure approach. I thought about cloud-init, but I'd need to hardcode an Infisical token to fetch the secrets, which isn't ideal.