I've been diving into a project where our infrastructure spans AWS, GCP, and Azure, and to be honest, the number of secrets to keep track of is quite a lot! I'm really curious about how everyone manages their secrets in a multi-cloud setup. Do you prefer centralized solutions like HashiCorp Vault, or have you leaned more towards the built-in secrets management tools from each cloud provider, such as AWS Secrets Manager, GCP Secret Manager, or Azure Key Vault? We're aiming for a secure and scalable approach, so any best practices you've noticed, challenges you've encountered, or insights on automating secret rotations and maintaining access policies across various clouds would be amazing. Thanks for any advice you can lend!
4 Answers
For bigger projects, CyberArk works well for managing secrets at scale. For more personal or smaller dev tasks, I just stick with KeePass. It's simple but gets the job done without any fuss.
I've been using Infisical for multi-cloud setups and it’s been pretty effective. Just a heads up about the free tier limits though; I hit some rate limits while running Ansible plays. Optimizing to load secrets once per play helped a bit. It’s not as robust as Vault but definitely easier to work with!
Automation is key! I recommend integrating an external secrets manager like Bitwarden or Keeper. You can set it up to update the native cloud secrets automatically during your CI/CD process. This way, your corporate password manager can serve as your truth source and manage password rotations effectively.
That’s so true! It’s crucial to distinguish between build secrets stored in a CI system and application secrets for deployments. Managing them in CI can get messy due to insufficient controls.
We use HashiCorp Vault! It’s pretty versatile and we sync it up with AWS Secrets Manager too. For specific platform secrets, we only keep them in their respective stores. For instance, AWS KMS keys stay in AWS, but API and database secrets go into Vault, allowing us to manage everything cross-platform. We also have K8s containers using sidecars to fetch these secrets as needed.
This sounds like a solid approach! Do you find any challenges in managing secrets across different cloud environments?
Good to know! I'll have to check that out. How do you handle the access control side of things with Infisical?
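Added example, not code from any poster in this thread: a minimal, idempotent sync pass of the kind the CI/CD answer (external manager as source of truth pushing into native cloud stores) and the Vault answer (platform-bound secrets such as KMS keys stay in their own cloud, API/DB secrets are managed centrally) describe. The stores are in-memory stand-ins constructed for the example; the record layout, the `kind`/`clouds` fields and the `SecretStore` interface are assumptions, and a real adapter would wrap the provider SDK behind `get`/`put` (for AWS Secrets Manager, boto3's `get_secret_value`/`put_secret_value`).

```python
"""Idempotent sync: source-of-truth secrets -> per-cloud native stores.

Constructed for illustration; stores are in-memory stand-ins, not provider SDKs.
"""
import hashlib
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional, Tuple


@dataclass(frozen=True)
class SecretRecord:
    name: str
    value: str
    version: int                                       # bumped on every rotation
    kind: str                                          # "app" (API/DB creds) or "platform"
    clouds: Tuple[str, ...] = ("aws", "gcp", "azure")  # where this secret may be published


class SecretStore:
    """In-memory stand-in for one cloud's secrets manager (assumed interface)."""

    def __init__(self) -> None:
        self._data: Dict[str, Tuple[str, int]] = {}
        self.writes = 0  # counts write API calls so idempotence is observable

    def get(self, name: str) -> Optional[Tuple[str, int]]:
        return self._data.get(name)

    def put(self, name: str, value: str, version: int) -> None:
        self._data[name] = (value, version)
        self.writes += 1


def fingerprint(value: str) -> str:
    """Short digest for the audit line so the log never carries the secret itself."""
    return hashlib.sha256(value.encode()).hexdigest()[:12]


def sync_secrets(source: Iterable[SecretRecord],
                 targets: Dict[str, SecretStore]) -> Dict[str, List[str]]:
    """One sync pass. Rules:
      * 'platform' secrets are never copied; they stay in the cloud that owns them.
      * an 'app' secret is written only to the clouds listed in record.clouds.
      * a write happens only when the source version is newer than the target's,
        so re-running the pipeline step makes no extra API calls.
    """
    report: Dict[str, List[str]] = {"updated": [], "unchanged": [], "skipped": []}
    records = list(source)  # read the source once per pass (keeps source API calls low)
    for rec in records:
        if rec.kind != "app":
            report["skipped"].append(rec.name)
            continue
        for cloud in rec.clouds:
            store = targets.get(cloud)
            if store is None:
                continue  # this pass is not configured for that cloud
            current = store.get(rec.name)
            if current is not None and current[1] >= rec.version:
                report["unchanged"].append(f"{cloud}:{rec.name}")
                continue
            store.put(rec.name, rec.value, rec.version)
            report["updated"].append(f"{cloud}:{rec.name}")
            print(f"audit: {cloud}:{rec.name} -> v{rec.version} sha256:{fingerprint(rec.value)}")
    return report


# Constructed sample inventory, as a pipeline step might pull it from the source of truth.
SAMPLE_SOURCE = [
    SecretRecord("db/orders/password", "pw-v1", 1, "app", ("aws", "gcp")),
    SecretRecord("api/payments/key", "key-v1", 1, "app"),
    SecretRecord("aws/kms/orders-key", "PLACEHOLDER-not-synced", 1, "platform", ("aws",)),
]


def demo() -> Tuple[Dict[str, List[str]], Dict[str, List[str]], int]:
    """Two passes with an unchanged source, then one rotated secret."""
    targets = {c: SecretStore() for c in ("aws", "gcp", "azure")}
    first = sync_secrets(SAMPLE_SOURCE, targets)
    sync_secrets(SAMPLE_SOURCE, targets)  # second pass: versions already current, no writes
    rotated = [SecretRecord("db/orders/password", "pw-v2", 2, "app", ("aws", "gcp"))]
    third = sync_secrets(rotated, targets)
    total_writes = sum(s.writes for s in targets.values())
    return first, third, total_writes


if __name__ == "__main__":
    print(demo())
```

The version check is what makes the step safe to re-run in every pipeline, and the per-secret `clouds` list keeps a credential out of clouds that never need it.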