Hey folks! With all the recent talk about platform security, especially after the Vercel incident, I've been rethinking how to securely manage environment variables in production. Currently, I'm just using the standard environment variables, but I'm eager to learn how others are handling this in their projects. Here are some specific questions I have:
- Do you stick to using Vercel's environment variables, or do you implement more sophisticated solutions?
- How do you manage sensitive keys across various environments?
- Are there particular strategies you use for rotating or managing these keys? I'd love to hear your thoughts on this!
5 Answers
If you’re pulling secrets during CI/CD, you’re actually baking those credentials into your application! That’s usually a bad practice… Just something to keep in mind.
After the Vercel incident, I transitioned all my sensitive data to AWS Secrets Manager and pull them at runtime. Setting that up was a bit of a hassle, but the automatic rotation is a lifesaver. For stuff that isn't super sensitive, I still use platform environment variables, but I've stopped storing API keys or database credentials there. I also categorize environment variables based on sensitivity levels — public ones like NEXT_PUBLIC are fine, but anything that interacts with a database or API with billing should go into a proper secrets storage. Oh, and definitely set up alerts for when secrets are accessed to catch any weird activity early!
To be honest, I'm not using Vercel at all. My environment variables are kept far from my codebase. I use secret management services to pull in what I need. Even in projects without those services, I directly pass the variables into the Docker containers during deployment instead of storing them in the general environment.
We’re pretty much sticking with our usual methods and steering clear of platforms like Vercel. I also recently worked on a project that lets users deploy their database and Docker setups on DigitalOcean. To ensure I can't even access the environment variables, I encrypt everything with the DigitalOcean token. I showcased it earlier, but it didn't get much traction. I'm open to revisiting it if there's interest!
I created a ConfigService that retrieves environment variables from multiple sources like the database and SST secrets (for AWS). I do most of my variable settings through CI/CD and pull from GitHub's secrets. Managing environment variables can be quite a headache, especially with frameworks like Next.js, which need them set at build time for public ones.

Interesting point! If you don’t trust a platform, what’s the reason to use it? Just curious since I’ve never used Vercel. If everything's running smoothly on AWS, wouldn't it make more sense to migrate everything there?