I'm looking for effective strategies for managing secrets in a secure manner. For instance, how do you handle ephemeral tokens for your workers? Any recommendations on tools or methods that you find particularly useful?
5 Answers
Honestly, the best practice I've seen involves just keeping secrets in the code in my repo...just kidding! But you wouldn't believe some actual strategies I've come across!
Rotating secrets automatically and using short-lived tokens tied to specific service identities can really minimize the impact if a secret gets exposed. Regular access audits are also crucial, as many folks overlook that.
HashiCorp Vault is definitely a strong choice, though I'm cautiously optimistic about new options. If I could start fresh, I might go for OpenBao since I like to keep my APIs tool-agnostic. It really helps streamline things without being locked into a specific cloud provider.
A lot of people here mention Vault by HashiCorp. It seems great for various environments, especially when managing secrets across teams. I've found it useful for integrating with GitHub Runners, which reduces the hassle of constantly being pinged for secrets.
I initially used AWS Secrets Manager but switched to Vault because of the cost issues. It was tough to justify the expense, but it ended up working well for my needs. If you're using AWS with Kubernetes, think about utilizing IAM roles; they can reduce the hassle of secret rotation.
That's interesting! Realizing the potential overhead of secrets management is key. How do you manage customer access if you’re using IAM roles?
Totally agree! I prefer Vault over other solutions, but I think it requires some bias since I’ve become the go-to expert on it.