I'm transitioning from AWS to DigitalOcean and I'm used to the convenience of instance profiles in AWS that let me securely pull secrets from services like Secrets Manager and SSM Parameter Store. I'm currently using Infisical for secret management, but I'm stumped on how to securely inject those secrets into my droplets at boot time without baking them into the AMI or sending them as plain user data. I'm looking for advice on how to handle secret injection in environments like DigitalOcean and Hetzner, especially since there's no instance identity mechanism like in AWS. How do you approach this?
3 Answers
If you're looking for an AWS-like approach, remember that instance profiles are simply temporary tokens for secure access. The actual magic is in the security of that identity link on the specific host. You could look into using a solution like Vault, which provides similar capabilities, although it lacks the same link-level security.
Be cautious with cloud-init! It sets initial system configurations, and while you can use it, avoid static credentials in your scripts. Instead, consider setting up your credentials to auto-expire after a certain period to reduce risks.
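The two answers above describe the same pattern from opposite ends: a temporary credential that is the only thing the host starts with, and that expires on its own. The following is an added example, not code from the original thread and not Infisical, Vault or DigitalOcean code, of what that looks like end to end: the provisioner mints a short-lived, single-use token bound to the droplet's ID, the token is the only thing placed in cloud-init user data, and at boot the droplet trades it for its real secrets with a broker that checks signature, expiry, host binding and single use. The broker URL, the secret names, the `/etc/app/secrets.env` path and the DigitalOcean metadata endpoint used for the droplet ID are assumptions for the illustration.

```python
"""Bootstrap-token exchange for first-boot secret injection (added example).

Generic sketch of the pattern, not Infisical, Vault or DigitalOcean code.
Broker URL, metadata path and secret names are assumptions.
"""
import base64
import hashlib
import hmac
import json
import secrets
import time

# Shared between the provisioner (which mints) and the broker (which redeems).
SIGNING_KEY = secrets.token_bytes(32)


def b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def mint_bootstrap_token(droplet_id: str, ttl_seconds: int = 300, now=None) -> str:
    """Provisioner side: HMAC-signed claims with an expiry and a unique id (jti)."""
    now = time.time() if now is None else now
    claims = {"sub": droplet_id, "exp": int(now + ttl_seconds), "jti": secrets.token_hex(8)}
    body = json.dumps(claims, sort_keys=True).encode()
    sig = hmac.new(SIGNING_KEY, body, hashlib.sha256).digest()
    return b64url_encode(body) + "." + b64url_encode(sig)


class SecretsBroker:
    """Broker side: verify signature, expiry, host binding and single use."""

    def __init__(self, key: bytes, store: dict):
        self.key = key
        self.store = store        # droplet_id -> secrets for that host (constructed sample)
        self.redeemed = set()     # jti values already burned

    def redeem(self, droplet_id: str, token: str, now=None):
        now = time.time() if now is None else now
        try:
            body_b64, sig_b64 = token.split(".")
            body, sig = b64url_decode(body_b64), b64url_decode(sig_b64)
        except ValueError:        # binascii.Error is a ValueError subclass
            return None, "malformed"
        expected = hmac.new(self.key, body, hashlib.sha256).digest()
        if not hmac.compare_digest(sig, expected):
            return None, "bad signature"   # verified before any claim is trusted
        claims = json.loads(body)
        if claims["exp"] < now:
            return None, "expired"
        if claims["sub"] != droplet_id:
            return None, "token not bound to this host"
        if claims["jti"] in self.redeemed:
            return None, "already redeemed"
        self.redeemed.add(claims["jti"])
        return self.store.get(droplet_id, {}), "ok"


def render_user_data(token: str, broker_url: str) -> str:
    """cloud-init user data that carries only the token, never the secrets.

    /run is tmpfs, so the file does not survive a reboot. The metadata URL is
    DigitalOcean's droplet-ID endpoint as assumed here; Hetzner's differs.
    """
    return f"""#cloud-config
write_files:
  - path: /run/bootstrap-token
    permissions: '0600'
    content: {token}
runcmd:
  - |
    ID=$(curl -fsS http://169.254.169.254/metadata/v1/id)
    mkdir -p /etc/app
    curl -fsS -H "Authorization: Bearer $(cat /run/bootstrap-token)" \\
      "{broker_url}?droplet_id=$ID" -o /etc/app/secrets.env
    chmod 0600 /etc/app/secrets.env
    rm -f /run/bootstrap-token
"""


if __name__ == "__main__":
    store = {"12345": {"DB_PASSWORD": "constructed-sample-value"}}
    broker = SecretsBroker(SIGNING_KEY, store)
    tok = mint_bootstrap_token("12345")
    print(render_user_data(tok, "https://secrets.internal/bootstrap"))
    print(broker.redeem("12345", tok))   # ({'DB_PASSWORD': ...}, 'ok')
    print(broker.redeem("12345", tok))   # (None, 'already redeemed')
```

The reason the token is single-use and short-lived rather than merely secret: on most providers user data stays readable to any local process through the metadata service for the life of the instance, so anything placed there has to become worthless the moment first boot has consumed it. Binding the token to the droplet ID limits where a leaked token can be redeemed, but the ID itself is not a secret; the trust in this scheme rests entirely on the provisioner handing the token to the right host, which is exactly the "identity link" that an AWS instance profile provides for free and that these providers do not.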
You might want to consider using tools like cloud-init, Puppet, or Ansible. They can help automate setup and manage configurations efficiently.
