What does HackerNews think of credstash?
A little utility for managing credentials in the cloud
At my current gig we're using doppler[^1] (no affiliation) for application secrets. We're using doppler with their kubernetes operator which supports auto-rotation on secrets. Secrets are set as "env variables". So far, doppler has not suffer big outages or we did not notice, because the operator will keep working even if their API is down - of course you won't get updates. Access control could be more _fine grained_ and they added secret auto-rotation option recently[^2]. We don't use that yet.
I've been a happy 1Password user (no affiliation) and we use it company wide to share user secrets. 1Password support CI/CD integration IIRC, so in theory should cover most use cases.
If you can pay for AWS Vault, the terraform integration comes out of the box. However if you're a small team running vault might be a daunting task and you're inserting another SPoF.
There are many open source application secrets tools that you could check out though. In the past I had great experience with credstash[^3]. Credstash is a really simple and secure open source solution that is based on AWS KMS, IAM and DynamoDB. Costs pennies to run for medium size deployments. Once you setup and document the way to use it, it's really easy. The downside is that as a tool is pretty _raw_ you have to build things like "secret generators", etc. But combined with a slack bot can be a really powerful, secure, cost-effective self-hosted solution that doesn't require maintenance (as opposed to solutions like Vault).
If you have specific questions about any of the above tools feel free to drop an email. I'll happy to answer questions.
[^1]: https://www.doppler.com/
[^2]: Auto-rotation is complicated because you need to integrate the auto-rotation with external tools yourself most of the times. There are Hashi-Vault modules for SQL DBs but not for Mailgun or CloudFlare for example.
RDS rotation is...fine, I guess, if you have an auditor who really wants that and can't write a scheduled job for the task (I've been using one with credstash so long it's just an automatic part of a new environment), but it's got me skeptical.
Something AWS could do, and I'd be very interested in, is a hosted moral equivalent to Vault. Give me a daemon or something to run on an instance, allow me to IAM-gate temporary SSH credentials (and chuck it in CloudTrail) and temporary SQL databases, and that I'd pay for 'cause I really don't want to deal with Vault or HashiCorp. But AWS Secrets Manager, by itself, doesn't really present a good reason-for-being to me.
CI secret access isn't a thing in the systems I develop (unit tests don't need them, integration tests get a spun-up environment that provisions its own secrets), but you could provide access with a bog-standard token machine.
[1] https://github.com/fugue/credstash
[1] https://github.com/fugue/credstash
[2] https://topics.arlingtonva.us/2016/11/voter-registration-sea...
- Azure Key Vault: https://azure.microsoft.com/en-us/services/key-vault/
- Blackbox: https://github.com/StackExchange/blackbox
- CredStash: https://github.com/fugue/credstash
- Lyft Confydant: https://github.com/lyft/confidant
- Trousseau: https://github.com/oleiade/trousseau
- Sneaker: https://github.com/codahale/sneaker
One thing we liked about Vault is that it built upon our usage of Consul and the http interface for Vault meant it was simple to plug into how we build and deploy services. While I'm sure some of these other tools would have had as good workflows, our experience in administrating Consul made it easier for us to have confidence in Vault.
Don't initialize into env vars and don't store in repos, even private ones.
I configure my application roles to be able to decrypt with the master key and I restrict what ciphertext they can read from Dynamodb.
Both of those are really great projects and I recommend them if they fit your use-case.
One of the reasons we originally avoided S3 was because it can occasionally be very eventually consistent, which we wanted to avoid. We also wanted to avoid fanning out secrets to services when the secret needed to be shared between multiple services.
We also wanted to have a UI that was simple and easy to use for everyone.