Ask HN: Tools for Managing Secret in Production Scale?

12 pointsalbertlie7y ago11 comments

Hi all,

I'm looking for centralized tools for managing secrets for my engineering team right now. Is there any recommended tools from your experience using them in production?

For example like Vault (Hashicorp product).

Thanks

11 comments

gtsteve7y ago

My company uses AWS and started before Parameter Store and Secrets Manager and we try to not run our own infrastructure where possible because we are very small and don't have a big ops team.

We simply store our secrets in a KMS-encrypted file in S3. When containers start up, they have a bootstrap script that deserializes it and fills it with the appropriate variables.

At some point though I think we will look at Parameter Store and Secrets Manager. If I were starting this company again, that's where I'd look first.

Many will suggest Vault, which I hear is a fine product. However, it's one more thing that can fail, and this is a pretty big thing because if you can't access passwords and security tokens, most systems will totally stop working. If you are using a public cloud environment, I would look at tools native to that environment that are managed for you.

sharmi7y ago

Not affiliated to the below company. I came across it a few days back. Have not used it either. Just passing it on hoping it will help.

https://www.envkey.com/ helps manage your team's secrets and configuration.

danenania7y ago

Founder of EnvKey here - thanks for the mention!

EnvKey takes a minimalistic and developer-friendly approach to managing configuration and secrets. It keeps secrets safe while also making it extremely easy to make them available wherever you need them, edit them, and grant/revoke access.

With EnvKey, you can just set a single environment variable (ENVKEY=...) and have any dev machine or server fully configured in seconds. It's a lot simpler and (imho) more pleasant to work with than alternatives.

I'm happy to answer questions about it here if anyone has them!

albertlieOP7y ago

But maybe will be good if you can provide the difference between envkey and vault or some similar stuff like AWS Parameter Store? Especially in reliability side

albertlieOP7y ago

Cool, thanks! I guess I'll go asking into your intercom website directly.

programd7y ago

I think you just answered your own question. As a bonus Red Hat just released a Vault operator so that you can run it on Kubernetes with minimal hassle.

https://github.com/coreos/vault-operator

albertlieOP7y ago

Interesting, thanks! How is your experience using that in production?

imauld7y ago

https://github.com/fugue/credstash

https://aws.amazon.com/secrets-manager/

albertlieOP7y ago

Thanks! How is your experience using that in production?

imauld7y ago

Unfortunately I haven't gotten a chance to use them in Prod. We used a homegrown process at my last company and we use Vault at my current company (which I haven't even used directly yet).

I mostly like credstash because I independently arrived at the same design for securing secrets before I knew it existed. And many of my security minded friends are excited to try out the AWS service.

digianarchist7y ago

CyberArk

j / k navigate · click thread line to collapse

11 comments

gtsteve7y ago

My company uses AWS and started before Parameter Store and Secrets Manager and we try to not run our own infrastructure where possible because we are very small and don't have a big ops team.

We simply store our secrets in a KMS-encrypted file in S3. When containers start up, they have a bootstrap script that deserializes it and fills it with the appropriate variables.

At some point though I think we will look at Parameter Store and Secrets Manager. If I were starting this company again, that's where I'd look first.

sharmi7y ago

Not affiliated to the below company. I came across it a few days back. Have not used it either. Just passing it on hoping it will help.

https://www.envkey.com/ helps manage your team's secrets and configuration.

danenania7y ago

Founder of EnvKey here - thanks for the mention!

I'm happy to answer questions about it here if anyone has them!

albertlieOP7y ago

But maybe will be good if you can provide the difference between envkey and vault or some similar stuff like AWS Parameter Store? Especially in reliability side

albertlieOP7y ago

Cool, thanks! I guess I'll go asking into your intercom website directly.

programd7y ago

I think you just answered your own question. As a bonus Red Hat just released a Vault operator so that you can run it on Kubernetes with minimal hassle.

https://github.com/coreos/vault-operator

albertlieOP7y ago

Interesting, thanks! How is your experience using that in production?

imauld7y ago

https://github.com/fugue/credstash

https://aws.amazon.com/secrets-manager/

albertlieOP7y ago

Thanks! How is your experience using that in production?

imauld7y ago

Unfortunately I haven't gotten a chance to use them in Prod. We used a homegrown process at my last company and we use Vault at my current company (which I haven't even used directly yet).

digianarchist7y ago

CyberArk

j / k navigate · click thread line to collapse