undefined | Better HN

Skip to content

Top Best Ask Show New Jobs

0 pointscorobo5y ago0 comments

That would require no secrets. All it takes is a misclick into a .env file.

I’d assume you’re not coding on a production system so your secrets shouldn’t be too hard to revoke, cycle them after your stream and any time you leak them.

0 comments

8 comments · 3 top-level

xxpor5y ago· 5 in thread

Secrets should really be stored in services, not files outside of maybe a single bootstrap file (unless you're working on the secret storage service itself).

I generate my secrets once, send them off to the secrets service, and then my service queries that service. I never see the secrets with my own eyes.

this-pony5y ago

This sounds like a turtles all the way down kind of think... Then is it OK to keep the secret of the secrets service, or something in that sense.

dfee5y ago

The idea is that you keep the name of the secret, and grant access to the secret manager via roles / policies which are generally open to devs on a subnet for a development environment but locked down in production environments.

tnorthcutt5y ago

Can you expand on this? What service do you use to store your secrets?

dividedbyzero5y ago

What are you using for this? This sounds like a neat setup.

coroboOP5y ago

It is a single bootstrap file, it bootstraps your env variables

I've not come across what you describe

evan_5y ago

Put a couple hundred line breaks at the top of your .env file so if you open it it’s just white space

VikingCoder5y ago

I think we're probably agreeing with each other, except I'm not willing to call those things "secret." They're public. If you can plan to properly publicize something, great. But work _hard_ to make sure you're really okay publicizing it.

j / k navigate · click thread line to collapse