undefined | Better HN

0 pointskodah3y ago0 comments

Credentials in a config file can be mistakenly checked into a repository. They're easy to exfiltrate from files, say I write a script with well known configuration locations for thousands of applications and just dumbly pull them all from a compromised system. I now have little bits of access to the wider system where I can now jump from system to system.

The best way to store ephemeral secrets is in an environment variable or /dev/shm. This locks the secret behind the scope of the parent process (shell instance) and the user.

0 comments

dvt3y ago

I don't get this logic, that's what .gitignore is for. I've been using .env files for years and never mistakenly checked one into a repo.

mountainriver3y ago

This happens literally all the time in large organizations. People make mistakes

bottled_poe3y ago

And should be easily caught in code reviews and CI jobs?

3 more replies

kristjansson3y ago

It’s not just to protect secrets, it’s better architecture. Rely on an ACCESS_ID/SECRET_KEY pair and it’s easy to bind too tightly to that authentication mechanism. Then providing credentials in production is a pain. Use the standard credential provider chain and the transition to production settings is trivial.

sverhagen3y ago

Even if you want your credentials in SOME file, you don't want them in THAT file. Because that configuration file contains enough valuable configuration that SHOULD be in Git, in which case the credentials would be in the way.

kodahOP3y ago

idk what to tell you. I work on a security team, one of the tools the team built finds and identifies secrets already checked into VCS or ones at the pre-commit stage. It's certainly not a seldomly used tool.

mdaniel3y ago

I believe GP's comment is at the intersection of "the chain is only as strong as its weakest link" and "defenders have to be correct every time, attackers just once"

fwip3y ago

Defense in depth. It only takes one person on your team accidentally committing one file for one service before your .gitignore safeguard is no longer guarding anything.

belthesar3y ago

Tell that to Solarwinds.

dboreham3y ago

Still a bad idea though.

osrec3y ago

How do you automate setting that environment variable?

dboreham3y ago

For a specific example of one way how : https://github.com/99designs/aws-vault

toomuchtodo3y ago

Injection into the environment (container config, Docker, k8s, etc) or the execution context. The actual mechanics are highly dependent on where your secrets are and where they’re going for use. On a dev workstation, could just be some bash or Python using the AWS cli, for example.

j / k navigate · click thread line to collapse

0 pointskodah3y ago0 comments

The best way to store ephemeral secrets is in an environment variable or /dev/shm. This locks the secret behind the scope of the parent process (shell instance) and the user.

0 comments

dvt3y ago

I don't get this logic, that's what .gitignore is for. I've been using .env files for years and never mistakenly checked one into a repo.

mountainriver3y ago

This happens literally all the time in large organizations. People make mistakes

bottled_poe3y ago

And should be easily caught in code reviews and CI jobs?

3 more replies

kristjansson3y ago

sverhagen3y ago

kodahOP3y ago

mdaniel3y ago

I believe GP's comment is at the intersection of "the chain is only as strong as its weakest link" and "defenders have to be correct every time, attackers just once"

fwip3y ago

Defense in depth. It only takes one person on your team accidentally committing one file for one service before your .gitignore safeguard is no longer guarding anything.

belthesar3y ago

Tell that to Solarwinds.

dboreham3y ago

Still a bad idea though.

osrec3y ago

How do you automate setting that environment variable?

dboreham3y ago

For a specific example of one way how : https://github.com/99designs/aws-vault

toomuchtodo3y ago

j / k navigate · click thread line to collapse