undefined | Better HN

0 pointsbluelightning2k1y ago0 comments

I've always wondered this. Seems like a password to get more passwords is potentially actually less secure (as in practice people will reuse master keys and they might actually increase the surface area, or make it a persistent threat after the keys themselves rotate)

0 comments

jitl1y ago

In AWS and other clouds, you application can use an infrastructure provider API to create a secure session to access infrastructure APIs with per-application-instance credentials that are automatically rotated and can be used only by that instance. These APIs are how the cloud provider themselves provides environment variable injection features, but if your application consumes these APIs directly you can avoid having decrypted secrets hanging out in environment variables as a middleman between your app and the cloud runtime.

Typically the application instance sessions are automatically rotated very frequently, AWS’s sessions are limited to 6 hours for example.

vinnymac1y ago

Dotenvx has a cloud hub from which the keys can be pulled. I imagine an eventual feature will be for the keys to expire, and you’ll have to re-authenticate with the cloud to get new credentials, just as you would with AWS.

j / k navigate · click thread line to collapse

0 pointsbluelightning2k1y ago0 comments

0 comments

jitl1y ago

Typically the application instance sessions are automatically rotated very frequently, AWS’s sessions are limited to 6 hours for example.

vinnymac1y ago

j / k navigate · click thread line to collapse