We have seen an explosion of solutions arise in the secrets management space over the last two years. Each has its particular strengths, and competition in any space is a healthy thing. Much like Docker before it, these solutions have a simple and straightforward utility that anyone can appreciate. On closer consideration, however, we can find a much more profound architectural paradigm hiding beneath the surface, one which is obvious to some users in situations that demand it, but much harder to grok for those in environments with less need of it.

It is this paradigm shift that I’d like to give some consideration.

Secrets management, on the surface, is a way of centralizing sensitive information, which is usually itself the means of accessing yet more sensitive data, such as the username and password for a database containing customer data. In the past these types of secrets were put on servers manually by an administrator during installation. When configuration management appeared, these secrets were placed in Chef, Puppet or CFEngine. Today, clouds like AWS have strict access policies (IAM, in AWS’s case) which can be inherited by resources such as EC2 instances to grant them access to databases (like DynamoDB) or S3 buckets containing the secrets. This works well in a cloud with that type of support, but it isn’t portable. A more portable solution has been to serve the secrets from a database or web server of some type, protected by SSL/TLS and/or some other kind of key… but the inevitable problem is: how do you get that key onto the system? The answer sends us back to the beginning of the cycle: an administrator puts it there during installation, or puts it in configuration management….

So let’s step way back and ask ourselves a question: why do we need secrets management? There are several problems we face today which make this a more pressing issue than in the past. The first is that we run more “servers” (VMs, instances, containers, etc.) now than we did in the past. Not only more, but their lifespans are shorter; in some cases they exist for only minutes. This means that manually placing secrets isn’t practical, and in some cases isn’t even possible. That suggests we should either “bake” the secrets into our images or go with configuration management, assuming the latter is even possible (which, for Docker containers, it generally isn’t). The second is that we increasingly want our applications, scripts, tools and config management to be publicly accessible. In some cases we’re outright open-sourcing these things and making them available on GitHub for the world.
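The AWS pattern described above, where an EC2 instance inherits access to a secrets bucket through its IAM role rather than having a key placed on disk, is worth seeing in concrete form. The CloudFormation template below is an added example and is not from the original post or from any of the products it mentions; the bucket name, the `app/` prefix and the KMS key parameter are assumptions. The security-relevant point is the scoping: the role may read only one prefix of the bucket and decrypt only with one key, instead of the `s3:*` on the whole bucket that is the easy and common mistake.

```yaml
AWSTemplateFormatVersion: "2010-09-09"
Description: >
  Added example (not from the original post): an EC2 instance role that can
  read a single application's secrets from an S3 bucket and nothing else.

Parameters:
  SecretsBucket:
    Type: String
    Default: example-secrets-bucket   # assumed name; replace with your bucket
    Description: Bucket that holds encrypted secret objects
  SecretsKmsKeyArn:
    Type: String                      # assumed; the CMK the objects are encrypted with
    Description: ARN of the KMS key used for the secret objects

Resources:
  AppSecretsReadRole:
    Type: AWS::IAM::Role
    Properties:
      # Trust policy: only the EC2 service may assume this role, i.e. only an
      # instance launched with the profile below obtains these credentials.
      AssumeRolePolicyDocument:
        Version: "2012-10-17"
        Statement:
          - Effect: Allow
            Principal:
              Service: ec2.amazonaws.com
            Action: sts:AssumeRole
      Policies:
        - PolicyName: read-app-secrets
          PolicyDocument:
            Version: "2012-10-17"
            Statement:
              # Weak version, for contrast (do NOT use):
              #   Action: "s3:*"
              #   Resource: "*"
              # That grants read and write on every bucket in the account.
              - Sid: ReadOnlyThisAppsPrefix
                Effect: Allow
                Action: s3:GetObject
                Resource: !Sub "arn:aws:s3:::${SecretsBucket}/app/*"
              - Sid: DecryptOnlyWithTheSecretsKey
                Effect: Allow
                Action: kms:Decrypt
                Resource: !Ref SecretsKmsKeyArn

  # The instance profile is what an EC2 instance actually references.
  AppInstanceProfile:
    Type: AWS::IAM::InstanceProfile
    Properties:
      Roles:
        - !Ref AppSecretsReadRole
```

Attach `AppInstanceProfile` to the instance through its `IamInstanceProfile` property. The instance then fetches short-lived credentials from the instance metadata service and the SDKs rotate them automatically, so no long-lived key is ever baked into the image or pushed through configuration management, which is precisely the bootstrap problem the post describes. Two caveats a practitioner should keep in mind: require IMDSv2 (`HttpTokens: required` under `MetadataOptions` in the launch template) so that a server-side request forgery bug in the application cannot trivially read those credentials, and remember that the pattern is not portable; the same idea exists on other clouds, but under different primitives.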