DEV Community

Discussion on: Protecting and syncing secret keys

Andrew Brown 🇨🇦

AWS has two different services for handling sensitive application configuration: Secrets Manager and SSM Parameter Store. One costs pennies and the other is free.

Instead of rolling your own, I would suggest these services, as you can apply envelope encryption.

If you are running AWS EC2 instances, you don't need to embed AWS credentials, as they are already passed securely to the instance via roles.

If you are using the AWS credentials directly as a user, you can apply MFA to add another layer of protection.

Paweł Kowalski (edited)

There is also AWS KMS (I think it's recommended by AWS nowadays).

On GitHub there is also "secrets" under repo /settings/secrets, if you use GitHub Actions. GHA can then set environment variables based on the secret's value.

And of course the universal method (assuming you use git): git-crypt, if you insist on keeping those in files in the repo.

Andrew Brown 🇨🇦

When I was mentioning envelope encryption on Secrets Manager or SSM Parameter Store, that is using KMS. So you check the encrypt box and choose a key from KMS.
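The envelope encryption Andrew refers to (KMS key wrapping a per-secret data key, the data key encrypting the secret) is easy to get wrong when rolled by hand, so here is an added, stand-alone illustration of the pattern. This is not code from the thread, from AWS, or from any SDK: `LocalKms` is an in-memory stand-in for `boto3.client("kms")` that only copies the call and return shapes of `generate_data_key` and `decrypt` (including a `disable_key` hook I added to show what happens when the KMS key is revoked), the data cipher is a stdlib-only HMAC-SHA256 counter-mode stream with an HMAC tag in place of the AES-GCM a real SDK would use, and the key alias, parameter name and secret value are constructed sample data.

```python
"""Envelope encryption in the shape AWS KMS uses, as a self-contained demo.

KMS-backed stores (Secrets Manager, SSM SecureString) do not encrypt the
secret with the KMS key itself. They ask KMS for a fresh data key, encrypt
the secret locally with that key, and persist the KMS-wrapped copy of the
data key next to the ciphertext. Decryption sends only the wrapped data key
back to KMS, so the master key never leaves KMS and revoking it makes every
stored secret unreadable at once.
"""
import hashlib
import hmac
import os
import secrets


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    # HMAC-SHA256 in counter mode as a PRF-based stream cipher (stand-in for AES).
    out, counter = b"", 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def _aead_encrypt(key: bytes, plaintext: bytes, aad: bytes) -> bytes:
    # Encrypt-then-MAC; `aad` is bound into the tag but not encrypted.
    enc_key = hashlib.sha256(b"enc" + key).digest()
    mac_key = hashlib.sha256(b"mac" + key).digest()
    nonce = os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    tag = hmac.new(mac_key, aad + nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def _aead_decrypt(key: bytes, blob: bytes, aad: bytes) -> bytes:
    enc_key = hashlib.sha256(b"enc" + key).digest()
    mac_key = hashlib.sha256(b"mac" + key).digest()
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    expect = hmac.new(mac_key, aad + nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expect):
        raise ValueError("authentication failed: ciphertext or AAD was altered")
    return bytes(a ^ b for a, b in zip(ct, _keystream(enc_key, nonce, len(ct))))


class LocalKms:
    """In-memory stand-in for boto3.client('kms'); master keys never leave it."""

    def __init__(self) -> None:
        self._keys: dict[str, bytes] = {}   # KeyId -> master key material
        self._disabled: set[str] = set()

    def create_key(self, key_id: str) -> str:
        self._keys[key_id] = secrets.token_bytes(32)
        return key_id

    def disable_key(self, key_id: str) -> None:   # hypothetical revocation hook
        self._disabled.add(key_id)

    def generate_data_key(self, KeyId: str, KeySpec: str = "AES_256") -> dict:
        # Same response shape as boto3: plaintext key plus the wrapped copy.
        data_key = secrets.token_bytes(32)
        wrapped = _aead_encrypt(self._keys[KeyId], data_key, KeyId.encode())
        # KMS embeds the key id in CiphertextBlob, so decrypt() needs no KeyId.
        return {"Plaintext": data_key,
                "CiphertextBlob": KeyId.encode() + b"\0" + wrapped, "KeyId": KeyId}

    def decrypt(self, CiphertextBlob: bytes) -> dict:
        key_id_raw, wrapped = CiphertextBlob.split(b"\0", 1)
        key_id = key_id_raw.decode()
        if key_id in self._disabled:
            raise PermissionError(f"key {key_id} is disabled")
        return {"Plaintext": _aead_decrypt(self._keys[key_id], wrapped, key_id.encode()),
                "KeyId": key_id}


def envelope_encrypt(kms, key_id: str, name: str, secret: bytes) -> dict:
    """One fresh data key per secret; returns what a store would persist."""
    dk = kms.generate_data_key(KeyId=key_id, KeySpec="AES_256")
    # The parameter name is bound as AAD (the analogue of a KMS EncryptionContext),
    # so a ciphertext cannot be copied under a different name and still decrypt.
    ct = _aead_encrypt(dk["Plaintext"], secret, name.encode())
    return {"name": name, "wrapped_key": dk["CiphertextBlob"], "ciphertext": ct}


def envelope_decrypt(kms, item: dict) -> bytes:
    """Only the wrapped key goes to KMS; the secret is decrypted locally."""
    data_key = kms.decrypt(CiphertextBlob=item["wrapped_key"])["Plaintext"]
    return _aead_decrypt(data_key, item["ciphertext"], item["name"].encode())


def tamper_detected(kms, item: dict) -> bool:
    """Flip one ciphertext byte (constructed attack) and confirm decryption refuses it."""
    ct = bytearray(item["ciphertext"])
    ct[16] ^= 1
    try:
        envelope_decrypt(kms, dict(item, ciphertext=bytes(ct)))
        return False
    except ValueError:
        return True


if __name__ == "__main__":
    kms = LocalKms()
    kms.create_key("alias/app-secrets")                      # constructed alias
    item = envelope_encrypt(kms, "alias/app-secrets", "/prod/db/password", b"s3cret")
    print(envelope_decrypt(kms, item), tamper_detected(kms, item))
```

Swapping `LocalKms()` for `boto3.client("kms")` leaves `envelope_encrypt` and `envelope_decrypt` unchanged, which is the point of the pattern: the service holding the master key only ever sees 32-byte data keys, so per-secret payload size and request volume to KMS stay small, and a key policy change or disabled key cuts off every secret at once without touching the stored blobs.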