DEV Community 👩‍💻👨‍💻

Discussion on: How To Config

jfhbrook profile image
Josh Holbrook Author • Edited on

A reader on Twitter suggests that secrets may be read directly from Vault, skipping over environment variables completely. I wouldn't throw out environment variables entirely, for reasons already mentioned in the post, but I think the argument for connecting to Vault directly has merit - and I wanted to describe how this fits in with what I've written here more fully.

I mentioned that you can use environment variables to "bootstrap" connections to more sophisticated configuration stores, such as a database. I'm sure there are people that would fight me on this, but I consider Vault and other secret stores as special cases of these databases. From this perspective, connecting to Vault from your application is consistent with this post.

This has the minor downside that your app now has to know what Vault is, whereas it knowing what environment variables are was a given. However, it has the advantage of having those secrets ending up "at rest" in fewer places. Each time a secret is assigned to any variable, it becomes an entity which may be accessed by other code - for instance, if you naively run print(os.environ) in Python and your secrets are in the environment variables, you've just logged secrets to plaintext - congratulations.

Of course, connecting to Vault directly isn't a silver bullet - you can log the secrets after they're extracted from Vault as well - but it should make it easier to use closures and scope to manage the capability of other objects to access those secrets. At the end of the day, we can all stand to be more security-conscious, and connecting to your secrets store from your app may be part of this.