On DevOps — 11. Secret Management — an Introduction to Secret Manager (HashiCorp Vault, AWS Secrets Manager), and Best Practice

Tiexin Guo · Published in 4th Coffee · 8 min read · Feb 21, 2021


Ponte 25 de Abril, Lisbon, Portugal

According to my plan, this topic should come later in this series, because normally after you talk about infrastructure as code, you talk about configuration management. And since secrets management is a topic related to many other things (like how to use it inside your configuration management, how to use it in your compute resources like Kubernetes), it’s better to introduce this topic after discussing configuration management and Kubernetes.

But because recently I did quite some work on this topic, I’d like to share it now to make hay while the sun shines as a summary of my recent thoughts and work. So forgive me for being illogical this time.

Secret, Secret

In the field of software development and information technology, no matter what you do, chances are, you can’t do it without secrets.

When you are developing an app, the app itself might need access to a database, so it needs the password. Or maybe the app talks to another API that requires authentication, so you need a token, which is a secret.

And you can’t simply put that secret in your version control system, because that’s dangerous.

When you created the database you were going to use for that app, you need to generate a secret and save it somewhere safe.

When you launch your virtual machine, you might need to provide an initial password too.

In your CI system, you might want to write something back to your version control system (for example, build status, tags, etc.), so you have to create a user for your CI and save its password somewhere safe so that your CI system can read it.

In your CD system, you might want to SSH into a machine using a private key to do deployment; or maybe you don’t use virtual machines, but instead, you have containers running in a Kubernetes cluster, in which case, you still need to manage the access from your CD system to your Kubernetes cluster.

Secrets are literally involved in every single stage of the software development cycle, and that is why you need to manage them properly.
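One concrete check that follows from the point above about version control: before a change is committed, scan it for values that look like secrets. The scanner below is an added example written for this article, not code from the original post or from any of the products named in the title. The sensitive key names, the entropy threshold and the sample lines are all assumptions constructed for the demonstration; the credential-looking values are made up.

```python
import math
import re
from collections import Counter

# Constructed sample input, shaped like lines from a config file or a diff.
# The credential-looking values are placeholders invented for this example.
SAMPLE_LINES = [
    "DB_HOST=db.internal.example",
    "DB_PASSWORD=hunter2",
    "API_TOKEN=Xk9s2LqPz7vRtB4nW8yHcJ3mNd6fGa1e",
    "SIGNING_SALT=9fA3kLm2Qx7Tz8Rv1Wb4Yc6Hn0Pe5Ud",
    "LOG_LEVEL=info",
    "# AWS_SECRET_ACCESS_KEY is read from the secret manager at runtime",
]

# Hypothetical list of key names whose values are sensitive regardless of content.
SENSITIVE_KEY = re.compile(
    r"(password|passwd|secret|token|api[_-]?key|private[_-]?key)", re.I
)
# KEY=value or KEY: value, with optional quotes; comments and free text do not match.
ASSIGNMENT = re.compile(
    r"^\s*([A-Za-z_][A-Za-z0-9_]*)\s*[=:]\s*['\"]?([^'\"\s#]+)['\"]?\s*$"
)


def shannon_entropy(s: str) -> float:
    """Bits of entropy per character: random tokens score high, plain words low."""
    if not s:
        return 0.0
    counts = Counter(s)
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def find_secrets(lines, entropy_threshold=4.0, min_len=20):
    """Return (line_no, key, reason) for each line that looks like a committed secret.

    Two heuristics (thresholds are assumptions chosen for this example):
      1. the key name itself says the value is sensitive;
      2. the value is long and high-entropy, i.e. looks machine-generated.
    """
    findings = []
    for line_no, line in enumerate(lines, 1):
        m = ASSIGNMENT.match(line)
        if not m:
            continue
        key, value = m.group(1), m.group(2)
        if SENSITIVE_KEY.search(key):
            findings.append((line_no, key, "sensitive key name"))
        elif len(value) >= min_len and shannon_entropy(value) >= entropy_threshold:
            findings.append((line_no, key, "high-entropy value"))
    return findings


if __name__ == "__main__":
    for line_no, key, reason in find_secrets(SAMPLE_LINES):
        print(f"line {line_no}: {key} ({reason})")
```

Run against the sample, the scanner flags the password and token by key name and the random-looking salt by entropy, while the host name, the log level and the comment pass. In practice the same function can be wired into a pre-commit hook over the staged diff; the entropy rule is what catches secrets hiding behind innocuous key names, at the cost of occasional false positives on hashes and IDs.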


ex-AWS Sr. DevOps Consultant, CNCF Ambassador