Manage Secrets in your GitHub, the source of Truth
GitHub is the most popular VCS among developers, and keeping everything inside it gives them a comfortable, at-home experience.
That said, none of us is comfortable storing application secrets in GitHub as plain text, so the secrets end up scattered across different pockets: inside the CI/CD tool, inside Vault, and tools like that.
All of those are fine ways to manage secrets, but they hurt the developer experience (everything should be managed in one place, centrally) and force the developer to deal with several tools. I would strongly recommend managing the secrets in GitHub (and leveraging GitOps in the future; GitOps is not covered in this blog).
Mozilla SOPS (Secrets OPerationS) is the best solution, or at least one of the good solutions, to this problem. It is a handy CLI that encrypts YAML, JSON, ENV, INI and binary files with AWS KMS, GCP KMS, Azure Key Vault, age, and PGP. For the structured formats it encrypts only the values and leaves the keys readable, so a GitHub diff still shows which setting changed without revealing it.
Here I demo how to use sops with GCP KMS.
Pre-requisites
- sops CLI
- gcloud SDK (Google Cloud SDK)
- An account and a project in GCP
Log in to GCP with the gcloud SDK using the command below. This writes Application Default Credentials, which is what sops uses when it calls KMS.
gcloud auth application-default login
Create a keyring and a key
gcloud kms keyrings create my-keyring --location global
gcloud kms keys create my-key --location global --keyring my-keyring --purpose encryption
Maintain .sops.yaml and do not pass the --gcp-kms flag
In the declarative vs imperative battle I would again choose declarative. Keep the configuration in a file rather than feeding the sops command line the --gcp-kms flag on every call: a flag is easy to forget or mistype, and a committed .sops.yaml means every developer and the CI pipeline encrypt against the same key.
So create a file named .sops.yaml in the root of the repo and maintain the creation rules there as given below.
Get the full name of the key from GCP by running the command below (provide the appropriate keyring name; here I have used my-keyring).
gcloud kms keys list --location global --keyring my-keyring
Copy the full name of the key and put it in your .sops.yaml file:
---
creation_rules:
  - gcp_kms: projects/arun-project-308015/locations/global/keyRings/my-keyring/cryptoKeys/my-key
A rule without a path_regex applies to every file you pass to sops; add a path_regex if only one directory of the repo holds secrets.
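The steps above (log in, create the keyring and key, look up the key name, write .sops.yaml) as one re-runnable script. This is an added example, not code from the original post or from the sops project. It assumes a PROJECT_ID, a CI service account e-mail in CI_SA and a secrets/ directory holding the plaintext YAML; those names are placeholders. It goes beyond the post in two ways a practitioner will want: it checks before creating (KMS keyrings and keys cannot be deleted, so an unconditional create fails the second time) and it grants the CI principal decrypt-only access on the key.

```shell
#!/usr/bin/env sh
# Added example (not from the original post): provision a GCP KMS key and
# write a .sops.yaml that pins every file under secrets/ to that key.
# Assumed placeholders: PROJECT_ID, CI_SA and the secrets/ layout.
set -e

LOCATION="${LOCATION:-global}"
KEYRING="${KEYRING:-my-keyring}"
KEY="${KEY:-my-key}"

# Build the fully qualified CryptoKey resource name that sops expects in
# the gcp_kms field (the same string `gcloud kms keys describe` prints as name).
kms_key_resource() {
  # $1 project, $2 location, $3 keyring, $4 key
  printf 'projects/%s/locations/%s/keyRings/%s/cryptoKeys/%s' "$1" "$2" "$3" "$4"
}

# Render .sops.yaml with a path_regex so only the secrets directory is
# tied to the key; other YAML in the repo is left alone.
render_sops_config() {
  # $1 key resource, $2 path regex
  printf -- '---\ncreation_rules:\n  - path_regex: %s\n    gcp_kms: %s\n' "$2" "$1"
}

# Idempotent provisioning: keyrings and keys cannot be deleted, so check
# for them before creating to keep the script safe to re-run.
provision_key() {
  gcloud services enable cloudkms.googleapis.com --project "$PROJECT_ID"
  gcloud kms keyrings describe "$KEYRING" --location "$LOCATION" \
    --project "$PROJECT_ID" >/dev/null 2>&1 \
    || gcloud kms keyrings create "$KEYRING" --location "$LOCATION" \
         --project "$PROJECT_ID"
  gcloud kms keys describe "$KEY" --keyring "$KEYRING" --location "$LOCATION" \
    --project "$PROJECT_ID" >/dev/null 2>&1 \
    || gcloud kms keys create "$KEY" --keyring "$KEYRING" --location "$LOCATION" \
         --purpose encryption --project "$PROJECT_ID"
}

# Least privilege: the CI principal can decrypt but not encrypt, so a
# compromised pipeline cannot rewrite the secrets it deploys.
grant_ci_decrypt() {
  gcloud kms keys add-iam-policy-binding "$KEY" \
    --keyring "$KEYRING" --location "$LOCATION" --project "$PROJECT_ID" \
    --member "serviceAccount:$CI_SA" \
    --role roles/cloudkms.cryptoKeyDecrypter
}

setup() {
  provision_key
  grant_ci_decrypt
  key="$(kms_key_resource "$PROJECT_ID" "$LOCATION" "$KEYRING" "$KEY")"
  render_sops_config "$key" 'secrets/.*\.yaml$' > .sops.yaml
  # Encrypt each plaintext secret file in place; sops picks the key from .sops.yaml.
  for f in secrets/*.yaml; do
    [ -e "$f" ] || continue
    sops --encrypt --in-place "$f"
  done
}

# Usage: PROJECT_ID=my-project CI_SA=ci@my-project.iam.gserviceaccount.com ./setup.sh run
if [ "${1:-}" = "run" ]; then
  : "${PROJECT_ID:?set PROJECT_ID}" "${CI_SA:?set CI_SA}"
  setup
fi
```

The developer who runs this keeps roles/cloudkms.cryptoKeyEncrypterDecrypter through their own gcloud login; only the CI service account is bound here, and only as a decrypter.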
Encrypt and decrypt using the sops CLI
You are now all set and can start to encrypt and decrypt the secret files. The commands are
sops --encrypt WHATEVER_FILE_NAME > OUTPUT_FILE_NAME
sops --decrypt ENCRYPTED_FILE_NAME > ANY_FILE_NAME
sops works out the format from the file extension (.yaml, .json, .env, .ini), so keep the same extension on the input and the output file. Before you commit, open the encrypted file and check that every value reads ENC[...] and that a sops: block with a mac entry sits at the end; that block is what lets sops find the KMS key again and detect tampering on decrypt.
So now you can maintain the encrypted files in your GitHub repo and decrypt them in your CI/CD layer before applying those secrets to your platform. Make sure IAM around the key is scoped properly: the principal who logs in to gcloud and runs the encrypt and decrypt commands needs roles/cloudkms.cryptoKeyEncrypterDecrypter on the key, while the CI/CD service account only needs roles/cloudkms.cryptoKeyDecrypter. Never commit the decrypted output, and remember that KMS access controls who can decrypt the file, not who can read it once a pipeline has written it to disk or to a log.
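A guard for the "encrypted files in the repo" rule, as an added example that is not part of the original post. It refuses plaintext files under a secrets directory by checking for the structure sops writes (a top-level sops metadata block, a mac entry and at least one ENC[...] value), so it needs neither sops nor KMS access and can run as a pre-commit hook or as the first CI step. The secrets/ layout and the fixture files it builds are constructed for the example; the file shape matches sops output but the ciphertext is dummy data.

```shell
#!/usr/bin/env sh
# Added example (not from the original post): refuse to commit plaintext
# secrets. Assumed layout: secrets live under secrets/ as .yaml/.yml/.json.
set -e

# Return 0 when the file carries sops metadata, 1 otherwise.
is_sops_encrypted() {
  f="$1"
  # YAML output has "sops:" at column 0; JSON output has an indented "sops" object.
  grep -Eq '^(sops:|[[:space:]]*"sops":)' "$f" || return 1
  # The MAC covers every encrypted value; without it sops refuses to decrypt.
  grep -Eq '^[[:space:]]*"?mac"?:' "$f" || return 1
  # At least one value must actually be ciphertext.
  grep -q 'ENC\[AES256_GCM,' "$f" || return 1
  return 0
}

# Scan one directory, report offenders on stderr, return 1 if any are plaintext.
check_secrets_dir() {
  dir="$1"
  rc=0
  for f in "$dir"/*.yaml "$dir"/*.yml "$dir"/*.json; do
    [ -e "$f" ] || continue   # unmatched glob
    if ! is_sops_encrypted "$f"; then
      echo "refusing to commit plaintext secret: $f" >&2
      rc=1
    fi
  done
  return $rc
}

# Constructed fixture: one file shaped like sops YAML output (dummy
# ciphertext, real layout) and one plaintext file that must be caught.
make_fixture() {
  dir="$1"
  mkdir -p "$dir"
  cat > "$dir/good.yaml" <<'EOF'
db_password: ENC[AES256_GCM,data:c29tZWNpcGhlcg==,iv:QUJDREVGR0g=,tag:dGFnMTIzNDU2Nzg=,type:str]
sops:
    gcp_kms:
        - resource_id: projects/arun-project-308015/locations/global/keyRings/my-keyring/cryptoKeys/my-key
          created_at: "2021-03-01T00:00:00Z"
          enc: Q0lRQQ==
    lastmodified: "2021-03-01T00:00:00Z"
    mac: ENC[AES256_GCM,data:bWFj,iv:aXY=,tag:dGFn,type:str]
    version: 3.6.1
EOF
  printf 'db_password: hunter2\n' > "$dir/leak.yaml"
}

# Usage as a hook: copy to .git/hooks/pre-commit and call with "check".
if [ "${1:-}" = "check" ]; then
  check_secrets_dir "${2:-secrets}"
fi
```

The check is structural, not cryptographic: it proves a file went through sops, not that the right key was used. Pair it with the IAM scoping above, and in a real hook scan the staged copies (git show :path) rather than the working tree so an unstaged edit cannot mask a committed plaintext file.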
Thanks
Arun
Am reachable on Twitter — https://twitter.com/arun_dot_com