Decoding Security: Secrets Manager or Environment Variables?

Sumanth Bettadapura
smallcase Engineering
3 min read · Apr 24, 2024

Let me tell you how I ended up at a point where I started using Secrets Manager.

I was building my portfolio application (summy.dev) and I wanted to use some 3rd-party APIs in it. I needed to store the access tokens and, like any average Joe, I kept them in environment variables while the application was in the development phase. Then I wanted to take it live, with my infra set up on Google App Engine and my CI/CD running via GitHub Actions.

I broke my back trying to figure out how to inject environment variables into Google App Engine in a safe and secure manner. I did a lot of digging, but I couldn't find any option that was simpler or safer than what I was already doing. Some suggested putting them in the App Engine yml config and injecting them into the environment from there; others suggested having my CI/CD process inject the environment variables.

All these methods had one thing in common: they required me to keep my secret access token in the code repository. Nope! That's not safe, as I already mentioned.

How about setting up environment variables directly in App Engine? Sounds safe enough to me, but App Engine doesn't support that.

Whaat?!

Yes! I had the same expression. How can it not support something as crucially required as environment variables for secret storage? Then I discovered a few videos on YouTube by Google that explain the why of it. I highly recommend you watch this video.

Let’s dig in!

The key differences between using a Secrets Manager and environment variables can be split into three areas.

  • Security
  • Flexibility
  • Management Capabilities

Security

Environment Variables

Well, I do agree that environment variables are pretty convenient to use, especially for storing sensitive information such as API secret tokens, DB access keys, etc. The main drawback is that they can potentially be read and abused by anyone with access to the system, or leak through logging mechanisms (a debug dump of the process environment, a crash report, a CI log).

Secrets Manager

The best thing about a Secrets Manager is that it provides a secure means of storing secrets by encrypting them at rest and in transit. Along with that, it provides other value-added services such as fine-grained access control, auditing and rotation policies, enhancing overall security.
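The logging leak described above is the easiest one to demonstrate and the easiest one to defend against even before moving to a Secrets Manager. The following is an added example (not code from the original post) showing two defensive measures in Python: a `Secret` wrapper whose `repr()` never shows the value, so a careless `logger.info("cfg=%s", cfg)` prints `***`, and a logging filter that redacts the values of named environment variables from any log line. The environment variable name `THIRD_PARTY_TOKEN`, the token value and the API URL are all constructed for the example.

```python
"""Added example: why a raw environment variable is a logging hazard, and two
defensive measures (a masking wrapper and a redacting log filter).
Illustrative code only; all names and values are constructed."""
import logging
import os
import re
from io import StringIO


class Secret:
    """Holds a secret but keeps it out of repr()/str()/f-strings.

    Code must call .reveal() explicitly to get the raw value, so an accidental
    logger.debug("config=%s", cfg) shows Secret('***') instead of the token.
    """

    __slots__ = ("_value",)

    def __init__(self, value: str) -> None:
        self._value = value

    def reveal(self) -> str:
        return self._value

    def __repr__(self) -> str:
        return "Secret('***')"

    __str__ = __repr__


class RedactSecretsFilter(logging.Filter):
    """Masks the current values of the named env vars wherever they appear in a
    formatted log message (for example in a debug dump of os.environ)."""

    def __init__(self, var_names) -> None:
        super().__init__()
        values = [v for v in (os.environ.get(n) for n in var_names) if v]
        self._pattern = re.compile("|".join(re.escape(v) for v in values)) if values else None

    def filter(self, record: logging.LogRecord) -> bool:
        if self._pattern is not None:
            # Format first, then redact, so values hidden inside %s args are caught too.
            record.msg = self._pattern.sub("[REDACTED]", record.getMessage())
            record.args = ()
        return True


def load_config() -> dict:
    """Read the token from the environment (the development-phase habit the
    post describes) and wrap it immediately so it cannot leak via repr()."""
    return {
        "api_url": "https://api.example.invalid",  # constructed placeholder
        "token": Secret(os.environ["THIRD_PARTY_TOKEN"]),
    }


def demo() -> tuple:
    """Returns (repr of the config, the redacted log line) for inspection."""
    os.environ["THIRD_PARTY_TOKEN"] = "tok_constructed_example_123"  # constructed value
    cfg = load_config()

    buf = StringIO()
    logger = logging.getLogger("demo.secrets")
    logger.handlers.clear()
    logger.propagate = False
    handler = logging.StreamHandler(buf)
    handler.addFilter(RedactSecretsFilter(["THIRD_PARTY_TOKEN"]))
    logger.addHandler(handler)
    logger.setLevel(logging.DEBUG)

    # The careless debug dump of the whole environment: the filter masks the token.
    logger.debug("env=%s", dict(os.environ))
    return repr(cfg), buf.getvalue().strip()


if __name__ == "__main__":
    print(*demo(), sep="\n")
```

The filter is attached to the handler rather than the logger so it also covers records that propagate in from child loggers; it only knows about the variable names you list, so it is a safety net for the environment-variable phase, not a substitute for keeping the secret out of the process environment in the first place.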

Flexibility

Environment Variables

They are typically straightforward to use. They can be used in applications without any additional setup, but the catch is that they become nerve-wracking to maintain once you have a large number of keys multiplied by multiple environments.

Secrets Manager

The best thing about a Secrets Manager is that it offers more flexibility when it comes to managing secrets centrally. It allows you to store not just key-value pairs but complex data structures as well. It tops that off by providing APIs and SDKs for accessing secrets programmatically, making integration with your apps much easier.

Management

Environment Variables

Environment variables might be the quickest way to get started, but managing them becomes tough because it often involves manual processes such as updating the configuration on each system individually. Since that involves human intervention, it can result in inconsistencies and potential security risks if not handled properly.

Secrets Manager

A Secrets Manager gives us centralized management of secrets, allowing us to easily CRUD them through its interface or APIs. It also supports neat features like automatic rotation of secrets, helping us maintain secrets without human intervention.
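The two points above that matter most in application code are the SDK access and the rotation without human intervention: if the app reads a secret once at start-up and caches it forever, a rotation at the service side silently breaks the app. The following is an added example (not code from the original post or from Google) of a small accessor with TTL-based caching and structured (JSON) payloads. The `fetch_from_google_secret_manager` function uses the real `google-cloud-secret-manager` client and the real resource-name format, but it is imported lazily and never called by the demo, which runs offline against a constructed in-memory store; `my-project` and `third-party-api` are placeholder names.

```python
"""Added example: a cached secret accessor that picks up rotated values after a
TTL and parses structured secrets. Illustrative code; not from the post."""
import json
import time
from typing import Callable, Optional


def resource_name(project: str, secret: str, version: str = "latest") -> str:
    """Google Secret Manager resource name (real format; names are placeholders)."""
    return f"projects/{project}/secrets/{secret}/versions/{version}"


def fetch_from_google_secret_manager(name: str) -> str:
    """Production fetch via the real client library (pip install google-cloud-secret-manager).
    Imported lazily so the rest of this file runs without the library installed."""
    from google.cloud import secretmanager
    client = secretmanager.SecretManagerServiceClient()
    response = client.access_secret_version(request={"name": name})
    return response.payload.data.decode("utf-8")


class SecretCache:
    """Caches each secret for ttl_seconds, then re-fetches so a rotated value
    reaches the app without a restart. The fetch function and clock are
    injectable so the behaviour can be exercised offline."""

    def __init__(self, fetch: Callable[[str], str], ttl_seconds: float = 300.0,
                 clock: Callable[[], float] = time.monotonic) -> None:
        self._fetch = fetch
        self._ttl = ttl_seconds
        self._clock = clock
        self._entries: dict = {}        # name -> (fetched_at, value)
        self.fetch_count = 0            # how often the backend was actually called

    def get(self, name: str) -> str:
        now = self._clock()
        hit = self._entries.get(name)
        if hit is not None and now - hit[0] < self._ttl:
            return hit[1]
        value = self._fetch(name)
        self.fetch_count += 1
        self._entries[name] = (now, value)
        return value

    def get_json(self, name: str) -> dict:
        """For secrets stored as a JSON document rather than a bare token."""
        return json.loads(self.get(name))

    def invalidate(self, name: Optional[str] = None) -> None:
        """Drop one entry (or all), e.g. after an auth failure hinting at rotation."""
        if name is None:
            self._entries.clear()
        else:
            self._entries.pop(name, None)


class FakeSecretStore:
    """Constructed stand-in for the real service so the example runs offline."""

    def __init__(self) -> None:
        self._data: dict = {}

    def put(self, name: str, value: str) -> None:
        self._data[name] = value

    def fetch(self, name: str) -> str:
        if name not in self._data:
            raise KeyError(f"secret not found: {name}")
        return self._data[name]


class FakeClock:
    """Controllable clock so TTL expiry can be simulated without sleeping."""

    def __init__(self) -> None:
        self.t = 0.0

    def __call__(self) -> float:
        return self.t

    def advance(self, seconds: float) -> None:
        self.t += seconds


def demo() -> tuple:
    """Walks through a rotation: returns (first, cached, stale, fresh, fetch_count)."""
    store, clock = FakeSecretStore(), FakeClock()
    name = resource_name("my-project", "third-party-api")  # placeholder names
    store.put(name, json.dumps({"token": "tok_v1"}))          # constructed payload
    cache = SecretCache(store.fetch, ttl_seconds=60, clock=clock)

    first = cache.get_json(name)["token"]    # backend call #1
    cached = cache.get_json(name)["token"]   # served from cache
    store.put(name, json.dumps({"token": "tok_v2"}))          # rotation at the service
    stale = cache.get_json(name)["token"]    # still v1: TTL not expired
    clock.advance(61)
    fresh = cache.get_json(name)["token"]    # backend call #2 picks up v2
    return first, cached, stale, fresh, cache.fetch_count


if __name__ == "__main__":
    print(demo())
```

The TTL bounds how long the app keeps using a rotated-out value when reading `versions/latest`; if that window is unacceptable, pin a specific version in the resource name and switch versions deliberately, and call `invalidate()` when the downstream API rejects the credential.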

Summary

For storing secrets, a Secrets Manager is the best choice.

Secrets Manager services are available on Google Cloud Platform as well as on AWS.

P.S. Feel free to reach out to me if you need a hand setting up a Secrets Manager in your application.