Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Proposal: Improved secrets management #58

Open
timbod7 opened this issue Aug 28, 2021 · 3 comments
Open

Proposal: Improved secrets management #58

timbod7 opened this issue Aug 28, 2021 · 3 comments

Comments

@timbod7
Copy link
Contributor

timbod7 commented Aug 28, 2021

Inspiration:

https://www.fpcomplete.com/blog/announcing-amber-ci-secret-tool/

Implementation:

An assymetric keypair is created in AWS KMS (Key Managment System). The public half of the key is exported to the infrastructure code repo. The private key never leaves (in fact cannot leave) the KMS system.

Secrets are stored in a json file in the infrastructure code repo. The json file is not encrypted, but each individual secret is. An example secrets file:

{
   "encryption_public_key" : "...",
   "secrets": {
       "db_password": "MIB234Sdf@#$5Ssdfsf3234sffSEWR#$TG%^&^&ED#$%#%^DVGXRT%^KLO$%%",
       "auth0_access_key": "...etc...",
   } 
}

A command line tool would be available to developers to add/update secrets in the above file. Note that this tool functions without access to live AWS. With the public key in the file, secrets can be written, though not read. That way developers with access to the git repo can update secrets, revert them, and see when they have changed, but not decrypt and view them.

This file would be mirrored into S3 via the generated terraform.

Server side applications would specify secrets in config via a new ADL types:

union Secret {
   String cleartext;
   String encrypted;
}

In the server config file, with the current approach a secret present in cleartext would appear as:

{
     ...
     "db_password" : {"cleartext",  "xyzzy"},
     ...
}

Going forward, however, the existing camus2 config interpolation would interpolate the encrypted secrets:

{
     ...
     "db_password" : {"encrypted",  "MIB234Sdf@#$5Ssdfsf3234sffSEWR#$TG%^&^&ED#$%#%^DVGXRT%^KLO$%%"},
     ...
}

the server code would be permissioned to access AWS KMS in order to be able to decrypt such secrets
as required.

Benefits:

  • secrets are managed and versioned with git, with associated audit history
  • other than on initial import, devops never see or deal with cleartext secrets
  • no error prone manual management of secrets in the AWS secrets manager
  • no cleartext secrets present anywhere, except in server memory on use
  • encryption private key never leaves AWS KMS
  • access to decryption is controlled via AWS IAM permissions and roles.
@barryskal
Copy link
Member

Looks great @timbod7
Just one question:

A command line tool would be available to developers to add/update secrets in the above file

Would it be possible to get the tool to also read secrets? I know that we would probably keep copies of some secrets in a project specific bitwarden or similar. However, that will only store 1 copy of the secret. If I check out a really old code version, I may want to see what value was used for the secret.

@paul-thompson-helix
Copy link
Member

Would java server code use the AWS SDK to use AWS KMS to decrypt such secrets
as required ?

@paul-thompson-helix
Copy link
Member

How would DB password work (on the DB side?)

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
3 participants
@timbod7 @barryskal @paul-thompson-helix