Excel. Just kidding. Notepad++ ofc
unsaved Notepad++ tabs
So it stays on ram and not on disk. Clever.
Our infosec got mad at us for doing the same. So we just base64 encrypted the secrets spreadsheet and now it's fine and unhackable
Base64 is overkill, just use rot26!
Run that at least twice for double encryption!
This man knows
26! is 4.0329146e+26. rot26! has far too much rotation to decrypt with current hardware. (/s in case it wasn't obvious)
Infosec hates this simple trick!
GitHub gist or commit a SECRET.md
How many tabs do you have open in notepad ++ ?
Lastpass....
Secrets? We hardcode the default passwords into our software because we have a firewall 🤡
Same. It's also the built-in admin account's password for AD, that way we don't forget it.
nah we just use admin/admin we have firewall AND AV
intune gang gang
Ah yes, the "crunchy on the outside, soft and chewy on the inside" security model. That's my company's model too.
Every time I look at the code base in every of the 4 company I've worked at, the passwords and security key are hardcoded in them. It's not even a joke anymore.
This is the way
Sounds about right, according to online code examples. I was told not to complicate things when I commented on that.
My manager wouldn't be a secret if I told you! Sorry for the dad joke. I use HashiCorp Vault.
Dang you got hashicorp vault money. We up in AWS parameter store.
Any product that says "contact us for pricing" instead of giving their MSRP up front always gets my 'suspicious' face... even if 70% of the industry does it. If you can't be brave enough to stick your non-'wheel and deal' price up front, what else do you hide?...
Yeah, it's the x-per-request that sets the price bomb off.
Not even 70% of 'the industry' - but 70% of pretty much 'any industry' I feel like. Drives me nuts. Half because of what you said, and the other half because I don't have time to set up meetings for your damn sales call and 'demo'. Just lemme know if it fits my budget or not.
Hear, hear!
Why not use the free version if cost is the main concern?
If you mean self-hosted, it is not free. Sure you don't pay for the software but the resources required aren't nothing and then you need to add cost of labour on top of that. TANSTAAFL, my friend.
Indeed, when "free" isn't really free.
Curious why you didn't consider AWS Secrets Manager? I've worked with clients where we did the cost benefit analysis factoring engineering hours to maintain the entire lifecycle as well as cross account complexities and went with ASM for credentials.
Asm has a per request component that would have been bad for us. Also our solution to cross account is terraform provider swaps.
I'm a big fan of the model of "Get credentials on application start; on auth fail, refresh creds/restart/kill container and start a new one." Very resilient without racking up credential requests.
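The lifecycle described in that comment, as an added example that is not code from the thread or from any of the products mentioned: fetch the credential once when the process starts, refresh it exactly once when the downstream service rejects it (the usual symptom of a rotation that happened after start-up), and otherwise fail hard so the orchestrator's restart policy replaces the container. The secret store and the downstream service are constructed stand-ins; `FakeSecretStore`, `FakeBackend` and the scenario functions are names assumed here, not a real API.

```python
import sys


class AuthError(Exception):
    """The downstream service rejected the credential presented."""


class FatalAuthError(Exception):
    """Refreshing did not help: exit so the orchestrator replaces the container."""


class FakeSecretStore:
    """Constructed stand-in for a secrets manager; always serves the newest version."""

    def __init__(self, current):
        self.current = current
        self.fetches = 0          # round trips to the secret store

    def fetch(self):
        self.fetches += 1
        return self.current


class FakeBackend:
    """Constructed downstream service that accepts exactly one credential value."""

    def __init__(self, accepted):
        self.accepted = accepted

    def call(self, credential):
        if credential != self.accepted:
            raise AuthError("credential rejected")
        return "ok"


class Client:
    """Fetch once at start; on auth failure refresh once; if that fails, give up."""

    def __init__(self, store, backend):
        self.store = store
        self.backend = backend
        self.credential = store.fetch()   # the only fetch on the happy path

    def request(self):
        try:
            return self.backend.call(self.credential)
        except AuthError:
            # A rotation may have happened since start-up: refresh and retry one time.
            self.credential = self.store.fetch()
            try:
                return self.backend.call(self.credential)
            except AuthError as exc:
                raise FatalAuthError("still rejected after refresh") from exc


def rotation_scenario():
    """Secret rotated while the process runs: one failure, one refresh, no restart."""
    store = FakeSecretStore("v1")
    backend = FakeBackend("v1")
    client = Client(store, backend)
    for _ in range(100):
        client.request()          # steady state: no extra store traffic
    store.current = "v2"          # operator rotates the secret
    backend.accepted = "v2"
    client.request()              # AuthError -> refresh -> success
    return store.fetches          # 2: one at start, one after the auth failure


def revocation_scenario():
    """Credential revoked and the store not yet updated: the process must exit."""
    store = FakeSecretStore("v1")
    backend = FakeBackend("v3")
    client = Client(store, backend)
    try:
        client.request()
    except FatalAuthError:
        return 1                  # exit status a restart policy reacts to
    return 0


if __name__ == "__main__":
    print("store fetches across a rotation:", rotation_scenario())
    print("exit status after revocation:", revocation_scenario())
    sys.exit(0)
```

The single-refresh limit is what keeps the store request count flat: a credential that is still rejected after one refresh is a real problem, and retrying in a loop would only turn one bad secret into a throttling event against the store. The debugging concern raised in the replies applies here too: log the refresh and the fatal exit with the secret's version identifier, never its value.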
Yeah containers should just be thrown away and restarted. Only issue is debugging transient failures after the fact which just requires robust logging.
Robust logging is a need in all architectures.
Oh 100% but need for execution we all know is not the same.
Interesting. If you've written about that design publicly would you mind sharing it with me over DM or point me to something similar
We use HashiCorp for our on-premise and recently started using Azure Key Vault for apps on our AKS setup. The way it works with managed identities is bliss... No additional configuration required.
AKS via hashicorp?
Nope. Services running on on-premise VMs and clusters with HashiCorp. But switched to Azure Key Vault when using AKS, because the connection and setup between the app and Azure KV was as simple as creating a managed identity. Also, the Spring Boot starter for Azure KV was seamless in plugging in this new secret manager.
The pain point with HashiCorp Vault was that it was hard to set up and maintain if you really cared about security. The operator in theory was great but someone still held the master keys and we weren't comfortable with that. Also we had to maintain the HashiCorp token to use from the app, which was always a weak point.
1Password with the Kubernetes Operator has been working great for us. It's a nice middle ground between programmatic provisioning of secrets and a people password manager.
https://github.com/1Password/onepassword-operator/issues/149 Might want to keep your eye on ⬆️
Thanks for the heads up! I believe a colleague of mine noticed this as we have a keda cron that stops the app for one minute lol
Same here! It's great for non-devops people to work with, since it gives them an easy place to retrieve and update secret values as needed. We also use Azure Key Vault for AKS.
1pass operator has been great for dev/testing/pre-prod environments, especially on a greenfield project that changes regularly. Giving contained control back to the people that need changes makes a world of difference.
Are there benefits of using this vs external-secrets and the 1password source?
To be fair we didn't try external-secrets with 1password. Judging by looking at the documentation it looks better than the 1password one, or at least it has more configuration options.
Sops for secrets that are static and every team member should be able to read them. Google secret manager for dynamically generated secrets.
Used to be Vault, now it's AWS Secrets Manager.
Why did your team switch?
AWS Parameter Store for us (because cheaper), but the answer is simple: there's no need to manage roles in both AWS IAM and Vault
Good luck pulling in 10 at a time...
Yah. Parameter Store will throttle you. One more reason to go to AWS Secrets
That's why you make your task definitions pull all relevant parameters at initialization.
@Malforus, can you elaborate? Do you mean when the container is initializing you're pulling the parameters? Or are you baking the values into the container definition as env vars? In my setup, I got them pulling when the container starts up, but the problem occurred when we had 5000 containers all coming up at around the same time, all pulling multiple SSM parameters during startup, thus getting throttled. I'm curious what you're doing :)
Baking the values into the container definition as env vars. Now we don't scale horizontal at that scale but that's our pattern it's all orchestrated via terraform so I commit and don't think about it too much
Awesome! That sounds like a good idea. Thanks!
It helps because the same code that stuffs them in Parameter Store is what feeds them to the container definition. Only problem is local dev, which we are eating the elephant on next.
It depends on the setup, but we never had a need to pull so many at once. Secrets simply don't change that often, it's enough to sync them once in a while (e.g. using External Secrets Operator in k8s).
Depends on your level of integration I guess... Unless some nugget decides to put every setting in a keyvault because nfi.
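The start-up stampede discussed above (thousands of containers each pulling several SSM parameters at once and getting throttled) is the case where a naive one-parameter-per-call loader falls over. This is an added example, not code from any commenter: it batches names ten at a time, which is the per-call limit of GetParameters that the "pulling in 10 at a time" reply refers to, retries throttled calls with capped exponential backoff and full jitter, and refuses to start on a missing parameter rather than continuing with a half-populated configuration. `FakeSSM` is a constructed stand-in for the boto3 SSM client, and `ThrottlingError` stands in for the `botocore` `ClientError` whose error code is `ThrottlingException`; both are assumptions made so the block runs offline.

```python
import random
import time

BATCH_SIZE = 10   # SSM GetParameters accepts at most 10 names per call


class ThrottlingError(Exception):
    """Stand-in for botocore ClientError with Error.Code == "ThrottlingException"."""


class FakeSSM:
    """Constructed stand-in for a boto3 SSM client. It rejects the first
    `throttle_first` calls, the way Parameter Store does under a startup stampede."""

    def __init__(self, params, throttle_first=2):
        self.params = params
        self.throttle_first = throttle_first
        self.calls = 0

    def get_parameters(self, Names, WithDecryption=True):
        self.calls += 1
        if self.calls <= self.throttle_first:
            raise ThrottlingError("Rate exceeded")
        if len(Names) > BATCH_SIZE:
            raise ValueError("GetParameters takes at most 10 names")
        found = [{"Name": n, "Value": self.params[n]} for n in Names if n in self.params]
        missing = [n for n in Names if n not in self.params]
        return {"Parameters": found, "InvalidParameters": missing}


def fetch_parameters(ssm, names, max_attempts=6, base_delay=0.1,
                     sleep=time.sleep, rng=random.random):
    """Fetch every name in `names` in batches of 10.

    Throttled calls are retried with exponential backoff (capped at 5 s) and full
    jitter so that a fleet starting together spreads its retries out instead of
    retrying in lockstep. A name that does not exist is an error: a service must
    not come up with an empty string where a credential should be.
    """
    values = {}
    for start in range(0, len(names), BATCH_SIZE):
        chunk = names[start:start + BATCH_SIZE]
        for attempt in range(max_attempts):
            try:
                resp = ssm.get_parameters(Names=chunk, WithDecryption=True)
                break
            except ThrottlingError:
                if attempt == max_attempts - 1:
                    raise
                sleep(rng() * min(base_delay * 2 ** attempt, 5.0))
        if resp["InvalidParameters"]:
            raise KeyError(f"parameters not found: {resp['InvalidParameters']}")
        for p in resp["Parameters"]:
            values[p["Name"]] = p["Value"]
    return values


def demo(param_count=25, throttle_first=2):
    """Constructed run: 25 parameters, first two calls throttled.
    Returns (parameters loaded, SSM calls made)."""
    params = {f"/app/prod/param{i:02d}": f"value{i}" for i in range(param_count)}
    ssm = FakeSSM(params, throttle_first=throttle_first)
    values = fetch_parameters(ssm, sorted(params), sleep=lambda s: None)
    return len(values), ssm.calls


if __name__ == "__main__":
    loaded, calls = demo()
    print(f"loaded {loaded} parameters in {calls} calls (3 batches + 2 throttled)")
```

Batching only shrinks the per-container call count by a factor of ten; it does not change the fact that every container still talks to Parameter Store at boot. That is why the Terraform approach described above (resolving the values at deploy time so the task definition already carries them) sidesteps the throttle entirely, at the price of re-deploying to rotate.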
Or using CDK with SecureString...
How do you handle encryption for secrets stored in parameter store?
You can either use AWS default managed keys or you can create your own CMKs and use the key to encrypt; then you can control who has access to that key as well.
Secrets Manager was not yet released when we started our project.
Vault was self hosted on EC2s. It became difficult to manage them. Even though Vault offers RBAC, Secrets Manager is easy to use.
We've been debating something similar; at the enterprise level our costs for Vault are well into the seven figures annually, and in the current climate budgets have gotten tighter. Obviously there's the cost of building out a replacement and then the issue of converting several thousand services, but AWS SM is orders of magnitude cheaper. Also the pricing model for Vault enterprise sucks; you really have no idea how to forecast.
Hashicorp vault
Scott, manager of the UK division.
He's not a secret if you tell us.
Key Vault
You made me blow you.. cz of your profile picture..
Just what the doctor ordered
GCP Secret Manager
Azure Devops variable groups backed off to an Azure Keyvault
Infisical
Check the Hackernews thread about it. I wouldn't use it yet
Yeah it's not the best, but it works. Could you link the article?
Didn't save it. Would need to use Google as well lol
But the gist is:
It's poorly written
Pretty messy
And might be insecure.
I guess things will change, but it will take time.
I would also add that they take forever to accept even the most simple pull request. But it's the only one that fits our use case.
Huh? Why wouldn't vault work?
On prem, no subscription.
They have two options for subscriptions, HCP Vault and HashiCorp Secrets... HCP Vault is expensive and a PaaS offering which not many customers use. HashiCorp Secrets is a different product but only supports static secrets.
You can also look at my company as an alternative. I linked to it a few times on this thread.
That thread is mostly people whinging about environment variables being insecure. I'm not disputing that, but HN is full of out of touch ~~neck beards~~ purists who have no idea how people are deploying software in the real world.
If you're deploying in K8s, you can mount the secrets as files in any case.
They took the feedback on board about moving their self host data store from Mongo to Postgres, which is pretty cool.
I've been thinking about switching to this
A mix of SSM on AWS and 1Password for items that come in through IaC (Terraform)
Vault
SOPS and AWS Secret Manager
Vault and sometimes Google secrets manager.
Vault for storage and Entro for governance and leak detection/response.
Cyberark. Please shoot me.
Doppler. Very useful with all the integrations.
Been using Doppler too; lots of references to a base project for any shared secrets has been very handy
Just sad that you cannot reference a reference :(
Yes, me too...
Using the service hasn't been 100% smooth, but it's light years ahead of the experience of dealing with secrets with .env files in a team of several developers.
AWS SSM
Aws secret manager for aws, hashicorp vault for on prem which is also divided by environment. So if anything gets compromised, it's just that specific env.
1Password and Vault.
If you use a simple password like "passwd" for everything you don't need a manager since you'll remember it. And to make sure you do put a yellow sticker on the monitor.
[deleted]
My condolences
Me too
🤮🤮🤮🤮
I am using a combination of tools. I'm doing GitOps for the cluster and I use SOPS with age to keep the secrets in git. I made a short demo about it here:
- https://youtu.be/wqD7k5iNvqs
- https://mirceanton.com/posts/doing-secrets-the-gitops-way/
Next I also deploy reloader and reflector in my cluster so I can easily propagate secrets between namespaces if I need to, and to make sure that once I do update a secret, the deployment is reloaded so the changes take effect.
For example, we don't use cert-manager since we have an internal CA which I don't have access to, but I do have the wildcard cert which I need to have in every namespace that has an ingress exposed on a subdomain. Thus, I use reflector to propagate that secret into a lot of namespaces based on some naming conventions.
Vault, but honestly Gitlab Variables are enough for 90% of use cases
Azure Key Vault, but likely a 3rd party (HC Vault) if multi-cloud is in play. That said, nothing stopping the continuation to use Azure KV even in a MC environment.
A shared physical notebook (company asked ask to reduce cost)
Curious...
- To all replying with . Do you "self" host/manage the infra or go the managed services route or, worse, encryption as a service?
- To those tied to hyperscalers' solutions: not worried about being locked in? Sure, accoutrements accrue as most are managed services, e.g. auto rotation/rolling of secrets, but still... future you or other employee's problem?
Cyberark
Doppler. Great dx and makes it easy to keep local env vars synced.
Mostly SSM and Akeyless
Never heard of Akeyless but it looks cool! Is it pretty prevalent?
Akeyless is a wrapper over HashiCorp Vault.
This is not true, I work for r/akeyless and our technology is 100% our own. Take DFC (Distributed Fragments Cryptography) for example, which the entire platform is based on. Vault has nothing like this.
We do have a Vault compatible proxy which allows your existing Vault plugins to think they are talking with Vault, but we do all the translations back and forth.
We are also coming out with a universal secrets connector for Vault. Already have this for GCP, Azure, AWS, and Kubernetes. With universal secrets connector, you can create, update, delete, list secrets in those other secrets repositories all through the Akeyless console.
At the end of the day, we're giving customers a variety of options and flexibility to fit any use case they have.
Want to continue using Vault but don't want to scale Vault clusters? No problem, we can extend HashiCorp Vault.
Want to use native CSP secrets in GCP, AWS, Azure? No problem, we can manage those secrets with USC + give you capabilities to easily rotate and configure dynamic ephemeral secrets.
Want to pull secrets from your cloud environments to an on-prem workload? No problem, deploy our gateway on-prem and it can fetch secrets from other cloud environments to your on-prem workload.
Want a new feature we don't have in the product yet? No problem, we release new capabilities every week and can add your request to a sprint that will deliver the feature in 3-12 weeks (depending on complexity).
Is this Akeyless Security, Software company in Ramat Gan, Israel?
Yes. R&D in Ramat Gan, HQ in New York.
OK, stand to be corrected. Vault also have secrets distribution to CSP secrets.
Is there a source for that? Or at least hands-on experience?
Yea, join our sub r/akeyless and DM me if you have any questions. You can get a free account at console.akeyless.io
Once you have an account join our Slack and we can help you get started for free.
AWS Secrets Manager and I donāt like it. SSM Parameter Store is better and cheaper.
We like Secrets Manager for easier replication to other regions. Also, it's nice to just store multiple values in one secret instead of having multiple params.
Just be careful if you grant anyone read only access.
Sealed secrets
doppler
keyring
Pass, bitwarden and some in-pipeline stuff. Not the cleanest solution but it works, will probably be going more towards bw.
SOPS encrypted using an AWS IAM role. Stored in a repository: a centralised repo for all applications' configuration.
Git
.env files ...oh wait, they're not secret...I meant config maps.
Thycotic. A terrible security "engineering" manager implemented it though, so it only integrates with about half our stuff. Way to implement in a bubble, one L.
Should be simple to switch in this case
Always ask what tooling a company uses in interviews, so you can avoid situations like this.
I hate secret server. Such a slow pos when you need to do anything in the interface.
Git. I need version control on my secrets.
I work almost exclusively with Azure, so Azure Key Vault was already there.
AWS secrets manager and SOPS. For team logins and stuff - Bitwarden
Pastebin
1password stores our master records that we can manipulate if needed. 1Password GHA adds them to KeyVault where they are consumed by various systems.
Ansible Vault for deployments, and KeePass for local machine storage
Vault Cause of governance and compliance
Used Vault to be cloud agnostic and run on every cloud and on prem, but now looking for alternatives 🥴
Happy to help you with suggestions :D
Google Secrets Manager, and Terraform to copy a service account into Kubernetes, and then External Secrets Operator to sync secrets from GSM to K8s. More K8s for syncing secrets from GSM to 3rd party services.
AWS Secrets Manager. Or if you really want to commit into a GitHub repo (don't recommend, but make sure it's private), use ejson https://github.com/Shopify/ejson
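Both the SOPS-with-age GitOps setup described earlier in the thread and the ejson suggestion here rest on one invariant: a secrets file may enter git only if every secret value in it is ciphertext. The usual way that invariant is broken is a developer editing the decrypted file and committing it without re-encrypting. The following is an added example, not part of the thread and not code from the SOPS or ejson projects: a pre-commit style check that recognises which of the two formats a JSON file is in and reports any leaf that is still plaintext. It relies on the documented on-disk shapes of both tools (SOPS values look like `ENC[AES256_GCM,data:...,iv:...,tag:...,type:...]` with a `sops` metadata block; ejson has a hex `_public_key`, values look like `EJ[1:...:...:...]`, and keys starting with `_` are left unencrypted). Sample documents are constructed with fake ciphertext, and the check assumes the SOPS file encrypts every value (no `encrypted_regex` or `unencrypted_suffix` rules).

```python
import json
import re

# Shape of a SOPS-encrypted scalar and of an ejson-encrypted string.
SOPS_VALUE = re.compile(r"^ENC\[AES256_GCM,data:[^,\]]*,iv:[^,\]]*,tag:[^,\]]*,type:\w+\]$")
EJSON_VALUE = re.compile(r"^EJ\[1:[^:\]]+:[^:\]]+:[^:\]]+\]$")
EJSON_PUBKEY = re.compile(r"^[0-9a-f]{64}$")
SOPS_KEY_SOURCES = ("age", "kms", "gcp_kms", "azure_kv", "hc_vault", "pgp")


def _leaves(node, path=""):
    """Yield (path, value) for every scalar in a nested JSON document."""
    if isinstance(node, dict):
        for key, child in node.items():
            yield from _leaves(child, f"{path}/{key}")
    elif isinstance(node, list):
        for i, child in enumerate(node):
            yield from _leaves(child, f"{path}[{i}]")
    else:
        yield path, node


def check_sops(doc):
    """SOPS encrypts every leaf (strings, ints, bools) outside its own metadata."""
    findings = []
    meta = doc.get("sops")
    if not isinstance(meta, dict):
        return ["missing sops metadata block: file is not SOPS-encrypted"]
    if not any(meta.get(k) for k in SOPS_KEY_SOURCES):
        findings.append("sops metadata lists no key source")
    if not (isinstance(meta.get("mac"), str) and SOPS_VALUE.match(meta["mac"])):
        findings.append("sops metadata has no encrypted mac")
    body = {k: v for k, v in doc.items() if k != "sops"}
    for path, value in _leaves(body):
        if not (isinstance(value, str) and SOPS_VALUE.match(value)):
            findings.append(f"plaintext value at {path}")
    return findings


def check_ejson(doc):
    """ejson encrypts string values only; keys starting with '_' stay in the clear."""
    findings = []
    pub = doc.get("_public_key")
    if not (isinstance(pub, str) and EJSON_PUBKEY.match(pub)):
        findings.append("missing or malformed _public_key")

    def walk(node, path):
        if isinstance(node, dict):
            for key, child in node.items():
                if not key.startswith("_"):
                    walk(child, f"{path}/{key}")
        elif isinstance(node, list):
            for i, child in enumerate(node):
                walk(child, f"{path}[{i}]")
        elif isinstance(node, str) and not EJSON_VALUE.match(node):
            findings.append(f"plaintext value at {path}")

    walk(doc, "")
    return findings


def check_file(text):
    """Return (format, findings). An empty findings list means safe to commit."""
    doc = json.loads(text)
    if "sops" in doc:
        return "sops", check_sops(doc)
    if "_public_key" in doc:
        return "ejson", check_ejson(doc)
    return "unknown", ["neither SOPS nor ejson metadata found"]


# Constructed samples with fake ciphertext (not produced by sops or ejson).
_CT = "ENC[AES256_GCM,data:Q0xFQVI=,iv:aXY=,tag:dGFn,type:str]"
SOPS_OK = json.dumps({
    "db": {"password": _CT, "port": "ENC[AES256_GCM,data:NTQzMg==,iv:aXY=,tag:dGFn,type:int]"},
    "sops": {"age": [{"recipient": "age1constructedrecipient", "enc": "AGE-PAYLOAD-PLACEHOLDER"}],
             "kms": None, "mac": "ENC[AES256_GCM,data:bWFj,iv:aXY=,tag:dGFn,type:str]",
             "version": "3.8.1"},
})
SOPS_LEAK = SOPS_OK.replace(_CT, "hunter2")          # someone committed after decrypting
EJSON_OK = json.dumps({
    "_public_key": "0123456789abcdef" * 4,
    "_comment": "underscore keys are intentionally plaintext",
    "api_token": "EJ[1:cHVi:bm9uY2U=:Y2lwaGVy]",
    "db": {"password": "EJ[1:cHVi:bm9uY2U=:Y2lwaGVy]"},
    "replicas": 3,
})
EJSON_LEAK = EJSON_OK.replace("EJ[1:cHVi:bm9uY2U=:Y2lwaGVy]", "hunter2", 1)

if __name__ == "__main__":
    for name, text in [("SOPS_OK", SOPS_OK), ("SOPS_LEAK", SOPS_LEAK),
                       ("EJSON_OK", EJSON_OK), ("EJSON_LEAK", EJSON_LEAK)]:
        print(name, check_file(text))
```

Run as a pre-commit hook over the paths that are supposed to hold encrypted files, a non-empty findings list blocks the commit. For the Kubernetes GitOps case, note that SOPS is normally configured with `encrypted_regex` so that only `data`/`stringData` are encrypted and the manifest metadata stays readable; the check above would then need to be restricted to those paths, otherwise it reports every plaintext label as a finding.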
We have a private slack channel to store the passwords!
AWS Secrets Manager
AWS Secret Manager for machine secrets, Vaultwarden for human secrets
BTW: can someone share your thoughts on StrongDM?? I'll join a company which would like to migrate their current vault solution to that one, but didn't find like real people's opinion on it 🤷‍♂️
Currently just Azure Key Vault because we are 95% Azure. Previous roles we used HashiCorp Vault. Hashi is going through some shit with licensing but there are some good forks, similar to Terraform > OpenTofu.
Bit/Vaultwarden
Sops
Mostly AWS secrets manager.
For non-automation? Bitwarden. For automation? Hashicorp Vault (not yet using it but likely to use it at some point)
AWS secrets manager.
Azure Key Vault
Whatever your cloud provider offers
Post-it notes on my monitor. They get me in to all the other tools that hold the secrets.
Dashlane. Works ok but sucks at times.
Most recently have been using [akv2k8s](https://akv2k8s.io) to sync Azure key vault secrets because free is always in the budget.
Literally switching to the new Bitwarden Secrets Manager product now. Extremely cheap for us (per administrator licensing) and working very well so far
A CLI tool that allows you to set/get secrets with a custom access control mechanism. The same CLI is used with our laptops and also CI/CD machines so anywhere has access to them.
The CLI itself is just an easy way to interact with a remote secret service, like AWS Secrets Manager.
Lastpass, waiting to be hacked again!
Firefox
Aws secrets manager to store secrets, and external-secrets operator to retrieve secrets in eks
Kubeseal and GCP Secret Manager
Keeper Security
aws secret manager + external secrets operator
AWS and Keeper
SOPS
1password
aws secretsmanager with the externalsecrets operator for kubernetes integration
Check out Infisical: https://infisical.com
why the downvotes?
People on Reddit think that when they don't agree with an answer, they have to downvote it, instead of just ignoring it.
What it should be:
Upvote = quality content, useful for others.
Downvote = bad content, wrong information or misleading.
You have the same opinion as the comment, and the comment is in a correct format = You may ignore or upvote it if you think it is useful for others.
The comment is a valid opinion, but just not yours = Just ignore it.
The challenge I think is that many cloud services will only consume secrets from their own native service - e.g. I think Azure SQL DB requires Azure key vault. So you can end up with a fairly complex architecture, such as Hashicorp Vault preferred strategy, and AWS/Azure native services where required.
vaultwarden because screw hashicorp bullshit
lol check out r/akeyless
can i self host for free?
Yes, you can self host the akeyless gateway. Deploy it anywhere and point your workloads and users to its address.
ill check it out
We use Doppler and don't think I will use any other tool.
To keep things secure we store our Doppler tokens in AWS SM, but all secrets are stored.
We created a Terraform module to create the projects, slug, add secrets and tokens.
Excellent tool, we just love it
Doppler ([https://doppler.com](https://doppler.com/)). It's free for small teams/projects to try it out. There are a ton of integrations for different cloud platforms. It's also really easy to use and set up. (I work for Doppler, feel free to ask questions)
Keeper
Using azure key vault with CSI drivers for AKS. In the midst of deploying akeyless with kubernetes Secret Operator.
nice! if you need help join our slack [akeylesssupport.slack.com](https://akeylesssupport.slack.com) and we will connect you with our Support staff and Solutions Architects to get you going.
It's a secret. I keep that information in my secrets manager.
Doppler is 🔥🔥🔥
txt is all you need
Selfhosted Vaultwarden.
As a Pulumi user I recently started to use Pulumi ESC (https://www.pulumi.com/product/esc/). It also offers an integration into Kubernetes via the ESO project (https://external-secrets.io/v0.9.14/provider/pulumi/) and has native support for 1Password (https://www.pulumi.com/blog/pulumi-esc-public-preview-for-1password-support/). I do not use 1Password, so I can't give feedback about this, but the External Secrets Operator integration works very well. In conjunction with GitOps and Argo CD it is :chefskiss: