undefined | Better HN

0 pointseropple8y ago0 comments

If you're not using AWS, the use of Parameter Store (or Credstash) becomes a turtles problem--because you need to provision AWS credentials. At that point, whatever you provisioned AWS credentials into might as well store your other secrets, too.

If you are using AWS, EC2 itself is a trusted third party that grants the appropriate permissions for your executing system (container, instance, whatever).

0 comments

ejcx8y ago

While this is true, it's something you can work with in the future, and it defined a secrets process earlier rather than later

If you do nothing you end up stuck with secrets in git history and you essentially have to roll them all.

So, my advice is generally SSM with no security is better than no secrets Management solution.

eroppleOP8y ago

If you do nothing, you end up with secrets manually provisioned by logging into a machine and splatting out a configuration file. Which is a more secure solution than a turtles-problem parameter store.

ejcx8y ago

You're assuming readers are managing snowflake servers, and I'm assuming they are in an containerized/autoscaling/more modern environment.

SSM wins for mine. I think you're right that the file approach wins for yours.

1 more reply

j / k navigate · click thread line to collapse

0 pointseropple8y ago0 comments

If you are using AWS, EC2 itself is a trusted third party that grants the appropriate permissions for your executing system (container, instance, whatever).

0 comments

ejcx8y ago

While this is true, it's something you can work with in the future, and it defined a secrets process earlier rather than later

If you do nothing you end up stuck with secrets in git history and you essentially have to roll them all.

So, my advice is generally SSM with no security is better than no secrets Management solution.

eroppleOP8y ago

ejcx8y ago

You're assuming readers are managing snowflake servers, and I'm assuming they are in an containerized/autoscaling/more modern environment.

SSM wins for mine. I think you're right that the file approach wins for yours.

1 more reply

j / k navigate · click thread line to collapse