As a security guy, I'm always worried about secrets living in Env variables because it's an easy place for them to leak. (Many loggers will automatically log env vars, for example.)
That's why many services, like Kubernetes, have moved away from this model by either serving the secrets up in a runtime-mounted file (like /var/secrets.yaml) or by requiring you to make an explicit API call (SecretsManager.readSecret("foo")).
From a security perspective, those paths require a much more difficult exploit like full Remote Code Execution (RCE) in order to leak values.
The downside is that it requires modifying application logic to migrate away from Env vars though. Usually it's pretty easy, but if you have tons of legacy code I'm sure that often presents a challenge.
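The file-mounted delivery path described above, alongside the env-var fallback that legacy code needs during migration, as an added example that is not part of the original comment. It assumes a hypothetical layout of one secret per file under a directory such as /var/run/secrets/app/<name> (the way Kubernetes Secret volumes are commonly mounted) and an upper-cased env-var name for the fallback; the sample values are constructed. The `env_leaks_secret` check stands in for a logger that dumps the whole environment, to show which path exposes the value.

```python
"""Secret loader that prefers a runtime-mounted file over an environment
variable, plus a check showing why the env-var path leaks into a naive
"dump everything" log line.

Assumptions (hypothetical, not from the comment): secrets are mounted
one-per-file under DEFAULT_SECRETS_DIR/<name>, and the legacy env-var name
is the upper-cased secret name.
"""
import os
import tempfile
from pathlib import Path
from typing import Mapping, Optional

DEFAULT_SECRETS_DIR = "/var/run/secrets/app"  # hypothetical mount point


def load_secret(name: str, secrets_dir: str = DEFAULT_SECRETS_DIR,
                env: Optional[Mapping[str, str]] = None) -> Optional[str]:
    """Return secret `name`, preferring the mounted file, falling back to env.

    The file is the migration target; the env fallback exists only so legacy
    deployments keep working until they are moved over.
    """
    path = Path(secrets_dir) / name
    if path.is_file():
        # A trailing newline is the usual artifact of `echo value > file`.
        return path.read_text(encoding="utf-8").rstrip("\n")
    env = os.environ if env is None else env
    return env.get(name.upper())


def env_leaks_secret(env: Mapping[str, str], secret_value: str) -> bool:
    """Simulate a logger that prints the whole environment and report whether
    the secret value would appear in that output."""
    dumped = "\n".join(f"{k}={v}" for k, v in sorted(env.items()))
    return secret_value in dumped


def demo() -> dict:
    """Build a constructed mount directory and compare both delivery paths."""
    with tempfile.TemporaryDirectory() as d:
        Path(d, "db_password").write_text("s3cr3t-from-file\n", encoding="utf-8")
        legacy_env = {"PATH": "/usr/bin", "DB_PASSWORD": "s3cr3t-from-env"}
        clean_env = {"PATH": "/usr/bin"}  # secret only reachable via the file
        return {
            # file present: it wins even though the env var is also set
            "file_wins_over_env": load_secret("db_password", d, legacy_env),
            # no mount: legacy fallback reads the env var
            "env_fallback": load_secret("db_password", "/nonexistent", legacy_env),
            # neither source: caller must handle None
            "missing": load_secret("db_password", "/nonexistent", clean_env),
            # an env dump exposes the env-delivered secret ...
            "legacy_env_leaks": env_leaks_secret(legacy_env, "s3cr3t-from-env"),
            # ... but not the file-delivered one
            "file_path_leaks": env_leaks_secret(clean_env, "s3cr3t-from-file"),
        }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Running `demo()` shows the two points from the comment side by side: the mounted file takes precedence whenever it exists, and a blanket environment dump carries the secret only when it was delivered through the environment. In a real migration the env fallback is what you remove last, once every deployment has the mount in place.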