The AWS tagging documentation explicitly tells you not to do this in a scary red box I promise, you want to pay attention when AWS tells you not to do something. It’ll show up in the AWS console, in logs, in billing files, in services like the little known but greatly admired Tag Editor that you almost certainly haven’t scoped access to, and so on.
This is to be avoided! AWS doesn’t consider tagging to be sensitive it’s “metadata” to them, which means they’re going to be treating it with a level of care you probably won’t like. You might also be tempted to do something “clever” like using resource tags within AWS. You could use Route 53 TXT records, which is a fun gag but seriously do not do this even if you like the chaotic energy of misusing a DNS service as a database security by obscurity is a bad plan when it comes to sensitive credentials. I want to store something called “ROOT_PASSWORD” and the value of the secret itself, such as “Kitty!”. At their heart, secrets are fundamentally key/value pairs. There’s a fourth category of using things outside of AWS such as Hashicorp’s excellent Vault product, or another cloud provider’s secret storage service I’m considering things like that out of scope for what I want to talk about today. There are a number of ways to do this with native AWS services, that I will divide into three categories: bullshit, reasonable, and controversial.
#SECRETS MANAGER COST UPDATE#
You want to find a way to maturely and sensibly store those secrets in ways that are centralized (so you don’t have to update every server / container / function whenever one changes), secure (so they remain secret), and accessible (in practice, there’s little difference between a service going down and you losing your credentials to talk to the service). Let’s further assume that you’re not a dangerous lunatic who hardcodes those secrets into your application code.
To communicate between them, your application invariably is going to need to store various credentials in some form usually these are username/password pairs or API keys. Very few applications are entirely self-contained we’ve collectively built an ecosystem that’s intertwined with dependencies between a variety of services and platforms. Let’s say you’re deploying an application onto AWS.
0 kommentar(er)
