by mosburger 3955 days ago
Hmmph. I just found a bunch of free AWS keys by searching for amazon.yml, too.

What is the best way to share things like API keys among a team of developers, anyway? I'm surprised this hasn't been solved already (perhaps it has and I just don't know about it). I know you can share passwords with tools like LastPass and 1Password, and I suppose you could use those for API keys as well?

It'd be nice if you could, e.g., include a gem in a Rails project, get a single key/password/token from one of the team members on that project, and use that w/ a third party API to set all the requisite API keys for all the third party services used on a project. You could also rotate the master password when team members leave the group.

6 comments

FWIW, Amazon proactively scans GitHub for AWS key leaks, notifies the account holder, and flags the account (they will disable the account if they start seeing active abuse and can't get in touch with the actual owner to get keys rotated). So any keys you find are going to get invalidated in short order.

They're also pretty good about forgiving the charges for the fraudulent use.

> What is the best way to share things like API keys among a team of developers, anyway? I'm surprised this hasn't been solved already (perhaps it has and I just don't know about it). I know you can share passwords with tools like LastPass and 1Password, and I suppose you could use those for API keys as well?

Here, we have an IAM account for each dev. Permissions are basically read anything except a few sensitive things (billing, IAM), plus the write permissions we need as operators. We each have our own console login password, and keep our own access keys locally. It's pretty easy to add/remove accounts for new/departing devs, and the potential to individualize permissions is there.

I'm not sure if there are other ways, better or not... but blackbox[1] can be used to store secrets.

And it might be possible to achieve some success with git filters[2], at least to avoid pushing secrets into the repository.

Still... just my two cents, I'm not exactly a pro-user of those two features.

[1](https://github.com/StackExchange/blackbox)

[2](https://stackoverflow.com/questions/6557467/can-git-ignore-a...)

If you decide to take the git filters approach, git-crypt[0] is a good choice.

[0] https://github.com/AGWA/git-crypt

I worked on a project called Spore (http://spore.sh) to do this with a command-line tool. It works fairly well, although I've had a hard time communicating how it works to folks.

I like https://fugacio.us/ a lot.

Like passwords, sharing API keys is usually a bad thing. For some sites it is overkill or simply not possible, but for something like AWS there is no excuse not to make individual IAM users with their own passwords and keys.

For AWS... don't use access tokens/secrets, and just use instance profiles (there are a few mock metadata service projects). For other things, there are a bunch of services like HashiCorp's Vault or Amazon KMS that store passwords. KMS + instance roles gets you fairly close, but it's not really friendly to set up.