Hacker News new | ask | show | jobs
by zeveb 3941 days ago
> Don't ever check access keys into any repo, public, private or even self-hosted.

So, how do you propose to handle version control of your exact production configuration? Do you think that recording one's production configuration is a valuable (or even useful) technique? Do you propose to have a single file with production configuration relying only on point-in-time backups for history? That gets us back to the bad old days…

A local or self-hosted repo is 'a local location that's accessible only to youation that's accessible only to you.'
2 comments
curun1r 3941 days ago
> So, how do you propose to handle version control of your exact production configuration?

Version control is perfectly acceptable for that, but the key point is that access keys aren’t part of your production configuration. I personally don’t allow my team to have long-lived AWS access keys that have access to production. Production is only changed via an assumed role requiring MFA or an IAM instance role.

If this kind of setup is too complex to create on your own, solutions like Vault (https://vaultproject.io) can make it much easier to get right.

link
zeveb 3940 days ago
> Version control is perfectly acceptable for that, but the key point is that access keys aren’t part of your production configuration.

Why not? If your production configuration is stored as static-file in version control, then either those credentials have to live in that version control, or they have to live outside it, as a separately-backed up file of configuration variables, which are then fed to a static-file-generating tool, which means a) that one has to select a templating system and maintain those separate templates and b) that there's another step involved in developing the prototypes for those templates. This isn't a bad course of action, of course, but it does have its costs (just like storing production configuration—including credentials—in version control has its costs as well as its benefits).

> I personally don’t allow my team to have long-lived AWS access keys that have access to production.

Of course! Developers shouldn't have access to production systems, period. But operators can, and must, and I've no problem with them having access to their own version-controlled repository of information that no other team can access.

> Production is only changed via an assumed role requiring MFA or an IAM instance role.

Of course! I'm certainly not arguing for personal credentials to be stored in an operations repo.

link
nathancahill 3941 days ago
I use Ansible Vault if it's imperative to store keys in a repo, and I've been really happy with it. StackExchange has something similar called Blackbox[0]. I remember reading about a Ruby gem too, but I can't find it now.

[0] https://github.com/StackExchange/blackbox

link
zeveb 3940 days ago
> https://github.com/StackExchange/blackbox

That looks pretty cool, at least at first. I'll have to take a deeper dive into it.

I like that it looks to be all shell scripts. Wish it were sh rather than bash, but c'est la vie.

link