by klalle 4186 days ago
While I agree that storing API keys in the code repository is not the best idea, I am curious about the suggestion of moving it into Chef configs.

Wouldn't that, in turn, also be stored in a code repository, likely accessible in the same way as the main code repo? Then this feels like a non-solution to me.

3 comments

It's a trap thinking you have to store all the config info in Chef (recipes, data bags, etc.). It's easy to call out to other services for config info to render templates with.

Mreinsch's S3 reco is a good example. I use this method for storing extra role secrets for AWS.

It's good to keep in mind the words of Morpheus when dealing with Chef (and all this stuff really). Free your mind.

Yes you're right. Operations teams then find that they have to lock down their Chef / Puppet master much more tightly than before. In so doing, they make these systems harder for developers to work with, and they introduce additional work and overhead for themselves (servicing secrets-related tickets).

The permissions on our Chef repository are different. We can give access to the main code repository without giving access to the Chef repository.

Alternatively, if you're running on AWS you could also fetch the secrets config file from an S3 bucket which is only accessible by your production servers.
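As an added illustration of the pattern the two comments above describe (fetching a secrets file from a locked-down S3 bucket at converge time and rendering a template from it, so nothing secret lives in either repository), here is a plain-Ruby sketch; it is not code from any commenter. The in-memory `FAKE_BUCKET`, the secret values and the template are constructed for the example; a real recipe would replace `fetch_secrets` with an `Aws::S3::Client#get_object` call using the instance profile.

```ruby
require 'json'
require 'erb'
require 'tmpdir'

# Constructed stand-in for the S3 bucket. In production the object is read with
# Aws::S3::Client#get_object under the instance role; it never sits in git.
FAKE_BUCKET = {
  'prod/app-secrets.json' =>
    '{"api_key":"CONSTRUCTED-KEY-123","db_password":"CONSTRUCTED-PW"}'
}.freeze

def fetch_secrets(key, bucket = FAKE_BUCKET)
  body = bucket.fetch(key) { raise "secrets object #{key} not found" }
  JSON.parse(body)
end

# Fail the converge rather than render a config with an empty credential
# when the bucket object is missing a key or holds a blank value.
def validate_secrets(secrets, required)
  missing = required.reject { |k| secrets[k].is_a?(String) && !secrets[k].empty? }
  raise "missing secrets: #{missing.join(', ')}" unless missing.empty?
  secrets
end

# Constructed template; only the rendered file ever contains the values.
CONFIG_TEMPLATE = <<~ERB
  api_key = <%= secrets['api_key'] %>
  db_password = <%= secrets['db_password'] %>
ERB

def render_config(secrets, template = CONFIG_TEMPLATE)
  ERB.new(template).result_with_hash(secrets: secrets)
end

# Equivalent of a Chef `file` resource with mode 0600: owner-only access,
# created with the restrictive mode from the start. Returns the resulting mode.
def write_config(path, content)
  File.open(path, File::WRONLY | File::CREAT | File::TRUNC, 0o600) { |f| f.write(content) }
  File.stat(path).mode & 0o777
end

def build_config(key = 'prod/app-secrets.json')
  secrets = validate_secrets(fetch_secrets(key), %w[api_key db_password])
  render_config(secrets)
end

if __FILE__ == $PROGRAM_NAME
  path = File.join(Dir.mktmpdir, 'app.conf')
  puts format('wrote %s with mode %o', path, write_config(path, build_config))
end
```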