We use YAML for configuration of many things - Concourse pipelines, BOSH deployments, Cloud Foundry applications, and more. And we continually want to be more secure with how we handle our secrets.
Two tools can be used together to help:
To quickly see them in action, run Vault in local dev mode (in-memory, http only, unsealed).
$ vault server -dev
[editor: of course, you wouldn't run vault in
-dev mode in production]
In another window, pretend to store your master AWS secrets into your Vault:
$ export VAULT_ADDR=http://127.0.0.1:8200 $ vault write secret/aws/starkandwayne access=XXX secret=YYY Success! Data written to: secret/aws/starkandwayne
To confirm that there is both
secret keys stored in Vault:
$ vault read secret/aws/starkandwayne Key Value --- ----- refresh_interval 2592000 access XXX secret YYY
Now create your publicly publishable YAML config file, that references your vault path:
--- s3: aws: access_key: (( vault "secret/aws/starkandwayne:access" )) secret_key: (( vault "secret/aws/starkandwayne:secret" ))
This configuration file can now be included in OSS/public repositories because the secrets are stored in Vault.
Only you (or your team that has access to a Vault with the same keys) can now merge in the values with
$ spruce merge base.yml
The output will include the secrets:
s3: aws: access_key: XXX secret_key: YYY
Learn more about Vault, Spruce and how we're using them with https://www.starkandwayne.com/blog/standing-up-vault-using-genesis/