Hacker Newsnew | past | comments | ask | show | jobs | submitlogin

A lot of modern cloud deployments read from a secret management system or vault at deployment time, and the secrets are made accessible to the application through various indirect methods so they cannot be accessed later on (i.e. if someone were to gain access to a running Kubernetes container).

At no point does the application have access to the vault itself, and access to read the vault is guarded by IAM role permissions.



Oh well, I really appreciate you taking the time to explain it. But honestly, I didn't understand a word. I recognize it is my lack of knowledge.

I hope someone can do me a ELI5.


Something else pulls from the vault and exposes it as a regular env var to your process. The .env file is a workaround to get this running locally! For open source, the simplest to explain is using a k8s secret mounted to a pod — pod identity allows access to the secret via rbac, which cannot be faked. Only that pod has access to that secret. But your process, running on the pod, sees it as an env var.


That doesn't cover what the GP was talking about with

> (i.e. if someone were to gain access to a running Kubernetes container)

right? Since those would still be secrets available in the env.

I get that if someone has access to read your envvars, its a foregone conclusion already (about how compromised you are).

However IIUC, the part of the point of doing things in memory with reading secrets (like with a Secrets Manager, is to eliminate having to keep secrets around as envvars/secret files in the runtime?


If they can snoop on env vars of a running pod, it can snoop on the process. A k8s secret could be a file in the pod or a env var in the process, but neither are a persistent file distributed to developers


You were on the right path when you called a vault “one more layer of redirection.” A vault on its own won’t dramatically improve your security posture. Neither will a .env file.

Instead, they both beat the alternative (which is writing secrets and environmental config directly in the source code). And they’re both part of defending in depth.

Defense in depth is hard to explain to a five year old, so think of candy. You’re five and you’re obsessed with candy. If I don’t want you to eat pounds of it every single day, I’ll likely do different things to stop you.

1.) I’ll give you a reasonable amount of candy.

2.) I’ll explain that if you eat too much candy, you’ll face health consequences like tooth decay or childhood obesity.

3.) I’ll put the candy somewhere both out of sight and out of reach.

Software security is like that too. Instead of relying upon just one method, you’ll do a number of different things. On their own, few of them are really very useful. But when you combine them all together, you can end up with a reasonably secure system.

In the case of vaults, it’s just a slightly safer tradeoff with its own problems. We’ve already established that it’s bad to write secrets and environmental configuration info in source code. One way around that is to put secrets in a .env file but then distributing that file becomes the weak link. Maybe you Slack them around, or email them or maybe you write all the secrets on a whiteboard in your office? A vault has a lot of flaws, but it’s better than writing them on a whiteboard. In some threat models, it’s better than Slack or email.

It adds depth but it’s far from perfect.


During deployment, the pipeline connects to the Vault, dumps relevant secrets in a .env file that it pushes to production systems that the application then reads from.


A script fetches values from a database then sticks them in a file. This script runs before the your application starts so the file will be there waiting.




Guidelines | FAQ | Lists | API | Security | Legal | Apply to YC | Contact

Search: