Secrets, Secrets, & Secrets

[rawkode]

Ok. Secrets chat.

While I like SOPs, it presents some challenges. Old values are always present in Git history, meaning people with revoked access still have some access to secrets; this make rotation paramount.

While not a deal breaker, it's hard to build that rotation into automation.

If we use Google Cloud Secrets, we don't store encrypted values in Git and we get pubsub notifications when a secret expires or changes; including access changes.

We could also do this with AWS, which has one advantage in that we can batch fetch secrets; but secret rotation requires a Lambda handler rather than pubsub. Of course our handler could be to publish an event to Restate

I don't know what the answer is yet.

I just know we need:

• Secrets Storage
• Attribute Based Access
• Ability to rotate on "world change"

For these reasons, I'm ruling out Infisical and SOPs

So my initial thoughts are:

• Secrets added to Secrets Manager (AWS or GCP)
• Terraform in repo to add users and role access based on attributes
• Restate powered secret rotation

I'm also inclined to use AWS or GCP for OIDC access via GitHub Actions