edgi-govdata-archiving / overview

🎈 Start here for current projects, how to get involved, and joining community calls, a resource for new and veteran members
GNU General Public License v3.0

Adopt pw manager/vault for managing services and logins #134

Closed dcwalk closed 7 years ago

dcwalk commented 7 years ago

We have a growing number of services with a few cases that require shared logins or secrets. This is a tracking issue for an ongoing conversation in #handling_keys on EDGI slack.

@dcwalk's summary of issue:

  1. We have accounts that we need to share credentials for between a small group of people
  2. We need a better way to coordinate sharing of keys and sensitive details between individuals
  3. We are getting to the point where we will need to better document deployment or other semi-sensitive details within a small group of developers
  4. Organizational context is one where we shouldn't count on regular sysadmin support (e.g. maintaining our own servers for docs or cred management)
dcwalk commented 7 years ago

We have a trial for LastPass. @patcon and @titaniumbones what are your thoughts after testing it out over the past few days?

patcon commented 7 years ago

I feel like LastPass is working for us, but mostly because of that Dropbox Paper "Services & Deployment" doc, since it tells me who to ask for a LastPass share. (I hope this access list will be more open eventually.)

My understanding is that we're still not using any enterprise features, right?

patcon commented 7 years ago

Perhaps if we're no longer feeling any tensions related to that aspect of password sharing, we could consider closing this out? (Then again, maybe we should ask a newly onboarded person about this, as I've long since gotten the access I needed :) )

dcwalk commented 7 years ago

I think we want to check in with @danielballan and @Mr0grog (maybe at the call today?) as there was an original need that this came out of which feels unfulfilled to me

Mr0grog commented 7 years ago

Hmmm, I should probably transition the Postmark stuff to an account under EDGI’s name and give you credentials for it.

With our stuff at Heroku, AWS, and Google Cloud, we can manage access via normal access controls for those platforms, so we don’t need a shared vault for them.

I don’t think there are any other third party accounts currently used by web-monitoring infrastructure right now.

dcwalk commented 7 years ago

Hey @danielballan do you have any thoughts? The takeaway from Monday's call is that we might just work to verify who has access and do some consolidation/re-jigging of admin accounts (Heroku being the big one it seems) but that otherwise things are okay to sit for a month at least before revisiting.

Is there a use case we are not handling at the moment? I think a bunch of the deployment details haven't been documented.

danielballan commented 7 years ago

Yes, I think that's a good way to proceed. The deployment details still change almost weekly. While they'll never be "done," I think they will be more stable once Version 0 is out the door and at that point we should take stock and document.

dcwalk commented 7 years ago

Okay, I'm closing this because we've adopted a pw manager. We can ticket out the other issues!