fugue / credstash

A little utility for managing credentials in the cloud
Apache License 2.0
2.06k stars 214 forks

Comparison to Parameter Store? #164

Open 0xdabbad00 opened 7 years ago

0xdabbad00 commented 7 years ago

credstash was created prior to AWS's Parameter Store. A number of blog posts have come out since Parameter Store was released indicating it is a preferred way of managing secrets on AWS, such as this recent post: https://aws.amazon.com/blogs/mt/the-right-way-to-store-secrets-using-parameter-store/

If someone were starting a new project today, would you recommend credstash or Parameter Store? One benefit of credstash is an ability to backup the secrets. Any other considerations?

nathan-muir commented 7 years ago

Not adding an opinion, but it's important to consider the AWS service limits [1] and see if it's fit for purpose.

Key limits affecting AWS parameter store are [1]:

Key limits affecting AWS Secrets Manager are [2]:

So there's no official rate-limit on requests per second, compared to DynamoDB provisioned reads.

However, the 4096char parameter size (not sure if that's pre or post encryption) could be a pain if storing certificate chains or whole configuration files.

[1] AWS Service Limits for Systems Manager

[2] AWS Service Limits for Secrets Manager

scottsb commented 7 years ago

I imagine an answer here in an issue probably isn't the best location, but if somebody familiar with both of these could add a section about this to the README, that would be great (assuming there is a reason to use this over Parameter Store, such as the limits Nathan mentions).

artburkart commented 6 years ago

To Nathan's comment, the 4096 limit also applies to credstash. I'm pretty sure Parameter Store uses KMS under the hood, which is where that limit comes from.

  1. http://docs.aws.amazon.com/systems-manager/latest/APIReference/API_Parameter.html#EC2-Type-Parameter-Value
  2. http://docs.aws.amazon.com/kms/latest/APIReference/API_Encrypt.html#API_Encrypt

Additionally, the default limits can be increased for the parameters per account and the maximum history.

nathan-muir commented 6 years ago

@artburkart Incorrect. Credstash uses GenerateDataKey [1], not Encrypt.

The only limitation on size would be imposed by DynamoDB, which is ~400kb [2] (post encryption, minus overheads)

[1] http://docs.aws.amazon.com/kms/latest/APIReference/API_GenerateDataKey.html

[2] http://docs.aws.amazon.com/amazondynamodb/latest/developerguide/Limits.html#limits-items
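To make the size argument in the comment above concrete, here is an added example (not credstash's own code) of the envelope-encryption pattern it describes: KMS `GenerateDataKey` only ever handles a 64-byte data key, the secret itself is encrypted locally with that key, and the ciphertext is stored as one DynamoDB item, so the KMS `Encrypt` payload limit never applies to the secret and the DynamoDB item size is the only cap. It runs offline, so `FakeKms` is an assumed stand-in for KMS (a local master key that wraps and unwraps data keys), and `_keystream` is a SHA-256 counter-mode keystream standing in for AES-CTR; the 4096-byte and 400 KB constants are the limits cited in the thread.

```python
"""Envelope encryption in the shape of credstash's GenerateDataKey flow.

Added example, not code from the credstash project. FakeKms is an assumed
stand-in for KMS GenerateDataKey/Decrypt, and _keystream is a SHA-256
counter-mode keystream standing in for AES-CTR, so the script runs with
the standard library only. Like credstash, a 64-byte data key is split:
the first 32 bytes encrypt, the last 32 bytes authenticate (HMAC-SHA256).
"""
import hashlib
import hmac
import os

KMS_ENCRYPT_LIMIT = 4096          # bytes; KMS Encrypt plaintext limit cited in the thread
DYNAMODB_ITEM_LIMIT = 400 * 1024  # bytes; DynamoDB item size limit cited in the thread


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """SHA-256 in counter mode; stand-in for AES-CTR (assumption, see lead-in)."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(key + nonce + counter.to_bytes(8, "big")).digest()
        counter += 1
    return bytes(out[:length])


def _xor(data: bytes, ks: bytes) -> bytes:
    return bytes(a ^ b for a, b in zip(data, ks))


class FakeKms:
    """Stand-in for KMS (assumption). The master key never leaves this object,
    the way a KMS CMK never leaves KMS; callers only see wrapped data keys."""

    def __init__(self):
        self._master = os.urandom(32)

    def generate_data_key(self, number_of_bytes: int):
        """Returns (plaintext_key, wrapped_key), mirroring GenerateDataKey."""
        key = os.urandom(number_of_bytes)
        nonce = os.urandom(16)
        body = _xor(key, _keystream(self._master, nonce, len(key)))
        tag = hmac.new(self._master, nonce + body, hashlib.sha256).digest()
        return key, nonce + body + tag

    def decrypt(self, wrapped: bytes) -> bytes:
        """Unwraps a data key, mirroring KMS Decrypt; rejects a tampered blob."""
        nonce, body, tag = wrapped[:16], wrapped[16:-32], wrapped[-32:]
        expect = hmac.new(self._master, nonce + body, hashlib.sha256).digest()
        if not hmac.compare_digest(tag, expect):
            raise ValueError("wrapped key failed integrity check")
        return _xor(body, _keystream(self._master, nonce, len(body)))


def put_secret(kms: FakeKms, plaintext: bytes) -> dict:
    """Encrypt a secret of any size locally and build the item to store.
    A fresh data key is generated per secret, so a fixed nonce is safe."""
    data_key, wrapped = kms.generate_data_key(64)
    enc_key, hmac_key = data_key[:32], data_key[32:]
    ciphertext = _xor(plaintext, _keystream(enc_key, b"\x00" * 16, len(plaintext)))
    tag = hmac.new(hmac_key, ciphertext, hashlib.sha256).hexdigest()
    item = {"key": wrapped, "contents": ciphertext, "hmac": tag}
    if item_size(item) > DYNAMODB_ITEM_LIMIT:
        raise ValueError(f"item is {item_size(item)} bytes, over the DynamoDB item limit")
    return item


def get_secret(kms: FakeKms, item: dict) -> bytes:
    """Unwrap the data key via 'KMS', verify the HMAC, then decrypt."""
    data_key = kms.decrypt(item["key"])
    enc_key, hmac_key = data_key[:32], data_key[32:]
    expect = hmac.new(hmac_key, item["contents"], hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expect, item["hmac"]):
        raise ValueError("secret failed HMAC check; refusing to decrypt")
    return _xor(item["contents"], _keystream(enc_key, b"\x00" * 16, len(item["contents"])))


def item_size(item: dict) -> int:
    """Approximate stored size: what DynamoDB's 400 KB limit applies to."""
    return sum(len(v) for v in item.values())


def wrapped_key_fits_kms(item: dict) -> bool:
    """Only the wrapped data key ever went through KMS; it is far under 4096 bytes."""
    return len(item["key"]) <= KMS_ENCRYPT_LIMIT


if __name__ == "__main__":
    kms = FakeKms()
    # Constructed sample: a certificate-chain-sized blob well over 4096 bytes.
    secret = b"-----BEGIN CERTIFICATE-----\n" + b"A" * 20000
    item = put_secret(kms, secret)
    print(len(secret), wrapped_key_fits_kms(item), item_size(item), get_secret(kms, item) == secret)
```

The point to take from running it: a 20 KB secret round-trips even though it is five times the KMS `Encrypt` limit, because only the 112-byte wrapped key crosses the KMS boundary, while a 500 KB secret is rejected by the DynamoDB item check before anything is stored. The HMAC uses the second half of the data key, so a flipped byte in `contents` is detected before decryption, matching the integrity check credstash performs.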

artburkart commented 6 years ago

@nathan-muir - Oh huh, I feel like I should've realized this since I've definitely stored items slightly longer than 4096 bytes.

datherra commented 6 years ago

As a user of credstash in a former project myself, and needing the same solution on a new one, I was about to implement it again, but came across the AWS Secrets Manager service[1]. Would the comparison between credstash and Parameter Store apply to credstash vs Secrets Manager as well? (besides the key auto rotation feature for some databases on Secrets Manager)

[1] https://docs.aws.amazon.com/secretsmanager/latest/userguide/intro.html

valintepes commented 6 years ago

Probably not a deal breaker for most enterprise projects, but the cost of secrets manager seems pretty high in comparison to parameter store (pretty sure that's free, except maybe storage). And of course credstash is also free except dynamo db charges and kms cmk charges. It all depends on the kind and number of secrets you are storing.

If you end up storing 1000 secrets for some reason, secrets manager would be $400/month not including api calls. Now, I don't know what features, be it security, usability, or automation, secrets manager brings to the table vs parameter store, so maybe for the use cases that warrant it, it makes sense. But for myself, I feel like if I have a LOT of secrets, I have to look at one of the "freeish" solutions due to the high cost of secrets manager. And yet if I have just a little amount of secrets, I have to look at the freeish solutions anyways because why pay tens of dollars a month on tens of secrets I can easily manage with parameter store or credstash?

If anyone is an expert in these aws secret sharing systems like to chime in that'd be cool.