Open b00klegger opened 6 years ago
@RobAWilkinson Can you give me an outline of what secrets are currently collected in the app?
@b00klegger it might be of better use talking to @kfrz. I believe from looking at the Rails docs there might just need to be 1 magic MASTER KEY that the app uses to decode a file that contains all the things.
@RobAWilkinson @b00klegger @hpjaj
This PR updates the application to use Rails 5.2, which includes encrypted credential management.
More details have been added to the wiki but the gist of it is there's one key that is shared (carefully) between developers and pushed to production, either in an environment variable or direct copy.
Then, all credentials can be added with bin/rails credentials:edit, which is just a .yml file.
Thanks Keifer...I'll start looking into this, too.
@b00klegger when/if we deploy to a service, such as AWS, what is required to define an environment variable? We'll want to define RAILS_MASTER_KEY?
Can the key be defined in the start up of the app? What I'm thinking is storing this in something like AWS Param Store with KMS and a role on the instance/container to control access to the value. The app then uses the AWS SDK to call the service and import the key.
Yeah I think that would work perfect, then we just pass as an env variable when starting the docker container
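The startup fetch proposed above, sketched as an added example (not code from this project or its wiki): read a SecureString from Parameter Store with decryption, validate it, and set RAILS_MASTER_KEY only if it was not already injected. The parameter name, the helper names and the FakeSSM stand-in are assumptions; the real client is Aws::SSM::Client from the aws-sdk-ssm gem, authorised by the instance/container role.

```ruby
# Added example. MASTER_KEY_PARAM and all helper names are hypothetical.
MASTER_KEY_PARAM = "/myapp/production/rails_master_key"
KEY_FORMAT = /\A\h{32}\z/ # Rails generates a 32-hex-character master key

class MasterKeyError < StandardError; end

# Real client; credentials come from the instance or task role, not from code.
def default_ssm_client
  require "aws-sdk-ssm" # loaded lazily so the rest runs without the gem
  Aws::SSM::Client.new
end

# Fetch the SecureString (SSM decrypts it via KMS) and check its shape.
def fetch_master_key(client, name: MASTER_KEY_PARAM)
  resp = client.get_parameter(name: name, with_decryption: true)
  value = resp.parameter.value.to_s.strip
  # The value never goes into the message: exceptions end up in logs.
  raise MasterKeyError, "#{name} is not a 32-hex-character key" unless value.match?(KEY_FORMAT)
  value
rescue MasterKeyError
  raise
rescue StandardError => e
  # Fail closed, reporting only the error class (access denied, not found, ...).
  raise MasterKeyError, "could not read #{name}: #{e.class}"
end

# An explicitly passed key (e.g. docker run -e RAILS_MASTER_KEY) wins.
def load_master_key!(env: ENV, client: nil, name: MASTER_KEY_PARAM)
  return :already_set unless env["RAILS_MASTER_KEY"].to_s.empty?
  env["RAILS_MASTER_KEY"] = fetch_master_key(client || default_ssm_client, name: name)
  :loaded_from_ssm
end

# Constructed stand-in for Aws::SSM::Client so the example runs offline.
FakeParameter = Struct.new(:value)
FakeResponse = Struct.new(:parameter)
class FakeSSM
  attr_reader :calls
  def initialize(value)
    @value = value
    @calls = []
  end

  def get_parameter(**args)
    @calls << args
    FakeResponse.new(FakeParameter.new(@value))
  end
end
```

In a Rails app, load_master_key! would have to run before anything reads the encrypted credentials.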
Out of the available solutions, research different options and identify a recommended solution for a small project. Both financial and administrative costs are a factor here with a preference for simplicity, very low cost and little ongoing maintenance.
Options:
credstash