...
The following secret types are to be supported:
Secret type | Format | Notes | Who creates? | Who accesses? | How does it work now? | Additional notes
---|---|---|---|---|---|---
login & password | String | runtime + at start; per tenant | | | |
API key | String | | | | different modules use their own storages for that |
token | String | | | | |
SSL certificate | file | | | | | Cannot be stored in SSM, Vault etc. Encrypted S3?
Secret stores
...
The following secret stores are to be supported:
Secret store mechanism | Links | Environments or needs
---|---|---
HashiCorp Vault | https://www.vaultproject.io/ | on-premises installations
AWS Systems Manager Parameter Store (or just AWS SSM) | https://docs.aws.amazon.com/systems-manager/latest/userguide/systems-manager-parameter-store.html | AWS cloud hosting
properties-file | | for dev/test needs
environment variables | |
K8S secrets | |
Secrets management UI
...
Home-grown unified web UI vs. store-specific UIs
Both AWS SSM and Vault have their own management user interfaces; Rancher provides an option to manage secrets in the form of environment variables in UI forms.
...
- check the AWS ssm:GetParameters permission: it is the policy used to enforce access control and protect one service's secrets from another (a good overview of this process: https://aws.amazon.com/blogs/mt/the-right-way-to-store-secrets-using-parameter-store/)
- in Vault, access can be managed via roles, tokens, etc. (https://www.vaultproject.io/docs/auth)
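As an added illustration of the SSM access-control point above (this is not from the original design notes), the IAM policy below is the shape you would attach to one service's execution role: it allows ssm:GetParameter(s) only under that service's own parameter path, so a parameter belonging to another service is denied by default, and it allows kms:Decrypt for SecureString values only when the call comes through SSM. The region, the account id 111122223333, the /myapp/service-a/ path prefix and KEY-ID-PLACEHOLDER are placeholders to be replaced with real values.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "ReadOwnServiceParametersOnly",
      "Effect": "Allow",
      "Action": [
        "ssm:GetParameter",
        "ssm:GetParameters",
        "ssm:GetParametersByPath"
      ],
      "Resource": "arn:aws:ssm:us-east-1:111122223333:parameter/myapp/service-a/*"
    },
    {
      "Sid": "DecryptSecureStringsOnlyViaSsm",
      "Effect": "Allow",
      "Action": "kms:Decrypt",
      "Resource": "arn:aws:kms:us-east-1:111122223333:key/KEY-ID-PLACEHOLDER",
      "Condition": {
        "StringEquals": {
          "kms:ViaService": "ssm.us-east-1.amazonaws.com"
        }
      }
    }
  ]
}
```

Each service gets its own copy of this policy with its own path prefix; a cross-service read such as service-b requesting /myapp/service-a/db-password then fails with AccessDeniedException, which is what to look for in CloudTrail when checking the isolation actually holds.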
...