chamber VS credstash

Chamber takes an opinionated view on AWS Parameter store as compared to ssmsh

Building on this I’ve found https://github.com/segmentio/chamber to be super useful

For secrets, the PaaS platform (Github Actions, Fly.io, etc.) I usually use has a method that works with environment variables. If I need something custom on AWS, then I use Chamber backed by AWS KMS.

We use Chamber (https://github.com/segmentio/chamber) to do this for us. Bring it into your image and use the environment variables as necessary. Some applications support using environment variables natively, you might need to add a script to write them into your config files.

You can take a look at some code I wrote a while back to do this if you want examples https://github.com/segmentio/chamber/blob/master/store/ssmstore.go .

We use AWS Parameter Store and segmentio/chamber.

https://github.com/segmentio/chamber is nice with parameter store, ive used it in the past.

Use Chamber.

For interacting with SSM, I would recommend using https://github.com/segmentio/chamber. You could add something to your user-data script that uses chamber to load a config file (chamber export is one way to do it) from SSM on startup. You could also use Systems Manager to enable you to do a "hot reload" of sorts by sending a command to your server to run the chamber command and restart your application.

Hello,

At my current gig we're using doppler[^1] (no affiliation) for application secrets. We're using doppler with their kubernetes operator which supports auto-rotation on secrets. Secrets are set as "env variables". So far, doppler has not suffer big outages or we did not notice, because the operator will keep working even if their API is down - of course you won't get updates. Access control could be more _fine grained_ and they added secret auto-rotation option recently[^2]. We don't use that yet.

I've been a happy 1Password user (no affiliation) and we use it company wide to share user secrets. 1Password support CI/CD integration IIRC, so in theory should cover most use cases.

If you can pay for AWS Vault, the terraform integration comes out of the box. However if you're a small team running vault might be a daunting task and you're inserting another SPoF.

There are many open source application secrets tools that you could check out though. In the past I had great experience with credstash[^3]. Credstash is a really simple and secure open source solution that is based on AWS KMS, IAM and DynamoDB. Costs pennies to run for medium size deployments. Once you setup and document the way to use it, it's really easy. The downside is that as a tool is pretty _raw_ you have to build things like "secret generators", etc. But combined with a slack bot can be a really powerful, secure, open-source solution.

If you have specific questions about any of the above tools feel free to drop an email. I'll happy to answer questions.

[^1]: https://www.doppler.com/

[^2]: Auto-rotation is complicated because you need to integrate the auto-rotation with external tools yourself most of the times. There are Hashi-Vault modules for SQL DBs but not for Mailgun or CloudFlare for example.

[^3]: https://github.com/fugue/credstash

Hi, credstash dev here. I think the issue is with your shell not with credstash. You need to pass in an actual newline character into the argument if you want to store a newline.

Link to Credstash if you're curious: https://github.com/fugue/credstash