CircleCI says hackers stole encryption keys and customers’ source code

This page summarizes the projects mentioned and recommended in the original post on news.ycombinator.com

  • Vault

    A tool for secrets management, encryption as a service, and privileged access management

  • Note that dumping Vault's process memory is beyond hashicorp/Vault's threat model. See: https://github.com/hashicorp/vault/issues/1446#issuecomment-...

    I'm bringing this up because the CircleCI blog post says that the attacker did memory-dump encryption keys from a running process. See https://circleci.com/blog/jan-4-2023-incident-report/

    So even if they were using hashicorp/vault, the attacker could probably still have mem-dumped Vault's process.

  • It's very easy to run your own GitLab Runner (their open-source CI: https://docs.gitlab.com/runner/) on your server (or any cloud).

    Set up within seconds using a few lines of cloud-init: https://gitlab.com/21analytics/gitlab-runner-cloud-init

    Most of the time, it's also cheaper and maintenance is close to zero.

  • hassh

    HASSH is a network fingerprinting standard which can be used to identify specific client and server SSH implementations. The fingerprints can be easily stored, searched and shared in the form of a small MD5 fingerprint.

  • ja3

    JA3 is a standard for creating SSL client fingerprints in an easy to produce and shareable way.
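
    Both projects reduce a handshake to a short MD5 of the algorithm lists the peer advertises. The following is an added example, not code from the hassh or ja3 projects: it decodes an SSH_MSG_KEXINIT payload and builds the hassh / hasshServer string from the name-lists exactly as sent, and builds the JA3 string from ClientHello values with GREASE entries dropped. The KEXINIT name-lists and ClientHello values are constructed samples, not captured traffic.

```python
"""HASSH (SSH) and JA3 (TLS) fingerprints from first principles.

Added example, not from the hassh or ja3 projects. Published recipes:
  hassh       = MD5("kex;enc_c2s;mac_c2s;comp_c2s")   name-lists as sent
  hasshServer = MD5("kex;enc_s2c;mac_s2c;comp_s2c")   from the server KEXINIT
  ja3         = MD5("version,ciphers,extensions,curves,point_formats"),
                lists '-'-joined, GREASE values (RFC 8701) removed first
All sample values below are constructed, not real captures.
"""
import hashlib
import struct

SSH_MSG_KEXINIT = 20
KEXINIT_LISTS = ["kex", "host_key", "enc_c2s", "enc_s2c", "mac_c2s", "mac_s2c",
                 "comp_c2s", "comp_s2c", "lang_c2s", "lang_s2c"]


def md5_hex(text: str) -> str:
    return hashlib.md5(text.encode("ascii")).hexdigest()


def build_kexinit(fields: dict, cookie: bytes = bytes(16)) -> bytes:
    """Encode name-lists as a KEXINIT payload (RFC 4253 s7.1); used here to
    construct sample input, a real sensor reads the payload off the wire."""
    out = bytes([SSH_MSG_KEXINIT]) + cookie
    for name in KEXINIT_LISTS:
        value = fields.get(name, "").encode("ascii")
        out += struct.pack(">I", len(value)) + value
    return out + b"\x00" + b"\x00\x00\x00\x00"  # first_kex_packet_follows, reserved


def parse_kexinit(payload: bytes) -> dict:
    """Decode a KEXINIT payload into its ten comma-separated name-lists."""
    if not payload or payload[0] != SSH_MSG_KEXINIT:
        raise ValueError("not an SSH_MSG_KEXINIT payload")
    pos, fields = 1 + 16, {}  # skip the message id and the 16-byte cookie
    for name in KEXINIT_LISTS:
        (length,) = struct.unpack_from(">I", payload, pos)
        pos += 4
        fields[name] = payload[pos:pos + length].decode("ascii")
        pos += length
    return fields


def hassh_string(fields: dict, server: bool = False) -> str:
    """Order is significant: the lists are joined as the peer sent them."""
    side = "s2c" if server else "c2s"
    return ";".join([fields["kex"], fields["enc_" + side],
                     fields["mac_" + side], fields["comp_" + side]])


def hassh(payload: bytes, server: bool = False) -> str:
    """hassh for a client KEXINIT, hasshServer (server=True) for a server one."""
    return md5_hex(hassh_string(parse_kexinit(payload), server))


def is_grease(value: int) -> bool:
    """RFC 8701 GREASE values 0x0A0A, 0x1A1A, ..., 0xFAFA: both bytes equal, low nibble 0xA."""
    return (value >> 8) == (value & 0xFF) and (value & 0x0F) == 0x0A


def ja3_string(version, ciphers, extensions, curves, point_formats) -> str:
    def fmt(values):
        return "-".join(str(v) for v in values if not is_grease(v))
    return ",".join([str(version), fmt(ciphers), fmt(extensions),
                     fmt(curves), fmt(point_formats)])


def ja3(version, ciphers, extensions, curves, point_formats) -> str:
    return md5_hex(ja3_string(version, ciphers, extensions, curves, point_formats))


# Constructed OpenSSH-style client KEXINIT (not a real capture)
SAMPLE_CLIENT_FIELDS = {
    "kex": "curve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ext-info-c",
    "host_key": "ssh-ed25519,rsa-sha2-512,rsa-sha2-256",
    "enc_c2s": "chacha20-poly1305@openssh.com,aes128-ctr,aes256-gcm@openssh.com",
    "enc_s2c": "chacha20-poly1305@openssh.com,aes128-ctr,aes256-gcm@openssh.com",
    "mac_c2s": "umac-64-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-256",
    "mac_s2c": "umac-64-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-256",
    "comp_c2s": "none,zlib@openssh.com", "comp_s2c": "none,zlib@openssh.com",
    "lang_c2s": "", "lang_s2c": "",
}
SAMPLE_KEXINIT = build_kexinit(SAMPLE_CLIENT_FIELDS)

# Constructed ClientHello values with the GREASE entries a browser would add
SAMPLE_HELLO = dict(version=771,
                    ciphers=[0x1A1A, 4865, 4866, 49195, 49199],
                    extensions=[0x2A2A, 0, 23, 65281, 10, 11, 35, 16, 5, 13],
                    curves=[0x3A3A, 29, 23, 24],
                    point_formats=[0])

if __name__ == "__main__":
    print("hassh", hassh(SAMPLE_KEXINIT))
    print("ja3  ", ja3_string(**SAMPLE_HELLO), ja3(**SAMPLE_HELLO))
```

    GREASE removal is what keeps a JA3 stable across connections from the same browser, since the GREASE values are randomised per handshake; HASSH has no such step and hashes the name-lists verbatim, so a client that reorders its ciphers gets a different fingerprint.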

  • aws-codebuild-docker-images

    Official AWS CodeBuild repository for managed Docker images http://docs.aws.amazon.com/codebuild/latest/userguide/build-env-ref.html

  • Disclaimer: I work for AWS in Professional Services. All opinions are my own.

    The beauty about CodeBuild is that there is no “lock-in”. All it is, fundamentally, is a Linux or Windows Docker container with popular language runtimes and a shell script that processes a YAML file, or you can supply your own Docker container.

    You just put a bunch of bash commands or PowerShell commands in the YAML file and it runs anything.

    The Docker container and the shell scripts are all open source and you can quite easily run them locally.

    I could see outside of AWS keeping your Docker containers for your specific build environments in a local repository and doing all of your builds inside them using Jenkins.

    https://github.com/aws/aws-codebuild-docker-images

    https://docs.aws.amazon.com/codebuild/latest/userguide/use-c...

    For a “batteries included” approach though, I really like Azure DevOps Pipelines.

    I’ve even done a couple of integrations between Azure DevOps and AWS when we had clients that are Microsoft shops.

    https://aws.amazon.com/vsts/

    For AWS, if you use CodeCommit (AWS's Git service), all access is via IAM and granular permissions. If you integrate with Azure DevOps, the AWS credentials do have to be stored in a separate MS-hosted credential storage.

    CodeBuild also supports at least GitHub natively.

    I’m not shilling for AWS. I have an MS development background (.Net) and only have “DevOps” experience using AWS and Microsoft tooling.
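
    A buildspec of the kind the comment above describes, as an added example (not the commenter's or AWS's own file): the phases are plain shell commands, and the one secret the build needs is fetched from Secrets Manager at run time rather than stored as a plaintext environment variable in the CI system. The secret name `ci/dockerhub`, its JSON key `token`, the Docker Hub user `ci-user` and the image name are hypothetical.

```yaml
version: 0.2

env:
  variables:
    IMAGE_TAG: "latest"
  # Resolved by CodeBuild from Secrets Manager when the build starts
  # (format: secret-id:json-key). Hypothetical secret name and key.
  secrets-manager:
    DOCKERHUB_TOKEN: "ci/dockerhub:token"

phases:
  pre_build:
    commands:
      # --password-stdin keeps the token out of the process list and the build log
      - echo "$DOCKERHUB_TOKEN" | docker login -u ci-user --password-stdin
  build:
    commands:
      - pip install -r requirements.txt
      - pytest -q
  post_build:
    commands:
      - docker build -t example/app:$IMAGE_TAG .

artifacts:
  files:
    - '**/*'
```

    The same file runs unchanged inside the published CodeBuild image on a local Docker host, which is the portability the comment is describing; the only AWS-specific line is the `secrets-manager` lookup, which would need an equivalent in whatever runs the container elsewhere.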
