Ask HN: Secure and simple way for secret/credential management in a startup?

This page summarizes the projects mentioned and recommended in the original post on news.ycombinator.com

  • chamber

    CLI for managing secrets

  • Building on this, I’ve found https://github.com/segmentio/chamber to be super useful

  • leapp

    Leapp is the DevTool to access your cloud

  • For all your employees I can advise you to use Leapp, an open-source project (https://github.com/Noovolari/leapp). It solves the majority of the problems listed here:

  • credstash

    A little utility for managing credentials in the cloud

  • Hello,

    At my current gig we're using doppler[^1] (no affiliation) for application secrets. We're using doppler with their kubernetes operator, which supports auto-rotation on secrets. Secrets are set as "env variables". So far, doppler has not suffered big outages, or we did not notice, because the operator will keep working even if their API is down - of course you won't get updates. Access control could be more _fine grained_, and they added a secret auto-rotation option recently[^2]. We don't use that yet.

    I've been a happy 1Password user (no affiliation) and we use it company wide to share user secrets. 1Password supports CI/CD integration IIRC, so in theory it should cover most use cases.

    If you can pay for AWS Vault, the terraform integration comes out of the box. However, if you're a small team, running vault might be a daunting task, and you're inserting another SPoF.

    There are many open source application secrets tools that you could check out though. In the past I had a great experience with credstash[^3]. Credstash is a really simple and secure open source solution that is based on AWS KMS, IAM and DynamoDB. It costs pennies to run for medium size deployments. Once you set up and document the way to use it, it's really easy. The downside is that as a tool it is pretty _raw_: you have to build things like "secret generators", etc. But combined with a slack bot it can be a really powerful, secure, open-source solution.

    If you have specific questions about any of the above tools, feel free to drop an email. I'll be happy to answer questions.

    [^1]: https://www.doppler.com/

    [^2]: Auto-rotation is complicated because you need to integrate the auto-rotation with external tools yourself most of the time. There are Hashi-Vault modules for SQL DBs but not for Mailgun or CloudFlare, for example.

    [^3]: https://github.com/fugue/credstash
