HashiCorp and Google: easing secret and infrastructure management

295 points, posted by rey12rey over 7 years ago

6 comments

scrollaway, over 7 years ago
What do people here use to store and source-control secrets/almost-secrets and make them available to (pick n) terraform/ansible/salt/chef/...?

I've heard a lot of good things about Hashicorp Vault (https://www.vaultproject.io) but have been hesitant to go with it.
manigandham, over 7 years ago
All of the major clouds already have good secrets management built in. We have a simple library that uses Google's Key Management Service in a standalone project to encrypt/decrypt files held in a private storage bucket. Access to keys and files is controlled by service account roles. Seamless, efficient, no-ops model with built-in auditing and fine-grained control that works everywhere.
yeukhon, over 7 years ago
Anything secret involves a master key. If you don't trust AWS, then you need to supply your own master key. But for most setups, IMO, you should just let AWS handle the key management, and you use a role to decrypt. Rotation is a big deal though. For servers, the SSH key can be encrypted in KMS and we either completely replace the box, or we rotate one box at a time. For DB servers, it's important to choose a DB that can stream data to a new box with as little impact as possible (or allows replication). But these take time to develop (I can't use containers to host DBs or critical applications because of the network performance, at least a year ago).

BTW Mozilla's sops [1] is quite interesting. I've been testing this for a while now.

[1]: https://github.com/mozilla/sops
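The pattern manigandham and yeukhon describe (a cloud KMS master key that wraps a per-file data key, with decrypt rights granted to a service-account or IAM role) as an added Go example; this is not code from the thread, from Google's KMS, from AWS, or from Vault. So that it runs offline, the cloud KMS is stood in for by a local AES-GCM key behind a `KeyWrapper` interface; that interface, the `Envelope` type, the `"dek"` wrapping label and the object path `secrets/prod/app.env` are assumptions for illustration. `Rewrap` is included to show why master-key rotation is cheap in this design: only the wrapped data key changes, the file ciphertext does not.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
)

// KeyWrapper is the one thing the cloud KMS does for us: wrap and unwrap a
// per-file data key under a master key that never leaves the service.
type KeyWrapper interface {
	Wrap(dek []byte) ([]byte, error)
	Unwrap(wrapped []byte) ([]byte, error)
}

// LocalKMS stands in for Google Cloud KMS / AWS KMS so the example runs
// offline (assumption: a real deployment calls the cloud Encrypt/Decrypt API).
type LocalKMS struct{ kek cipher.AEAD }

func NewLocalKMS() (*LocalKMS, error) {
	kek, err := newGCM(randBytes(32)) // master key, held only "inside" the KMS
	return &LocalKMS{kek: kek}, err
}

func (k *LocalKMS) Wrap(dek []byte) ([]byte, error) { return gcmSeal(k.kek, dek, []byte("dek")), nil }
func (k *LocalKMS) Unwrap(w []byte) ([]byte, error)  { return gcmOpen(k.kek, w, []byte("dek")) }

// Envelope is what lands in the private bucket; no plaintext key is ever written.
type Envelope struct {
	WrappedDEK []byte
	Ciphertext []byte // nonce || AES-GCM(plaintext)
}

// Seal encrypts one file under a fresh data key and wraps that key with the KMS.
// aad binds the blob to its context (here the object path) so a copy moved to
// another path no longer decrypts.
func Seal(kms KeyWrapper, plaintext, aad []byte) (*Envelope, error) {
	dek := randBytes(32)
	aead, err := newGCM(dek)
	if err != nil {
		return nil, err
	}
	wrapped, err := kms.Wrap(dek)
	if err != nil {
		return nil, err
	}
	return &Envelope{WrappedDEK: wrapped, Ciphertext: gcmSeal(aead, plaintext, aad)}, nil
}

// Open is the only step that touches the KMS; a caller whose role lacks
// decrypt permission fails here and never sees the data key.
func Open(kms KeyWrapper, env *Envelope, aad []byte) ([]byte, error) {
	dek, err := kms.Unwrap(env.WrappedDEK)
	if err != nil {
		return nil, fmt.Errorf("unwrap data key: %w", err)
	}
	aead, err := newGCM(dek)
	if err != nil {
		return nil, err
	}
	return gcmOpen(aead, env.Ciphertext, aad)
}

// Rewrap rotates the master key: only the 32-byte data key is re-wrapped and
// the file ciphertext is untouched, so rotation is one KMS call per object.
func Rewrap(oldKMS, newKMS KeyWrapper, env *Envelope) (*Envelope, error) {
	dek, err := oldKMS.Unwrap(env.WrappedDEK)
	if err != nil {
		return nil, err
	}
	wrapped, err := newKMS.Wrap(dek)
	return &Envelope{WrappedDEK: wrapped, Ciphertext: env.Ciphertext}, err
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// randBytes panics if the system CSPRNG fails: there is no safe fallback.
func randBytes(n int) []byte {
	b := make([]byte, n)
	if _, err := rand.Read(b); err != nil {
		panic(err)
	}
	return b
}

// gcmSeal prefixes a fresh random nonce to the AES-GCM output.
func gcmSeal(aead cipher.AEAD, pt, aad []byte) []byte {
	nonce := randBytes(aead.NonceSize())
	return aead.Seal(nonce, nonce, pt, aad)
}

func gcmOpen(aead cipher.AEAD, blob, aad []byte) ([]byte, error) {
	if n := aead.NonceSize(); len(blob) >= n {
		return aead.Open(nil, blob[:n], blob[n:], aad)
	}
	return nil, fmt.Errorf("ciphertext too short")
}
```

With a real cloud KMS, `Wrap` and `Unwrap` become the service's encrypt/decrypt calls and the authorization decision (which role may decrypt) happens inside that call, which is also where the audit record comes from. The `aad` argument is the place to bind each blob to its bucket path or environment, so that an object copied from `prod` to `dev` fails to open rather than silently decrypting.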
disordr, over 7 years ago
The AWS EC2 Systems Manager Service and the Parameter Store: https://aws.amazon.com/ec2/systems-manager/parameter-store/ is a great way to store secrets with integrated encryption provided by KMS.
arianvanp, over 7 years ago
It's not really clear to me from the docs, but can Kubernetes secrets now be stored in Vault instead of etcd? Or is just the token retrieval part fixed? The docs are a bit terse and don't say much about how you'd actually use it.

If I create a Kubernetes secret, will it be stored in Vault if I set some magic switch? Or are we not there yet?
outoftacos, over 7 years ago
I worry a lot about how these megacorps will treat "collaborators" vs "non-collaborators" in the coming years. Obviously you can't just outright buy everyone, but they seem to be increasingly abusive towards technologies and teams that aren't on board with their interests and ideology.

Actually I'm more worried about how Facebook and Amazon treat non-compliance, but Google sure seems to be getting shadier every day.

This combined with the W3C evolving into a corrupt entity just makes me want to get out of tech completely. Maybe if I could get some awesome dev job at the EFF?