IRC log for #confidant, 2016-03-28

All times shown according to UTC.

Time Nick Message
01:48 ilbot3 joined #confidant
01:48 Topic for #confidant is now Secret management for AWS. https://lyft.github.io/confidant Channel logs at http://irclog.perlgeek.de/confidant/
16:53 wm-bot GitHub [lyft/confidant] new issue by AndreyKrasnov: Setting up OAuth 2.0 https://github.com/lyft/confidant/issues/54
17:24 abrody @Ryan_Lane do you have a roadmap for storing Confidant's own config secrets in Confidant?
17:24 Ryan_Lane hm. did I add a github issue for that?
17:25 Ryan_Lane I've been meaning to do that for the last few sprints
17:26 abrody looking at whether to do my own thing in S3+KMS for the time being
17:26 abrody or maybe even use Sneaker?
17:26 Ryan_Lane heh. using a secret management system for management of the secrets of a secret management system? :)
17:27 Ryan_Lane what I was planning was to have an environment var (or config file) that would be loaded if detected, which would be decrypted using confidant's at-rest key
17:28 abrody yeah that would be great
17:28 Ryan_Lane and that would be a json string
17:29 Ryan_Lane then the idea would be you could install confidant without the web interface working
17:29 Ryan_Lane and you could run a script to get back the json blob needed for those secrets
17:29 Ryan_Lane the only secrets for confidant itself are related to the web interface
17:29 abrody right right, got it
17:36 Ryan_Lane abrody: I just put this onto my sprint for this week :)
17:36 abrody \o/
17:42 woodrow abrody: for bootstrapping, do you think there’s a world in which confidant can/should manage its own secrets? or do you think they should be out-of-band?
17:42 woodrow er, after bootstrapping
17:42 woodrow for bootstrapping you’d obviously need to run a script or something
17:42 abrody I don't have any preference there
17:43 woodrow in the case of SAML secrets, you’d probably need to do some kind of multi-stage bootstrapping if you were going to do it with the web
17:43 woodrow which might be weird?
17:44 abrody yeah I guess you'd start up the webface with auth disabled, then add your SAML stuff, then enable it
17:44 woodrow like bootstrap session secret/etc. => get it up and running enough to dump in SAML secrets => enable SAML?
17:48 wm-bot GitHub [lyft/confidant] new issue by ryan-lane: Bootstrap Confidant's secrets https://github.com/lyft/confidant/issues/55
17:50 Ryan_Lane woodrow: thought about this some more. it's a bit difficult because it's a chicken/egg problem in the code
17:50 Ryan_Lane unless we access dynamo directly using boto
17:50 Ryan_Lane because pynamo requires the app to be loaded, which requires settings.py
17:51 Ryan_Lane I like the idea of a self-configuring confidant, but it'll require a refactor
17:51 Ryan_Lane too much of that in 1.1, so we should target 1.2 with that if we want it then
17:52 woodrow and the interim solution would be an encrypted file?
17:52 Ryan_Lane yeah
17:53 Ryan_Lane which can either just be a file or a blob in the environment
17:53 Ryan_Lane I can make it kind of self-contained, so that in the future that blob can come from dynamo
17:53 Ryan_Lane then you'd have the choice of self-configure or from a file