IRC log for #confidant, 2016-08-08

All times shown according to UTC.

Time Nick Message
01:48 ilbot3 joined #confidant
01:48 Topic for #confidant is now Secret management for AWS. https://lyft.github.io/confidant Channel logs at http://irclog.perlgeek.de/confidant/
04:33 lyftbot [idris] Trying to setup some services to use credentials from confidant, borrowing ideas from Ryan Lane above... would love thoughts on my plans below:
04:33 lyftbot I'm thinking of setting up a `confidant-client` docker container that basically pings the confidant API and stores the result in a JSON file. In a docker-compose, I'll run the `confidant-client` as a dependency of my main container (webapp in this case), mounted in a tmpfs ramdisk.
04:33 lyftbot On startup of my webapp container, it'll grab the credentials from the ramdisk.
04:55 lyftbot [idris] 2 main questions:
04:55 lyftbot 1) does this make sense
04:55 lyftbot 2) is it bad to have those secrets sitting around in a json file?
05:23 Ryan_Lane Hey Idris
05:23 Ryan_Lane It's pretty late for my timezone but I'll try to answer really quick :)
05:24 lyftbot [idris] on a sunday, too :)
05:24 Ryan_Lane This is a good approach
05:24 Ryan_Lane I'm in a lyft on the way home :)
05:24 Ryan_Lane No matter what your secrets will be in memory unencrypted somewhere
05:25 Ryan_Lane A tmpfs is good as long as you ensure to be careful of filesystem access vulnerabilities
05:26 lyftbot [idris] I mean I suppose I could delete the JSON from tmpfs once the app starts up and has everything in memory
05:26 Ryan_Lane This is roughly the approach we take. In the future we're going to inject the secrets into containers on launch, but caching is important
05:26 lyftbot [idris] as you said, it's still in memory.. but at least not accessible through the filesystem
05:27 Ryan_Lane Unless you want to put confidant in your critical path for service restarts
05:28 lyftbot [idris] ah interesting.. that's the reason not to delete it from tmpfs.. restarts
05:29 Ryan_Lane Yep
05:30 Ryan_Lane It's still in your critical path for instance start (which also means scaling) but that's a lot simpler to handle
05:30 lyftbot [idris] cool, well thanks for the validation. if i get this working i'll buy you a coffee or something :)
05:30 lyftbot if it works, i'll try to open source the docker config and post here
05:30 Ryan_Lane Putting confidant behind an elb and ensuring you have enough nodes and dynamo capacity make it easy to handle that case
05:30 Ryan_Lane Awesome. Thanks!
05:31 Ryan_Lane Let me know if you have any more questions
08:20 doy joined #confidant
13:03 lyftbot left #confidant
13:03 lyftbot joined #confidant
13:09 lyftbot left #confidant
13:10 lyftbot joined #confidant
18:51 wm-bot joined #confidant
18:51 abrody joined #confidant
19:22 Ryan_Lane joined #confidant
19:47 abrody joined #confidant
22:47 lyftbot [idris] What naming conventions do you all use for credential names, credential pairs, and service names?