IRC log for #confidant, 2017-04-24

All times shown according to UTC.

Time Nick Message
01:49 ilbot3 joined #confidant
01:49 Topic for #confidant is now Secret management for AWS. https://lyft.github.io/confidant Channel logs at http://irclog.perlgeek.de/confidant/
03:32 lyftbot joined #confidant
03:38 lyftbot left #confidant
03:38 lyftbot joined #confidant
21:00 patrickod joined #confidant
21:01 * patrickod waves
21:01 patrickod nice write up folks!
22:18 Ryan_Lane patrickod: thanks :)
22:19 patrickod are user ACLs a WIP at the moment? curious to know how Lyft reasons about this internally? (specifically that all users would have read access to the entire secrets list)
22:19 patrickod or do you just restrict the list of users who can OAuth to the service in the first place and sidestep the need for in-app ACLs?
22:40 Ryan_Lane patrickod: we restrict the users who can auth at this point
22:40 patrickod *nod* makes sense :)
22:40 Ryan_Lane but: https://github.com/lyft/confidant/issues/62
22:48 patrickod ah! /me follows.
22:48 patrickod thanks!
23:04 Ryan_Lane patrickod: yw
23:04 Ryan_Lane so..
23:05 Ryan_Lane not totally sure when we're getting to that, for the most part we assume credentials are accessible to anyone with confidant access
23:05 Ryan_Lane we have a special type of credential that's used for highly restricted access
23:05 Ryan_Lane called blind credentials
23:05 Ryan_Lane even the confidant server itself can't read them
23:06 Ryan_Lane they're kind of a pain in the ass to use, so we haven't heavily advertised them
23:07 patrickod aye I noticed that in the documentation. I'm guessing this is used for things such as TLS key material and the like?
23:07 Ryan_Lane yep
23:07 Ryan_Lane it was the exact use-case for this :)
23:07 Ryan_Lane so we could limit access to a credential to a single team (where even the security team couldn't access it)
23:08 Ryan_Lane well, at least not without setting off alarms on escalation of access :D
23:10 patrickod out of curiosity how are the service keys for blinded secrets handled?
23:10 patrickod also +1 to the idea that team-security doesn't have read ability for everything by default. just paints a big ol' target on your back