Ask HN: How do you handle secret management?

4 points by aerovistae ↗ HN
All day I've been struggling with this: if I use a secret management system like Vault or Keywhiz or AWS KMS, I still have to store the credentials for that system in plaintext. So then I feel like I haven't accomplished anything whatsoever. To be honest I don't even understand the purpose of these systems.

What am I missing here?

3 comments

[ 3.2 ms ] story [ 17.9 ms ] thread
If you use an AWS Instance Role that allows you to pull data from AWS Parameter Store, then you don’t have a bootstrap problem.

In this case, AWS knows what your instance is and what it is allowed to do, and so you can access SSM without any other credentials being stored on the system.

But this only works if you’re running your EC2 instance in AWS.