Ask HN: Best way to manage API secrets and other secrets in teams

4 points by desmap ↗ HN
Searched a bit around but didn't find a clear answer to this:

API and other secrets/credentials shouldn't be on source control and .gitignored. Still they need to be backed up, shared to team members, updated, etc.

What's the best way to do this (just for server-side apps) without using any paid 3rd party product?

5 comments

[ 3.1 ms ] story [ 19.9 ms ] thread
It depends greatly on how your server-side works. For example, if you are on AWS, you can use KMS. If you run Kubernetes or Docker Swarm, they have their own secret storage systems.

In the very small teams, you can do something as simple as Google Doc or Last Pass shared notes, and install the keys manually as needed. In this case, your code would be looking for secrets at a pre-defined location, like ~/.your-company-name/secrets, and secrets would me manually copied there.

you could take a look at hashicorp vault as a tool to deliver secrets to your server side apps

for sharing secrets with your team i would go with password manager. bitwarden.com if you are looking for a open source one.

keybase.io with team chat, kbfs and encrypted git repos.
As others mentioned, there's a variety of products to handle these by now for corporations and startups.

I'm actually more interested in the same question but for personal projects where you don't want to pay or pay no more than say $1/mo. Is there a solution for that?

Maybe a hashicorp consul self-hosted? A lot of work to set up for personal project but maybe worth it to do one time?

(comment deleted)