

One of the big challenges tech companies face today is credentials management. Let's face it: every company should rotate all of its secrets periodically to meet industry standards for security and compliance. However, this task easily becomes overwhelming when the secrets have to be rotated manually, and with the shift to cloud-first microservices the number of secrets we have to manage has exploded, since each service needs to authenticate with the other services.

To solve this problem, there are multiple approaches. Vault is one of them, but it is not a managed service, and we felt that we should use managed services as much as possible to help us scale.

The previous quote was stolen from one of Coveo's security analysts. The first mistake one could make when diving head first into Secrets Manager is to think that everything is managed by AWS and that implementing secret rotation is going to be easy and straightforward. It's not.

Automatic rotation requires one Lambda function per type of secret, and each of them has to be managed, tested, deployed, and monitored. Yes, you can use the Lambda functions built and deployed by AWS, but they might not fit your business and your developers' needs. You should instead prepare architecture documents and share them with the different development teams before committing to a final design. On our end, our architectural design included a Python project built with the tox automation tool and deployed using our in-house deployment pipeline. Furthermore, we added exception monitoring with Sentry and recorded audit and rotation logs in Kibana. Together, these initial design decisions will shorten development time while reducing friction amongst development teams.

Battle-Test Your Rotation Lambda Functions

Like I mentioned earlier, even if AWS is kind enough to share some sample functions with the community, make sure that you rewrite them to actually fit your needs, company policies, and guidelines. The samples provided cover the basic use cases and credential types, but let's be frank about it: every use case is different.

At Coveo, we started with our internal OAuth 2.0 client secrets used between our different services. This type of secret was a great candidate due to its intensive use by almost every internal development team: selecting a credential with such heavy use will let your team catch unexpected events in your services when a rotation occurs. We first made sure that our systems had the proper APIs and behaviours, then we created a new Lambda function from scratch implementing the AWS Secrets Manager requirements. We rotated these secrets once a day for at least a month in our development environment until we were confident enough in our design to release it in production.
