
Ask HN: How do you handle secret management? - aerovistae
All day I've been struggling with this: if I use a secret management system like Vault or Keywhiz or AWS KMS, I still have to store the credentials for that system in plaintext. So then I feel like I haven't accomplished anything whatsoever. To be honest I don't even understand the purpose of these systems.

What am I missing here?
======
bradknowles
If you use an AWS Instance Role that allows you to pull data from AWS
Parameter Store, then you don’t have a bootstrap problem.

In this case, AWS knows what your instance is and what it is allowed to do,
and so you can access SSM without any other credentials being stored on the
system.

But this only works if you’re running your EC2 instance in AWS.

------
paktek123
Not sure I understand your use case but does this help?

[https://github.com/mozilla/sops](https://github.com/mozilla/sops)

~~~
aerovistae
My use case is just encrypting some database credentials instead of storing
them as plaintext environment variables.

