
Ask HN: Strategy for handling user-managed 3rd party secrets for SaaS App? - sbr464
I'm looking for current best practices/recommendations for how to properly store, access, and manage credentials (tokens, certificates, keys etc.) when they are provided by an end-user to our app.

This is mainly in context of a multi-tenant SaaS app. I realize providing secrets to a 3rd party causes most people to shudder, but this could apply to a dedicated or on-premises version of our app, where users still have the ability to manage custom connections via the UI.

This is different than managing the secrets for our own internal infrastructure.

The scenario when this issue comes up is when you provide users the ability (via a frontend UI etc.) to manage:

1. Custom API Connections

2. Custom Database connections

3. Managing custom hosting/server settings

Example use case:

User uses our app to view data from a database they own and manage.

1. An admin-type user adds connection info/credentials via a settings page in our app.

2. We store those settings permanently.

3. The admin (using our UI) adds authorization rules for other users in our app (within their tenant/company).

4. These users access our app to view data from their db.

5. Our backend service receives the request, retrieves/caches their tenant db settings, connects to their db, retrieves data.

Although this case is for a database, it could be for a GraphQL/REST API service also.

The Issue:

Everyone knows not to store passwords in plain text, but these are basically passwords. The difference is that our backend needs to be able to read and use them. They need to be managed and stored in a scalable way since they are managed by the end-user.

We have a few strategies in mind but are looking for the most current recommendations.

Most of our infrastructure is using Kubernetes and Compute Engine on Google Cloud.

edit: formatting
======
mjhea0
[https://www.vaultproject.io/](https://www.vaultproject.io/)

