
Biscuit: a multi-region key value store for your AWS infrastructure secrets - ptest1
https://github.com/dcoker/biscuit
======
technologia
The project is nice, but I'm gonna have to stick with Vault as I like the
flexibility of storage backends and not locked into AWS for enterprise-y apps
that can't go to AWS.

~~~
techie128
How does Vault verify the identity of the host requesting access to the
credentials? I didn't find anything in the documentation that would give me
information pertaining to that.

~~~
elliotanderson
You can use the new AWS-EC2 auth backend in Vault 0.6

[https://www.vaultproject.io/docs/auth/aws-ec2.html](https://www.vaultproject.io/docs/auth/aws-ec2.html)

~~~
otterley
That backend is very nascent, so don't oversell it. It currently is AMI
dependent, making it next to useless for a lot of teams.

------
amhoab
This is also similar to Sneaker
([https://github.com/codahale/sneaker](https://github.com/codahale/sneaker)),
which is written in Go. It doesn't copy to other regions by default, but it's
not hard to handle that on your own. This also uses KMS, but stores encrypted
secrets in S3.

------
carrja99
I prefer credstash
([https://github.com/fugue/credstash](https://github.com/fugue/credstash))
which uses KMS and stores encrypted values in DynamoDB. It has built-in
Ansible support via lookups too!

------
thatrascaltiger
It looks like this is fairly similar to Mozilla sops[1].

[1][https://github.com/mozilla/sops](https://github.com/mozilla/sops)

~~~
coredog64
I read the documentation but can't determine if sops supports credentials via
IAM roles. Can anyone with experience chime in?

~~~
thatrascaltiger
It does -
[https://github.com/mozilla/sops/blob/master/sops/__init__.py...](https://github.com/mozilla/sops/blob/master/sops/__init__.py#L1127)

------
hendry
At work we use chef to deploy our credentials via KML flat files on the
servers that require them. Works rather well.

~~~
otterley
What are KML flat files? And how are you maintaining them without keeping the
secrets in plaintext in source control?

------
bluecmd
Why no key rotation? I'd be very careful with something that doesn't rotate
keys.

~~~
whisk3rs
Keys: KMS handles rotation of the master key automatically
([http://docs.aws.amazon.com/kms/latest/developerguide/rotate-...](http://docs.aws.amazon.com/kms/latest/developerguide/rotate-keys.html)).
The ephemeral key used to encrypt values is changed any time a value is set.

Values: [https://github.com/dcoker/biscuit#how-do-i-rotate-the-values](https://github.com/dcoker/biscuit#how-do-i-rotate-the-values)
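
The envelope-encryption pattern described in this comment (a KMS-managed master key that only ever wraps per-value data keys, and a fresh data key minted every time a value is set), as an added illustration that is not Biscuit's code and not taken from the thread. The `MasterKey` type is an in-process stand-in for KMS so that the program runs offline; real KMS never releases the master key bytes, and Biscuit's actual storage format and cipher choice are not shown here. AES-GCM is used for both layers purely for the demonstration.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
	"io"
)

// aesGCMSeal encrypts plaintext under key with a random 96-bit nonce and
// returns nonce||ciphertext. AES-GCM authenticates, so tampering is detected on open.
func aesGCMSeal(key, plaintext []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, nil), nil
}

// aesGCMOpen reverses aesGCMSeal; it fails if the key is wrong or the blob was modified.
func aesGCMOpen(key, sealed []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	if len(sealed) < gcm.NonceSize() {
		return nil, errors.New("sealed blob too short")
	}
	nonce, ct := sealed[:gcm.NonceSize()], sealed[gcm.NonceSize():]
	return gcm.Open(nil, nonce, ct, nil)
}

// MasterKey stands in for a KMS customer master key. With real KMS the key bytes
// never leave the service; holding them in-process is an assumption made so this
// example runs offline.
type MasterKey struct{ key []byte }

func NewMasterKey() (*MasterKey, error) {
	k := make([]byte, 32)
	if _, err := io.ReadFull(rand.Reader, k); err != nil {
		return nil, err
	}
	return &MasterKey{key: k}, nil
}

// GenerateDataKey models KMS GenerateDataKey: a fresh 256-bit data key is returned
// both in plaintext (used once, then discarded) and wrapped under the master key
// (stored next to the value). Master-key rotation inside KMS does not touch this record.
func (m *MasterKey) GenerateDataKey() (plain, wrapped []byte, err error) {
	plain = make([]byte, 32)
	if _, err = io.ReadFull(rand.Reader, plain); err != nil {
		return nil, nil, err
	}
	wrapped, err = aesGCMSeal(m.key, plain)
	if err != nil {
		return nil, nil, err
	}
	return plain, wrapped, nil
}

// UnwrapDataKey models KMS Decrypt applied to a wrapped data key.
func (m *MasterKey) UnwrapDataKey(wrapped []byte) ([]byte, error) {
	return aesGCMOpen(m.key, wrapped)
}

// Envelope is the stored record for one secret value.
type Envelope struct {
	WrappedKey []byte // data key, encrypted by the master key
	Ciphertext []byte // value, encrypted by the data key
}

// SetValue seals a value with a brand-new data key on every call, which is the
// "ephemeral key is changed any time a value is set" behaviour from the comment.
func SetValue(m *MasterKey, value []byte) (Envelope, error) {
	plain, wrapped, err := m.GenerateDataKey()
	if err != nil {
		return Envelope{}, err
	}
	ct, err := aesGCMSeal(plain, value)
	if err != nil {
		return Envelope{}, err
	}
	return Envelope{WrappedKey: wrapped, Ciphertext: ct}, nil
}

// GetValue unwraps the data key through the master key, then decrypts the value.
func GetValue(m *MasterKey, e Envelope) ([]byte, error) {
	plain, err := m.UnwrapDataKey(e.WrappedKey)
	if err != nil {
		return nil, fmt.Errorf("unwrap data key: %w", err)
	}
	return aesGCMOpen(plain, e.Ciphertext)
}

func main() {
	m, _ := NewMasterKey()
	e1, _ := SetValue(m, []byte("db-password-v1"))
	e2, _ := SetValue(m, []byte("db-password-v1")) // re-setting the value mints a new data key
	fmt.Println("distinct wrapped keys:", !bytes.Equal(e1.WrappedKey, e2.WrappedKey))
	v, err := GetValue(m, e2)
	fmt.Printf("%s %v\n", v, err)
}
```

Setting the same value twice yields two different wrapped keys and two different ciphertexts, so a rotated value shares nothing with its predecessor; opening a record under a different master key, or after any byte of the ciphertext changes, fails authentication rather than returning garbage.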

------
moondev
I feel like this problem is already solved with iam ec2 instance roles

[http://docs.aws.amazon.com/AWSEC2/latest/UserGuide/iam-roles...](http://docs.aws.amazon.com/AWSEC2/latest/UserGuide/iam-roles-for-amazon-ec2.html)

~~~
manojlds
You need to look at this tool and understand what it does.

~~~
matt_wulfeck
Fair enough, but IAM roles do fit all of the requirements listed in the "is
biscuit right for me?" section.

------
Xorlev
Somewhat off-topic, but I read dcoker's username as docker at first and was
fairly confused as to why docker was producing something like this just for
AWS.

