
Show HN: Alohomora – secret distribution over credstash - captn3m0
https://github.com/razorpay/alohomora
======
ImJasonH
Wouldn't the Fidelius Charm be a more appropriate Harry Potter reference? :)

[http://harrypotter.wikia.com/wiki/Fidelius_Charm](http://harrypotter.wikia.com/wiki/Fidelius_Charm)

------
sandGorgon
Pretty interesting. Does this fit in with Vault
([https://www.vaultproject.io](https://www.vaultproject.io)) or is it an
alternative?

------
jwineinger
Don't use credstash; we've had much pain with it. Many breaking changes not
documented as such.

Move to AWS Parameter Store or AWS Secret Manager.

~~~
lenova
Just out of curiosity, what broke? (I'm using it and haven't run into issues,
but always interested in hearing about others' experiences so I can
proactively avoid the same issues).

~~~
jwineinger
It has been a while but the issues that are coming to mind are:

- A (semver) patch version after 1.13.0 made a backwards incompatible change to the way the hmac field was stored in dynamo, IIRC. This broke older versions' and alternative implementations' (jcredstash) ability to read secrets stored by newer versions. IIRC it was some double base64-encoding issue or something like that.
- Early versions of credstash didn't use zero padded version numbers, and then later versions switched. This was documented but still caused some headaches.
- Recently coworkers have made some noise about incompatibility with python3. I haven't had a chance to evaluate that though.

Not a breakage, but an annoyance:

- Lack of handling pagination for dynamo queries, so you only get a list of the secrets+versions that are returned in the first page of results. We don't need to list all that often, but when you do... (rage). I would end up having to make queries against the dynamo table itself to find available secret names or versions.

Finally, it is much slower than using SSM parameters. It was a usable but
warty tech for a while, but now that AWS has native support for storing
secrets there seems little reason to continue with it.
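The two listing problems raised in the comment above, pagination and unpadded version numbers, worked through as an added example (this is not credstash's or alohomora's code). A small in-memory stub stands in for boto3's `Table.query()`, returning pages with `LastEvaluatedKey` the way DynamoDB does; the table rows, secret names and page size are constructed for the example.

```python
"""Added example: listing every secret version from a DynamoDB-style table.

Not credstash code. `fake_query` mimics the response shape of boto3's
Table.query() ({"Items": [...], "LastEvaluatedKey": {...}}) with an
in-memory stub so the example runs offline. The rows below are constructed.
"""
from typing import Callable, Dict, List, Optional

# Constructed sample rows. The "db-password" versions are NOT zero padded,
# so a string comparison would rank "9" above "10"; "api-key" uses the
# zero-padded style, so both styles coexist in the same table.
SAMPLE_ITEMS: List[Dict[str, str]] = [
    {"name": "db-password", "version": "1"},
    {"name": "db-password", "version": "2"},
    {"name": "db-password", "version": "9"},
    {"name": "db-password", "version": "10"},
    {"name": "api-key", "version": "0000000000000000001"},
]

PAGE_SIZE = 3  # constructed: small so the sample spans two pages


def fake_query(exclusive_start_key: Optional[Dict] = None) -> Dict:
    """Stand-in for Table.query(): return one page of items and, when more
    rows remain, a LastEvaluatedKey to pass back as ExclusiveStartKey."""
    start = 0 if exclusive_start_key is None else exclusive_start_key["index"]
    page = SAMPLE_ITEMS[start:start + PAGE_SIZE]
    resp: Dict = {"Items": page}
    if start + PAGE_SIZE < len(SAMPLE_ITEMS):
        resp["LastEvaluatedKey"] = {"index": start + PAGE_SIZE}
    return resp


def first_page_only(query: Callable[[Optional[Dict]], Dict]) -> List[Dict]:
    """The failure mode described in the thread: read one page and stop."""
    return list(query(None).get("Items", []))


def query_all(query: Callable[[Optional[Dict]], Dict]) -> List[Dict]:
    """Drain every page by re-issuing the query with LastEvaluatedKey until
    DynamoDB omits it, which is the signal that no rows remain."""
    items: List[Dict] = []
    start_key: Optional[Dict] = None
    while True:
        resp = query(start_key)
        items.extend(resp.get("Items", []))
        start_key = resp.get("LastEvaluatedKey")
        if start_key is None:
            return items


def latest_version(items: List[Dict], name: str) -> Optional[str]:
    """Pick the highest version numerically. int() accepts both padded and
    unpadded version strings, so a table with mixed styles compares correctly;
    max() on the raw strings would not ("9" > "10" lexicographically)."""
    versions = [row["version"] for row in items if row["name"] == name]
    if not versions:
        return None
    return max(versions, key=int)


def latest_version_lexicographic(items: List[Dict], name: str) -> Optional[str]:
    """The naive string comparison, kept for contrast with latest_version."""
    versions = [row["version"] for row in items if row["name"] == name]
    return max(versions) if versions else None


if __name__ == "__main__":
    partial = first_page_only(fake_query)
    full = query_all(fake_query)
    print(f"first page only: {len(partial)} rows, latest db-password = "
          f"{latest_version(partial, 'db-password')}")
    print(f"all pages:       {len(full)} rows, latest db-password = "
          f"{latest_version(full, 'db-password')}")
    print(f"string compare would pick: "
          f"{latest_version_lexicographic(full, 'db-password')}")
```

Reading only the first page reports version 9 as the newest `db-password` and never sees `api-key` at all, which is exactly the silent truncation the comment complains about; draining pages until `LastEvaluatedKey` disappears fixes it, and comparing versions as integers keeps the result right whether or not the stored versions were zero padded.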

