Biscuit: a multi-region key value store for your AWS infrastructure secrets (github.com/dcoker)
111 points by ptest1 on July 17, 2016 | hide | past | favorite | 18 comments

The project is nice, but I'm gonna have to stick with Vault as I like the flexibility of storage backends and not locked into AWS for enterprise-y apps that can't go to AWS.

How does Vault verify the identity of the host requesting access to the credentials? I didn't find anything in the documentation that would give me information pertaining to that.

It doesn't, at least not by itself. There are ways to make it work, though, if you're clever. We've got an internal daemon that watches for instance launches via SNS notifications (published to an SQS queue); the daemon then requests a bootstrap token from Vault on behalf of the new instance and passes it to the instance via another SQS queue.

The new instance then consumes the bootstrap token from the queue and exchanges it for whatever other tokens it has permission to obtain.

You can use the new AWS-EC2 auth backend in Vault 0.6
That backend is very nascent, so don't oversell it. It currently is AMI dependent, making it next to useless for a lot of teams.

This is also similar to Sneaker (https://github.com/codahale/sneaker), which is written in Go. It doesn't copy to other regions by default, but it's not hard to handle that on your own. This also uses KMS, but stores encrypted secrets in S3.

I prefer credstash (https://github.com/fugue/credstash) which uses KMS and stores encrypted values in dynamodb. It has built in ansible support via lookups too!

It looks like this is fairly similar to Mozilla sops[1].
I read the documentation but can't determine if sops supports credentials via IAM roles. Can anyone with experience chime in?

At work we use chef to deploy our credentials via KML flat files on the servers that require them. Works rather well.

What are KML flat files? And how are you maintaining them without keeping the secrets in plaintext in source control?

Why no key rotation? I'd be very careful with something that doesn't rotate keys.

Keys: KMS handles rotation of the master key automatically (http://docs.aws.amazon.com/kms/latest/developerguide/rotate-...). The ephemeral key used to encrypt values is changed any time a value is set.

Values: https://github.com/dcoker/biscuit#how-do-i-rotate-the-values
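The envelope scheme this reply describes (a master key held by KMS wrapping a fresh data key for every write, so a rewritten value never reuses the old data key), as an added Go example that is not Biscuit's own code. A local AES-GCM key stands in for the KMS master key, and `Envelope`, `Set` and `Get` are names chosen here rather than Biscuit's API.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
)

// Envelope is one stored secret: the value sealed under a per-value data key, plus that data key wrapped under the master key (the part KMS holds and rotates).
type Envelope struct {
	WrappedKey, Ciphertext []byte
}

// must panics on errors only a bug (wrong key length) or a dead CSPRNG can cause.
func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}
// seal returns nonce || AES-GCM(key, value) using a fresh random nonce.
func seal(key, value []byte) []byte {
	g := must(cipher.NewGCM(must(aes.NewCipher(key))))
	nonce := make([]byte, g.NonceSize())
	must(rand.Read(nonce))
	return g.Seal(nonce, nonce, value, nil)
}
// open reverses seal; it fails on a wrong key or any tampering with the stored bytes.
func open(key, sealed []byte) ([]byte, error) {
	g := must(cipher.NewGCM(must(aes.NewCipher(key))))
	if n := g.NonceSize(); len(sealed) >= n {
		return g.Open(nil, sealed[:n], sealed[n:], nil)
	}
	return nil, errors.New("ciphertext truncated")
}
// Set mints a fresh 256-bit data key on every write (stand-in for KMS GenerateDataKey).
func Set(master, value []byte) Envelope {
	dataKey := make([]byte, 32)
	must(rand.Read(dataKey))
	return Envelope{WrappedKey: seal(master, dataKey), Ciphertext: seal(dataKey, value)}
}
// Get unwraps the data key with the master key, then decrypts the value with it.
func Get(master []byte, e Envelope) ([]byte, error) {
	dataKey, err := open(master, e.WrappedKey)
	if err != nil {
		return nil, err
	}
	return open(dataKey, e.Ciphertext)
}
```

Rotating the master key then only means unwrapping each `WrappedKey` with the old key and re-wrapping it with the new one; the value ciphertexts are untouched.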

I feel like this problem is already solved with iam ec2 instance roles
You need to look at this tool and understand what it does.

Fair enough, but IAM roles do fit all of the requirements listed in the "is biscuit right for me?" section.

Somewhat off-topic, but I read dcoker's username as docker at first and was fairly confused as to why docker was producing something like this just for AWS.
