Show HN: Alohomora – secret distribution over credstash (github.com)
5 comments

Wouldn't the Fidelius Charm be a more appropriate Harry Potter reference? :)


Pretty interesting. Does this fit in with Vault (https://www.vaultproject.io) or is it an alternative?

Don't use credstash; we've had much pain with it. Many breaking changes not documented as such.

Move to AWS Parameter Store or AWS Secret Manager.

Just out of curiosity, what broke? (I'm using it and haven't run into issues, but always interested in hearing about others' experiences so I can proactively avoid the same issues).

It has been a while but the issues that are coming to mind are:
- A (semver) patch version after 1.13.0 made a backwards-incompatible change to the way the hmac field was stored in dynamo, IIRC. This broke the ability of older versions and alternative implementations (jcredstash) to read secrets stored by newer versions. IIRC it was some double base64-encoding issue or something like that.
- Early versions of credstash didn't use zero-padded version numbers, and then later versions switched. This was documented but still caused some headaches.
- Recently coworkers have made some noise about incompatibility with python3. I haven't had a chance to evaluate that though.

Not a breakage, but an annoyance:
- Lack of handling pagination for dynamo queries, so you only get a list of the secrets+versions that are returned in the first page of results. We don't need to list all that often, but when you do... (rage). I would end up having to make queries against the dynamo table itself to find available secret names or versions.

Finally, it is much slower than using SSM parameters. It was a usable but warty tech for a while, but now that AWS has native support for storing secrets there seems little reason to continue with it.
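The pagination and version-padding issues raised in the comment above, shown as an added example (not credstash's or the thread's own code): a listing that follows DynamoDB's LastEvaluatedKey across pages and compares versions numerically so padded and unpadded entries sort together. It assumes the credstash table layout of a `name` hash key and `version` range key; `FakeTable` is a constructed stand-in for boto3's `Table.query` so the example runs offline.

```python
# Added example (not credstash's own code): list every secret and its latest version from a
# credstash-style DynamoDB table (keys `name`, `version`) by following LastEvaluatedKey.
# FakeTable is a constructed stand-in for boto3's Table.query so this runs offline.
from typing import Callable, Dict, Iterable, Iterator, List

def query_all(query: Callable[..., dict], **kwargs) -> Iterator[dict]:
    """Yield items from every page; one Query call returns at most one (1 MB) page."""
    start_key = None
    while True:
        params = dict(kwargs)
        if start_key is not None:
            params["ExclusiveStartKey"] = start_key  # resume after the last item seen
        page = query(**params)
        yield from page.get("Items", [])
        start_key = page.get("LastEvaluatedKey")
        if not start_key:  # DynamoDB omits the key on the final page
            return

def latest_versions(items: Iterable[dict]) -> Dict[str, str]:
    """Highest version per name, compared as integers so an unpadded '9' and a
    zero-padded '0000000000000000010' written by different credstash eras sort correctly."""
    latest: Dict[str, str] = {}
    for item in items:
        name, version = item["name"], item["version"]
        if name not in latest or int(version) > int(latest[name]):
            latest[name] = version
    return latest

class FakeTable:
    """Constructed DynamoDB stand-in: page_size items per call, LastEvaluatedKey on all but the last page."""
    def __init__(self, items: List[dict], page_size: int = 2):
        self.items, self.page_size = items, page_size

    def query(self, **kwargs) -> dict:
        start = 0
        if "ExclusiveStartKey" in kwargs:
            # Sample items carry only key attributes, so the key dict equals the item itself
            start = self.items.index(kwargs["ExclusiveStartKey"]) + 1
        page = self.items[start:start + self.page_size]
        resp = {"Items": page}
        if start + self.page_size < len(self.items):
            resp["LastEvaluatedKey"] = {"name": page[-1]["name"], "version": page[-1]["version"]}
        return resp

# Constructed sample rows: five (name, version) items, i.e. three pages of two.
SAMPLE_ITEMS = [
    {"name": "db/password", "version": "0000000000000000001"},
    {"name": "db/password", "version": "0000000000000000002"},
    {"name": "api/key", "version": "9"},
    {"name": "api/key", "version": "0000000000000000010"},
    {"name": "tls/cert", "version": "0000000000000000001"},
]
```

Calling `latest_versions(query_all(FakeTable(SAMPLE_ITEMS).query))` returns all three names; reading only the first page, as the comment describes, would miss `tls/cert` entirely.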

