
199 points elza_1111 | 2 comments
frollogaston ◴[] No.44456193[source]
For a long time and probably still today, Google AppEngine kinda encouraged storing secrets in the YAML, which is easy to accidentally git-commit. There's no easy way to pass secrets to your services otherwise, unlike Heroku etc., where it's always been a single command to put them into envvars on the jobs.

Last time I tried, the default suggestion was Cloud KMS (yeah), now there's some new secret manager that also looks annoying: https://stackoverflow.com/questions/58371905/how-to-handle-s...

replies(1): >>44456971 #
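
An added example, not part of the thread or any commenter's code: a pre-commit style check that flags literal secrets under `env_variables` in an App Engine `app.yaml`, the accidental-commit risk described in the comment above. The sample file, the name patterns and the entropy threshold are constructed assumptions.

```python
import math
import re

# Constructed sample app.yaml (not from the thread); all values are fake.
SAMPLE_APP_YAML = """\
runtime: python312
env_variables:
  LOG_LEVEL: "info"
  DB_PASSWORD: "hunter2-constructed"
  SESSION_SALT: 9f2c7a1e4b8d6c3f0a5e7b1d2c4f6a8b
  API_TOKEN: ${API_TOKEN}
handlers:
  - url: /.*
    script: auto
"""

# Assumed heuristics: variable names that usually hold credentials, and
# values that are placeholders to be filled in at deploy time.
SENSITIVE_NAME = re.compile(r"(PASSWORD|PASSWD|SECRET|TOKEN|API_?KEY|CREDENTIAL|_KEY$)", re.I)
PLACEHOLDER = re.compile(r"^(\$\{?\w+\}?|<[^>]+>|)$")

def shannon_entropy(s):
    """Bits per character; random hex or base64 strings score high."""
    counts = {c: s.count(c) for c in set(s)}
    return -sum(n / len(s) * math.log2(n / len(s)) for n in counts.values())

def find_inline_secrets(yaml_text):
    """Return (line number, variable, reason) for literals under env_variables."""
    findings, in_env = [], False
    for lineno, raw in enumerate(yaml_text.splitlines(), 1):
        line = raw.split(" #", 1)[0].rstrip()
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        if not line[0].isspace():  # a top-level key opens or closes the block
            in_env = line.strip() == "env_variables:"
            continue
        if not in_env or ":" not in line:
            continue
        name, value = (part.strip() for part in line.split(":", 1))
        value = value.strip("'\"")
        if PLACEHOLDER.match(value):
            continue  # deploy-time substitution, nothing stored in the file
        if SENSITIVE_NAME.search(name):
            findings.append((lineno, name, "sensitive name with literal value"))
        elif len(value) >= 20 and shannon_entropy(value) >= 3.5:
            findings.append((lineno, name, "high-entropy literal"))
    return findings
```

Run from a pre-commit hook, a non-empty result from `find_inline_secrets` would block the commit until the value is moved out of the file.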
null_deref ◴[] No.44456971[source]
And can we talk about the predatory pricing model? In AWS one secret service prices a secret for 0.4 dollars a month. I was appalled when I first saw it, are you going to charge me 5$ a year for storing my 12 bytes?
replies(1): >>44457786 #
bdcravens ◴[] No.44457786[source]
If all you're doing is storing, and not using advanced features like auto rotation, Parameter Store is free for most use cases.
replies(1): >>44459248 #
1. null_deref ◴[] No.44459248[source]
Ok I may have misread the pricing model, I’ll look into it, thanks!
replies(1): >>44459858 #
2. bdcravens ◴[] No.44459858[source]
To be clear, Parameter Store is a separate product from Secrets Manager, but is essentially the same thing without features like the UI, key rotation, etc. Functionally though, they're the same (for example, passing secrets into an ECS container is just a matter of passing the ARN)