Secrets management #30
Comments
One problem that I have with AWS SM is that we need to be very careful. Not all admins of the AWS account would be admins of the PyTorch Foundation. Those secrets, as of now, have app keys that have a somewhat high level of access.
We decided to go with 1password. We created a shared vault called "Engineering" which we will use moving forward.
@zxiiro who are those we? Is there a link to a document of some sort? To the best of my knowledge, AWS Secrets Manager has never been compromised, while 1password was https://www.bleepingcomputer.com/news/security/1password-discloses-security-incident-linked-to-okta-breach/ which would be my data point against 1password
@malfet I discussed with @jeanschmidt and he stated he'd prefer 1password. In his comment above mine he stated that he had concerns about using AWS Secrets Manager.
I think at the moment whether we use AWS SM or 1Password it doesn't really matter too much, but if we're thinking about supporting a multicloud environment 1Password is probably the better choice.
The environment variables storing secrets can now be loaded from the 1password vault. This requires a new command to set up the environment variables before passing to make.

    op run --env-file make.env -- make arc-canary

This also requires the 1password CLI to be installed.

Issue: #30
Ref: https://developer.1password.com/docs/cli/
Signed-off-by: Thanh Ha <thanh.ha@linuxfoundation.org>
The environment variables storing secrets can now be loaded from the 1password vault. This requires a new command to set up the environment variables before passing to make.

    op run --env-file make.env -- make

This also requires the 1password CLI to be installed.

Issue: #30
Ref: https://developer.1password.com/docs/cli/
Signed-off-by: Thanh Ha <thanh.ha@linuxfoundation.org>
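An added example, not part of the thread or of the project's repository: a lint that can run before make.env is committed, assuming the file holds 1Password secret references (`op://vault/item/field`) that `op run --env-file` resolves at run time. The variable names, the item and field names and the sample file contents are constructed placeholders; only the "Engineering" vault name comes from the thread.

```shell
#!/bin/sh
# Added example: lint an env file meant for `op run --env-file`.
# Prints every credential-looking variable whose value is not an op://
# reference; returns 1 if any were found, 0 otherwise.
check_env_file() {
    file=$1
    bad=0
    while IFS= read -r line || [ -n "$line" ]; do
        case $line in
            ''|'#'*) continue ;;   # skip blank lines and comments
            *=*) ;;                # KEY=VALUE, handled below
            *) continue ;;         # not an assignment
        esac
        name=${line%%=*}
        value=${line#*=}
        # Strip one pair of surrounding double or single quotes.
        case $value in
            \"*\") value=${value#\"}; value=${value%\"} ;;
            \'*\') value=${value#\'}; value=${value%\'} ;;
        esac
        # Only names that look like credentials are checked (assumed heuristic).
        case $name in
            *TOKEN*|*SECRET*|*PASSWORD*|*KEY*) ;;
            *) continue ;;
        esac
        case $value in
            op://?*/?*/?*) ;;      # vault/item/field reference
            *) printf '%s\n' "$name"; bad=1 ;;
        esac
    done < "$file"
    return "$bad"
}

# Constructed sample: one reference into the "Engineering" vault, one
# plaintext credential that must be flagged, one non-secret setting.
sample_env() {
    cat <<'EOF'
# make.env (constructed sample)
GITHUB_APP_KEY="op://Engineering/example-item/private-key"
RUNNER_TOKEN=abc123-constructed-plaintext
AWS_REGION=us-east-1
EOF
}

tmp=$(mktemp)
sample_env > "$tmp"
check_env_file "$tmp" || echo "plaintext credential(s) found in env file"
rm -f "$tmp"
```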
We need to manage secrets in a safe and secure way so that folks working in CI can have the appropriate access to retrieve necessary secrets. Some ideas to investigate:
AWS Secrets Manager might be a good option since it's stored in our AWS Account and all ci-infra admins should be able to access it. It has a Terraform provider too, which we can use to retrieve secrets as part of terraform commands.