4 ways to inject secrets into an application

Mickaël Canévet - Aug 24 '20 - - Dev Community

Most applications require secrets, for example to connect to a database, communicate with another application using tokens or certificates, define an admin password…

Dealing with this is often a headache. Even when you have a proper secret management tool, it's sometimes a nightmare to inject the secrets into the application where it needs to be used.

The 4 ways

First way: build time

This is probably the worst way to do it.

Examples:

  • Build a WAR file, or a Docker image or any artifact with a configuration file that contains the secret in plain text.

Pros:

  • Your deployment tool does not need permissions to decrypt the secrets.

Cons:

  • Your whole artifact becomes a secret;
  • You have to rebuild and redeploy when you want to renew a secret.

Second way: deploy time

Examples:

  • Give a Continuous Deployment pipeline access to a secrets store an let it inject the secrets in the application's configuration files;
  • Give a Continuous Deployment tool, like ArgoCD, access to a secrets store an let it inject the secrets in the application's configuration files.

Pros:

  • You don't have to rebuild when you want to renew a secret.

Cons:

  • Your deployment tool needs permissions to retrieve and decrypt the secrets;
  • You have to redeploy when you want to renew a secret.

Third way: start time

Examples:

Pros:

  • Your deployment tool does not need permissions to decrypt the secrets;
  • You don't have to redeploy when you want to renew a secret.

Cons:

  • You need to restart your application when you want to renew a secret.

Forth way: run time

Examples:

  • AWS instance profiles;
  • HashiCorp Vault as secret store and Vault Agent Injector in sidecar mode.

Pros:

  • You can renew your secret without even having to restart your application, allowing a dynamic secrets mechanism.

Cons:

  • You probably need to adapt your application (or not if you already use an SDK that supports it).

Conclusion

Do you know any more ways to inject secrets in your applications? Let me know in the comments!

Image
How Do I Change Translated Language in YouTube Comments?

translatedyoutubecomment, youtubecommenttranslation, youtubelanguagesettings, youtubeautotranslation
Image
Coordinating multiple gesture recognizers

swift, uikit, animation
Image
Lesson 3 – Data Structures for Employee Management
Image
Découverte de l'Architecture Hexagonale : l'hexa c'est carré !

softwareengineering, cleanarchi, php, todayilearned
Image
How AI is Revolutionizing Customer Feedback for Local Businesses
Image
Beginner’s Guide to Web Development

webdev, beginners, programming, tutorial
Image
Why Use AWS App Runner?

aws, startup, devops, webdev
Image
Top 5 Tips for Move Out Cleaning in Brisbane

basic
Image
3D PRINTING IN EDUCATION
Image
Book Review: "A Philosophy of Software Design" by John Ousterhout

books, softwareengineering
Image
PRINTING FUTURE
Image
Day 2. Networking layer. 

android, 100daysofcode, kotlin, mobile
Image
AWS IAM User Access Keys are a force to be reckoned with & This is how it is done, on exposure !!

aws, security, permissions, iam
Image
Daily Market Recap: $BTC Retests $57K As Market Prepares for Fed Meeting - CoinStats Analytics
Image
Closures : Important concept in JavaScript

javascript, webdev, beginners, tutorial
Image
Microservices vs. Monolithic Architecture in .NET Applications

dotnet, microservices, systemdesign, programming
Image
Rust Jobs Report 2024 - 814+ Jobs from Amazon, Google, Microsoft, Apple ...

rust, hiring, discuss, news
Image
Git Get One File From Another Repo

git
Image
Building Your Own ChatGPT with Multimodal Data on a GPU Platform

spheron, aptos, gpu, llm
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Terabox Video Player