We use YAML for configuration of many things - Concourse pipelines, BOSH deployments, Cloud Foundry applications, and more - and we continually want to handle the secrets inside those files more securely.

Two tools can be used together to help:

  • HashiCorp Vault for storing secrets
  • Geoff Franks' spruce for merging Vault secrets into YAML files.

To quickly see them in action, run Vault in local dev mode (in-memory, http only, unsealed).

$ vault server -dev

[editor: of course, you wouldn't run vault in -dev mode in production]

In another window, pretend to store your master AWS secrets into your Vault:

$ export VAULT_ADDR=http://127.0.0.1:8200
$ vault write secret/aws/starkandwayne access=XXX secret=YYY
Success! Data written to: secret/aws/starkandwayne

To confirm that both the access and secret keys are stored in Vault:

$ vault read secret/aws/starkandwayne
Key                 Value
---                 -----
refresh_interval    2592000
access              XXX
secret              YYY

Now create your publicly publishable YAML config file (base.yml) that references your Vault path:

---
s3:
  aws:
    access_key: (( vault "secret/aws/starkandwayne:access" ))
    secret_key: (( vault "secret/aws/starkandwayne:secret" ))

This configuration file can now be included in OSS/public repositories because the secrets are stored in Vault.

Only you (or your team, with access to a Vault holding the same keys) can now merge in the values with spruce:

$ spruce merge base.yml

The output will include the secrets:

s3:
  aws:
    access_key: XXX
    secret_key: YYY
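As an added illustration (this is not spruce's own code, nor from the original post), here is a minimal Python resolver for the `(( vault "path:key" ))` references used above. It assumes a KV v1 `secret/` mount like the dev server's, and that VAULT_ADDR and VAULT_TOKEN are set for the live reader; the offline run uses a constructed stand-in for the dev Vault.

```python
import json
import os
import re
import urllib.request

# Matches spruce's vault operator exactly as written on the page:
#   (( vault "secret/aws/starkandwayne:access" ))
VAULT_OP = re.compile(r'\(\(\s*vault\s+"([^":]+):([^"]+)"\s*\)\)')

def vault_http_reader(path):
    """Read a KV v1 secret over Vault's HTTP API (GET /v1/<path>).

    Assumes VAULT_ADDR and VAULT_TOKEN are set. The dev server on the page
    mounts secret/ as KV v1, so the keys sit directly under "data".
    """
    req = urllib.request.Request(
        f"{os.environ['VAULT_ADDR']}/v1/{path}",
        headers={"X-Vault-Token": os.environ["VAULT_TOKEN"]},
    )
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)["data"]

def resolve(yaml_text, reader):
    """Replace every (( vault "path:key" )) with the value from Vault.

    `reader(path)` returns the secret's key/value dict. A missing path or
    key raises instead of leaving the reference (or an empty string) in
    the output, so a broken lookup can never ship a half-rendered config.
    """
    def substitute(match):
        path, key = match.group(1), match.group(2)
        data = reader(path)
        if key not in data:
            raise KeyError(f"{path} has no key {key!r}")
        return str(data[key])
    return VAULT_OP.sub(substitute, yaml_text)

# Constructed stand-in for the dev Vault written to on the page.
FAKE_VAULT = {"secret/aws/starkandwayne": {"access": "XXX", "secret": "YYY"}}

BASE_YML = """---
s3:
  aws:
    access_key: (( vault "secret/aws/starkandwayne:access" ))
    secret_key: (( vault "secret/aws/starkandwayne:secret" ))
"""

def render_example():
    return resolve(BASE_YML, FAKE_VAULT.__getitem__)

if __name__ == "__main__":
    print(render_example())
```

Swap `FAKE_VAULT.__getitem__` for `vault_http_reader` to resolve against the running dev server.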

Learn more about Vault, spruce and how we're using them at https://www.starkandwayne.com/blog/standing-up-vault-using-genesis/