Brian Vallelunga
Podcast Appearances
Yeah. Um, well, first off Doppler is super cheap. We're free actually to start. Um, so it doesn't get cheaper than that. Um, uh, yeah, it's free for the first three years users. And then it's basically GitHub priced from there. Um, so if you, if you're comfortable paying for GitHub, you should be comfortable paying for Doppler. Um, uh,
But let's just say you don't want to do that for whatever reason. I think the most important thing you can do if you're not going to use any tooling at all or bare minimum tooling is use like a cloud secrets provider, like AWS Secrets Manager, GCP Secrets Manager, and so on, and then build some tooling around it so that you can fetch secrets locally in development without them touching disk.
So what you need to do is have some wrapper around your application that starts your application. So I'd imagine the workflow would be like fetch secrets from AWS Secrets Manager, inject them into the environment or write them to an encrypted file and then have the decryption key in the environment, either path works.
And then once the application starts, you clean up the environment and then load all your other dependencies. And if you did that, plus having your secrets in AWS Secrets Manager and that being the same process happening for production workloads, at least you've solved most of the risk, in my mind.
Also, when you're doing this and this where things get a little bit more of a burden because AWS managing privileges like IAM roles is quite complicated, in my opinion, is you're going to want to make sure that every individual developer and every developer set of infrastructure has their own identity.
And that way you have robust audit logs of like, okay, the secret was taken by X developer at this time or read by this time. And we, we can, we have this auditor of what happened. Um, so you don't want to basically create one master IAM credential and just share it with your entire team because then you lose a lot of your auditing story along with it. Um,
And you'll also probably want to set up, if you have a little bit of extra time to spend, an auditing story around reads. So every time a secret is downloaded from this endpoint, you're going to want to make sure that you have the right logging and auditing set up in AWS for that. And that you're actually looking at those logs and have analysis over those logs. Gotcha. Absolute bare minimum.
Less and less. So they added something called 1Password Secrets Automation. Everything that I've heard from my community is that they are not actively investing in that product anymore. And it's kind of like shelfware now. Shelfware, I've never heard that. It's there, it's available, you can use it, but it's not actively being invested in. It's on the shelf.
But the amount of people every year that I hear using it is less and less because, A, I think there's first-class products now that really work. And the amount of things that you want out of Secrets Manager is growing far faster than what they're adding to, which is at this pace, from my understanding, it's zero. But you can't do it.
I mean, like Secrets Manager or 1Password is end-to-end encrypted. So like you're getting a lot of security benefits from that. So I'm not going to say, hey, don't ever use it. If push came to shove, use it. I just think there's like far better things that are also easier to use and far better priced out there that are readily available.