brandon/oam
1
0
Fork 0
mirror of https://gitea.com/mcereda/oam.git synced 2026-02-09 05:44:23 +00:00
Code Issues Packages Projects Releases Wiki Activity

feat(kb): introduce secrets management

Browse Source
This commit is contained in:
Michele Cereda
2025-08-02 22:47:51 +02:00
parent 5a30a80597
commit 1f2259ad91
10 changed files with 340 additions and 63 deletions
Download Patch File Download Diff File Expand all files Collapse all files

2
knowledge base/cloud computing/aws/README.md
View File

@@ -227,6 +227,7 @@ One can can rapidly remapping addresses to other instances in one's account and
| [Route53] | DNS |
| [S3] | Storage |
| [Sagemaker] | Machine learning |
| [Secrets Manager] | Secrets management |
| [Security Hub] | Aggregator for security findings |
| [SNS] | Pub/sub message delivery |
| [SQS] | Queues |
@@ -895,6 +896,7 @@ machine if not.
[route53]: route53.md
[s3]: s3.md
[sagemaker]: sagemaker.md
[secrets manager]: secrets%20manager.md
[sns]: sns.md
[sqs]: sqs.md

74
knowledge base/cloud computing/aws/secrets manager.md Normal file
View File

@@ -0,0 +1,74 @@
# AWS Secrets Manager
AWS' native secrets management service.
1. [TL;DR](#tldr)
1. [Further readings](#further-readings)
1. [Sources](#sources)
## TL;DR
Provides integration with the AWS ecosystem and has automatic rotation capabilities specifically designed for AWS
services.
Offers precise access control to each secret via fine-grained IAM permissions with resource-based policies.<br/>
Supports VPC endpoints to enables private network access without the need for Internet routing. Optimal for air-gapped
or highly secure environments.<br/>
Critical secrets can be replicated cross-region.
Costs $0.40 per secret per month, plus $0.05 per 10,000 API calls.<br/>
Secrets that are marked for deletion are not paid for.
Secrets Manager uses keys from KMS to encrypt the secrets it manages.<br/>
On first use, Secrets Manager creates the AWS-managed key `aws/secretsmanager` to encrypt the secrets given to it. There
is **no** cost for using this key.<br/>
When _automatic_ rotation is turned on for a secret, Secrets Manager uses a Lambda function to rotate it. The use of the
Lambda function is charged at the current Lambda rate.
The rotation function is **not** called for secrets using _managed_ rotation.
Logs of the API calls that Secrets Manager sends out are sent to CloudTrail, if it is enabled. Costs for CloudTrail are
**in addition** to the ones incurred by using Secrets Manager.
```sh
aws secretsmanager create-secret --name 'TestSecretFromFile' --secret-string 'file://gcp_credentials.json'
aws secretsmanager create-secret \
--name 'MyTestSecret' --description 'A test secret created with the CLI.' \
--secret-string '{"user":"diego","password":"EXAMPLE-PASSWORD"}' \
--tags '[{"Key": "FirstTag", "Value": "FirstValue"}, {"Key": "SecondTag", "Value": "SecondValue"}]'
```
Secrets can be any text or binary up to 65536 bytes (64KB).<br/>
Should one want to automatically rotate them, they must contain the specific JSON fields that the rotation function
expects. Refer the [JSON structure of AWS Secrets Manager secrets].
Secret have versions that hold copies of their encrypted value.<br/>
When changing the secret value, or when the secret is rotated, Secrets Manager creates a new version and serves that by
default. The old version is kept (up to a point), but not accessed unless specifically requested.
One can access a secret across multiple Regions by replicating it.<br/>
When replicating a secret, Secrets Manager creates a copy of the original (A.K.A. _primary_) secret. That copy is known
as a _replica_ secret.<br/>
The replica secret remains linked to the primary secret, and is updated when a new version of the primary is created.
Secrets Manager uses [IAM] to allow only authorized users to access or modify a secret.
_Managed_ secrets are created and managed by the AWS service that created them.<br/>
The managing service might also restrict users from updating secrets, or deleting them without a recovery period.<br/>
Managed secrets use a naming convention that includes the ID of the service managing them.
## Further readings
### Sources
<!--
Reference
═╬═Time══
-->
<!-- In-article sections -->
<!-- Knowledge base -->
[IAM]: iam.md
<!-- Upstream -->
<!-- Others -->
[JSON structure of AWS Secrets Manager secrets]: https://docs.aws.amazon.com/secretsmanager/latest/userguide/reference_secret_json_structure.html

2
knowledge base/grafana.md
View File

@@ -337,7 +337,7 @@ All the references in the [further readings] section, plus the following:
[further readings]: #further-readings
<!-- Knowledge base -->
[Hashicorp Vault]: vault.md
[HashiCorp Vault]: hashicorp%20vault.md
[loki]: loki.md
[prometheus]: prometheus/README.md

15
knowledge base/vault.md → knowledge base/hashicorp vault.md
View File

@@ -1,6 +1,4 @@
# Hashicorp Vault
## Table of contents <!-- omit in toc -->
# HashiCorp Vault
1. [TL;DR](#tldr)
1. [Further readings](#further-readings)
@@ -38,11 +36,16 @@ vault read -format 'json' 'secret/data/demo-app/config'
## Further readings
- [HashiCorp Vault]
- [Website]
- [Secrets management]
<!--
References
Reference
═╬═Time══
-->
<!-- Knowledge base -->
[Secrets management]: secrets%20management.md
<!-- Upstream -->
[hashicorp vault]: https://www.vaultproject.io/
[Website]: https://www.vaultproject.io/

72
knowledge base/infisical.md Normal file
View File

@@ -0,0 +1,72 @@
# Infisical
Open-source platform for [secrets management], PKI, and SSH access.<br/>
Centralizes application configuration, secrets and credentials management, and PKI management.
1. [TL;DR](#tldr)
1. [Further readings](#further-readings)
1. [Sources](#sources)
## TL;DR
_Identities_ are user or machine accounts. Each of them gets assigned sets of roles and permissions.<br/>
They can manage secrets in _clients_ after whey verified themselves through authentication.
_Clients_ are Infisical-developed tools for managing secrets in various infrastructure components.
<!-- Uncomment if used
<details>
<summary>Setup</summary>
```sh
```
</details>
-->
<!-- Uncomment if used
<details>
<summary>Usage</summary>
```sh
```
</details>
-->
<!-- Uncomment if used
<details>
<summary>Real world use cases</summary>
```sh
```
</details>
-->
## Further readings
- [Website]
- [Codebase]
- [Secrets management]
### Sources
- [Documentation]
<!--
Reference
═╬═Time══
-->
<!-- In-article sections -->
<!-- Knowledge base -->
[Secrets management]: secrets%20management.md
<!-- Files -->
<!-- Upstream -->
[codebase]: https://github.com/Infisical/infisical
[documentation]: https://infisical.com/docs
[website]: https://infisical.com/
<!-- Others -->

1
knowledge base/jargon.md
View File

@@ -69,6 +69,7 @@
| HPC | High Performance Computing | Collections of systems and tools used to achieve a greater processing capacity than the single unit |
| IaC | [Infrastructure as Code][iac] | |
| IC | Integrated Circuit | |
| IDP | Internal Developer Platform | |
| IIRC | If I Remember/Recall Correctly | |
| IoT | Internet of Things | Also see [LoRa] |
| IP | Internet Protocol | |

8
knowledge base/openssl.md
View File

@@ -125,8 +125,10 @@ $ openssl req -x509 -out 'cert.pem' \
-newkey 'rsa:4096' -keyout 'key.pem' -days '365' -nodes \
-subj "/C=NL/ST=Nederlands/L=Amsterdam/O=Mek Net/OU=Org/CN=mek.info"
Generating a 4096 bit RSA private key
..............................................................................................................................................................................................................................++
...........................................................................................................................................................................++
........................................................................................................................
......................................................................................................++
........................................................................................................................
...................................................++
writing new private key to 'key.pem'
-----
@@ -220,6 +222,7 @@ See [code 20](#code-20-unable-to-get-local-issuer-certificate).
- [Verify certificate chain with OpenSSL]
- [How to put domain correctly in CSR?]
- [OpenSSL command cheatsheet]
- [The Only OpenSSL CheatSheet You Will Need!]
<!--
Reference
@@ -236,4 +239,5 @@ See [code 20](#code-20-unable-to-get-local-issuer-certificate).
[openssl commands to check and verify your ssl certificate, key and csr]: https://www.ibm.com/support/pages/openssl-commands-check-and-verify-your-ssl-certificate-key-and-csr
[openssl unable to verify the first certificate for experian url]: https://stackoverflow.com/questions/7587851/openssl-unable-to-verify-the-first-certificate-for-experian-url
[the most common openssl commands]: https://www.sslshopper.com/article-most-common-openssl-commands.html
[The Only OpenSSL CheatSheet You Will Need!]: https://www.golinuxcloud.com/openssl-cheatsheet
[verify certificate chain with openssl]: https://www.itsfullofstars.de/2016/02/verify-certificate-chain-with-openssl/

141
knowledge base/pulumi.md
View File

@@ -1,23 +1,26 @@
# Pulumi
1. [TL;DR](#tldr)
1. [Project](#project)
1. [Program](#program)
1. [Projects](#projects)
1. [Programs](#programs)
1. [Ignore changes](#ignore-changes)
1. [Delete before replacing](#delete-before-replacing)
1. [Assign tags to resources by default](#assign-tags-to-resources-by-default)
1. [Outputs](#outputs)
1. [Policy enforcement](#policy-enforcement)
1. [Stack](#stack)
1. [Stacks](#stacks)
1. [Monolith vs micro-stack](#monolith-vs-micro-stack)
1. [State](#state)
1. [Configuration](#configuration)
1. [Backend](#backend)
1. [States](#states)
1. [Configurations](#configurations)
1. [Backends](#backends)
1. [Enforce specific backends for projects](#enforce-specific-backends-for-projects)
1. [Migrate to different backends](#migrate-to-different-backends)
1. [Compose resources](#compose-resources)
1. [Import resources](#import-resources)
1. [Composing resources](#composing-resources)
1. [Importing resources](#importing-resources)
1. [Import components and their children](#import-components-and-their-children)
1. [Pulumi Cloud](#pulumi-cloud)
1. [ESC](#esc)
1. [IDP](#idp)
1. [Troubleshooting](#troubleshooting)
1. [A project with the same name already exists](#a-project-with-the-same-name-already-exists)
1. [Assume role with MFA enabled but AssumeRoleTokenProvider session option not set](#assume-role-with-mfa-enabled-but-assumeroletokenprovider-session-option-not-set)
@@ -27,18 +30,18 @@
1. [Stack init fails due to missing scheme](#stack-init-fails-due-to-missing-scheme)
1. [Stack init fails due to invalid key identifier](#stack-init-fails-due-to-invalid-key-identifier)
1. [Further readings](#further-readings)
1. [Sources](#sources)
1. [Sources](#sources)
## TL;DR
| Concept | ELI5 summary | Notes |
| --------------- | ---------------------------------------------------------- | ------------------------------------------------------------------------------------ |
| [Project] | Any folder that contains a `Pulumi.yaml` file | Collection of code |
| [Program] | The code in a project | Defines resources |
| [Stack] | An isolated, independent instance of a _program_ | Has its own _configuration_ and _state_<br/>Usually defines an environment or branch |
| [Configuration] | The specific data used in a _stack_ | Each _stack_ has its own _configuration_ |
| [State] | Metadata about resources in a _stack_ | Each _stack_ has its own _state_ |
| [Backend] | Storage place for one or more _projects_' sets of _states_ | |
| Concept | ELI5 summary | Notes |
| ------------------- | ---------------------------------------------------------- | ------------------------------------------------------------------------------------ |
| [Project][projects] | Any folder that contains a `Pulumi.yaml` file | Collection of code |
| [Program][programs] | The code in a project | Defines resources |
| [Stack][stacks] | An isolated, independent instance of a _program_ | Has its own _configuration_ and _state_<br/>Usually defines an environment or branch |
| [Configuration][configurations] | The specific data used in a _stack_ | Each _stack_ has its own _configuration_ |
| [State][states] | Metadata about resources in a _stack_ | Each _stack_ has its own _state_ |
| [Backend][backends] | Storage place for one or more _projects_' sets of _states_ | |
When a stack is not explicitly requested in a command (`-s`, `--stack`), Pulumi defaults to the currently selected
one.<br/>
@@ -511,9 +514,9 @@ Learning resources:
- [Code examples]
- [Resources reference]
## Project
## Projects
Refer to [projects] for more and updated information.
Refer [Project][pulumi projects] for more and updated information.
Projects are collections of code.<br/>
Namely, they are the folders containing a `Pulumi.yaml` project file.<br/>
@@ -537,10 +540,10 @@ pulumi new 'kubernetes-yaml' --generate-only
pulumi new 'oci-java'
```
## Program
## Programs
Programs are the the files containing the resources' definitions.<br/>
They are deployed into [stacks][stack].
They are deployed into [stacks].
### Ignore changes
@@ -628,30 +631,30 @@ TODO
See [Automatically Enforcing AWS Resource Tagging Policies], [Get started with Pulumi policy as code].
## Stack
## Stacks
Refer to [stacks] for more and updated information.
Refer [Stack][pulumi stack] for more and updated information.
Single isolated, independent instance of a [program].<br/>
Single isolated, independent instance of a [program][programs].<br/>
Each stack has its own separate set of configuration and secrets, role-based access controls (RBAC), policies and
resources.
The stack name can be specified in one of these formats:
- `stackName`: identifies the stack named `stackName` in the current user account or default organization.<br/>
Its [project] is specified by the nearest `Pulumi.yaml` project file.
Its [project][projects] is specified by the nearest `Pulumi.yaml` project file.
- `orgName/stackName`: identifies the stack named `stackName` in the organization named `orgName`<br/>
Its [project] is specified by the nearest `Pulumi.yaml` project file.
Its [project][projects] is specified by the nearest `Pulumi.yaml` project file.
- `orgName/projectName/stackName`: identifies the stack named `stackName` for the project named `projectName` in the
organization named `orgName`.<br/>
`projectName` must match the project specified by the nearest `Pulumi.yaml` project file.
For self-managed [backends][backend], the `orgName` portion of the stack name must always be the constant string value
For self-managed [backends], the `orgName` portion of the stack name must always be the constant string value
`organization`.
### Monolith vs micro-stack
Refer to [organizing pulumi projects & stacks] for more and updated information.
Refer [Organizing pulumi projects & stacks] for more and updated information.
Monoliths are single, big projects defining all the resources (infrastructure, application, others) for an entire set of
services.<br/>
@@ -718,24 +721,23 @@ root/
└── app/…
```
### State
### States
Refer to [state] for more and updated information.
Refer [State][pulumi state] for more and updated information.
Every [stack] has its own state.
Every [Stack][stacks] has its own state.
States are stored in transactional snapshots called _checkpoints_ and are saved as JSON files.<br/>
Pulumi records checkpoints early and often, so that it can execute similarly to how database transactions work.<br/>
Checkpoints are stored in the [backend], under the `.pulumi/stacks/{project.name}` folder. See the
[backend] section for details.
Checkpoints are stored in the stack's [backend][backends], under the `.pulumi/stacks/{project.name}` folder.
### Configuration
### Configurations
TODO
## Backend
## Backends
Refer to [state] for more and updated information.
Refer [State][pulumi state] for more and updated information.
> Pulumi is designed to use only a single backend at a time.
@@ -760,7 +762,7 @@ The Pulumi Cloud backend records every checkpoint to allow to recover from exoti
Self-managed backends may have more trouble recovering from these situations, as they typically store a single state
file instead.
Backends store the states of one or more [stacks][stack], divided by [project].
Backends store the states of one or more [stacks], divided by [project][projects].
Everything **but** the credentials for the backend (`~/.pulumi/credentials.json`) is stored in the backend's root
directory, under the `.pulumi` folder:
@@ -881,9 +883,9 @@ backend:
cat 'Pulumi.mario.yaml'
```
## Compose resources
## Composing resources
FIXME: should this be under [Program]?
FIXME: should this be under [Programs]?
Refer [Component resources] and [Create a ComponentResource].
@@ -1166,9 +1168,9 @@ serviceRole.assumeRole.iamPolicy.name.apply(policyName => console.log(policyName
</details>
## Import resources
## Importing resources
FIXME: should this be under [Program] or [Stack]?
FIXME: should this be under [Programs] or [Stacks]?
Existing resources can be imported in Pulumi's states for Pulumi to manage.
@@ -1347,6 +1349,35 @@ $ pulumi preview
</details>
## Pulumi Cloud
### ESC
Environments, Secrets, and Configuration.
Integrates with most popular secrets stores to pull and synchronize secrets and configuration data.
Refer [Pulumi ESC][pulumi esc docs] for more and updated information.
> [!important]
> ESC is currently provided **exclusively** as part of Pulumi Cloud. One **will** need to create a Pulumi account to be
> able to use it.
### IDP
Internal Developer Platform.
Allows defining building blocks using [components][composing resources] and templates, enabling developers to provision
infrastructure resources in the way that best suits them.<br/>
Developers can write Pulumi programs in their preferred programming language, scaffold components using low-code YAML
templates, or deploy no-code programs from the Pulumi console.
Refer [Pulumi IDP][pulumi idp docs] for more and updated information.
> [!important]
> IDP is currently provided **exclusively** as part of the Enterprise tier of Pulumi Cloud. One **will** need to create
> a Pulumi account to be able to use it.
## Troubleshooting
### A project with the same name already exists
@@ -1484,8 +1515,6 @@ Solution: Read [secrets], and fix the configuration by providing a correct key i
### Sources
- [Documentation]
- [Stacks]
- [State]
- [Assigning tags by default on AWS with Pulumi]
- [Organizing Pulumi projects & stacks]
- [Aligning Projects between Service and Self-Managed Backends]
@@ -1508,16 +1537,18 @@ Solution: Read [secrets], and fix the configuration by providing a correct key i
-->
<!-- In-article sections -->
[backend]: #backend
[configuration]: #configuration
[enforce specific backends for projects]: #enforce-specific-backends-for-projects
[monolith vs micro-stack]: #monolith-vs-micro-stack
[program]: #program
[project]: #project
[stack]: #stack
[Backends]: #backends
[Configurations]: #configurations
[Enforce specific backends for projects]: #enforce-specific-backends-for-projects
[Monolith vs micro-stack]: #monolith-vs-micro-stack
[Programs]: #programs
[Projects]: #projects
[Stacks]: #stacks
[States]: #states
[Composing resources]: #composing-resources
<!-- Knowledge base -->
[terraform]: terraform.md
[Terraform]: terraform.md
<!-- Files -->
<!-- Upstream -->
@@ -1535,21 +1566,23 @@ Solution: Read [secrets], and fix the configuration by providing a correct key i
[ignorechanges]: https://www.pulumi.com/docs/concepts/options/ignorechanges/
[importing resources]: https://www.pulumi.com/docs/iac/adopting-pulumi/import/
[organizing pulumi projects & stacks]: https://www.pulumi.com/docs/using-pulumi/organizing-projects-stacks/
[projects]: https://www.pulumi.com/docs/concepts/projects/
[property paths]: https://www.pulumi.com/docs/iac/concepts/miscellaneous/property-paths/
[pulumi config set-all]: https://www.pulumi.com/docs/cli/commands/pulumi_config_set-all/
[pulumi crosswalk for aws]: https://www.pulumi.com/docs/iac/clouds/aws/guides/
[pulumi esc docs]: https://www.pulumi.com/docs/esc/
[pulumi idp docs]: https://www.pulumi.com/docs/idp/
[pulumi import]: https://www.pulumi.com/docs/iac/cli/commands/pulumi_import/
[pulumi new]: https://www.pulumi.com/docs/cli/commands/pulumi_new/
[pulumi preview]: https://www.pulumi.com/docs/iac/cli/commands/pulumi_preview/
[pulumi projects]: https://www.pulumi.com/docs/concepts/projects/
[pulumi stack]: https://www.pulumi.com/docs/concepts/stack/
[pulumi state]: https://www.pulumi.com/docs/concepts/state/
[pulumi troubleshooting]: https://www.pulumi.com/docs/support/troubleshooting/
[pulumi up --plan without error message (exit code 255)]: https://github.com/pulumi/pulumi/issues/11303#issuecomment-1311365793
[pulumi-aws/issues/1366]: https://github.com/pulumi/pulumi-aws/issues/1366
[resources reference]: https://www.pulumi.com/resources
[secrets]: https://www.pulumi.com/docs/concepts/secrets/
[stack references]: https://www.pulumi.com/docs/concepts/stack/#stackreferences
[stacks]: https://www.pulumi.com/docs/concepts/stack/
[state]: https://www.pulumi.com/docs/concepts/state/
[update plans]: https://www.pulumi.com/docs/concepts/update-plans/
[website]: https://www.pulumi.com/
[workshops]: https://github.com/pulumi/workshops

76
knowledge base/secrets management.md Normal file
View File

@@ -0,0 +1,76 @@
# Secrets management
1. [TL;DR](#tldr)
1. [The problem at hand](#the-problem-at-hand)
1. [Further readings](#further-readings)
1. [Sources](#sources)
## TL;DR
_Vaults_ and _secrets managers_ are centralized solution that manage secrets.<br/>
Examples: [HashiCorp Vault], [OpenBao], [Bitwarden Secrets Manager], [1Password Secrets Automation], [CyberArk Conjur],
[Akeyless].
_Secrets orchestration platforms_ offer a transparent access point for users while being a vault itself and/or syncing
secrets between multiple other vaults and secrets managers.<br/>
Examples: [Doppler], [Infisical], [Pulumi ESC].
Solutions should be easy to use and get **out** of their users' way, so that they can be more easily adopted.
## The problem at hand
Secrets are usually bad managed in local development environments.<br/>
The process of grabbing all required secrets on local machines is often manual, cumbersome, and prone to errors.<br/>
This causes the onboarding process to slow down, and encourages developers to follow insecure practices when sharing
secrets.
Saving secrets in (possibly encrypted) git-tracked files (e.g. `.env`) still lacks the level of syncing teams might
require.<br/>
Even if notified, developers don't usually pull the updated files nor make all the required adjustments immediately,
likely being then forced to lose time debugging issues due to deprecated or changed data.
Even with a working synchronization process, it's common for developers to accidentally leak secrets as part of
commits.<br/>
As soon as a secret is part of the git history, it becomes a security issue and it is hard to get it removed
properly.<br/>
Though git hooks exist, it is likely for them to be misconfigured or simply skipped (`git commit --no-verify`).
Having a centralized solution to manage secrets can come to the rescue, as long as it is adopted profusely.<br/>
The only way this can happen is if that solution is easy to use and manage, and get **out** of the way of
developers.<br/>
_Vaults_ and _secrets managers_ usually do a good job for this.
Tools might also integrate with or support only one or a small set of solutions, limiting the choice of platforms.<br/>
It would be good to have a way to sync secrets between multiple platforms. Even better, to use a single access point to
abstract the sync process and make it transparent.<br/>
This is what _secrets orchestration platforms_ try to solve.
## Further readings
- [HashiCorp Vault]
- [Infisical]
### Sources
- [Secrets Management Tools: The Complete 2025 Guide]
<!--
Reference
═╬═Time══
-->
<!-- In-article sections -->
<!-- Knowledge base -->
[HashiCorp Vault]: hashicorp%20vault.md
[Infisical]: infisical.md
[Pulumi ESC]: pulumi.md#esc
<!-- Files -->
<!-- Others -->
[1Password Secrets Automation]: https://1password.com/developers/secrets-management
[Akeyless]: https://www.akeyless.io/
[Bitwarden secrets manager]: https://bitwarden.com/products/secrets-manager/
[CyberArk Conjur]: https://www.conjur.org/
[Doppler]: https://www.doppler.com/
[OpenBao]: https://openbao.org/
[Secrets Management Tools: The Complete 2025 Guide]: https://www.pulumi.com/blog/secrets-management-tools-guide/