We have one file in the repo called secrets.json. For Brigade secret purposes, the whole file is forwarded as a secret to the Brigade project. The worker gets the AWS details, so using KMS it is able to decrypt the file via sops.
- within nix-shell, run: sops secrets.json
- will provide an extra script for it later (#TODO)
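As an added example (not part of these notes), a check that refuses to commit or forward a secrets.json unless every value is actually sops-encrypted and the file carries a KMS key wrapper the worker can use; the sample file contents and the ARN are constructed placeholders.

```python
import json
import re

# sops stores every encrypted leaf as a string of this shape; "type" records
# the original JSON type so sops can restore it on decrypt.
ENC_RE = re.compile(r"^ENC\[AES256_GCM,data:[^,]+,iv:[^,]+,tag:[^,]+,type:\w+\]$")

def plaintext_leaves(node, path=""):
    """JSON paths of leaves that are NOT in sops ENC[...] form.

    The top-level "sops" block (wrapped data key, MAC) is plaintext metadata
    by design, so it is skipped."""
    found = []
    if isinstance(node, dict):
        for key, value in node.items():
            if path == "" and key == "sops":
                continue
            found.extend(plaintext_leaves(value, f"{path}/{key}"))
    elif isinstance(node, list):
        for i, value in enumerate(node):
            found.extend(plaintext_leaves(value, f"{path}[{i}]"))
    elif not (isinstance(node, str) and ENC_RE.match(node)):
        found.append(path)
    return found

def kms_arns(doc):
    """ARNs of the KMS keys wrapping the data key; empty means KMS cannot decrypt it."""
    return [e.get("arn", "") for e in doc.get("sops", {}).get("kms", [])]

def check_secrets_file(text):
    """Return (ok, problems) for a secrets.json about to be committed or forwarded."""
    doc = json.loads(text)
    problems = [f"plaintext value at {p}" for p in plaintext_leaves(doc)]
    if not any(kms_arns(doc)):
        problems.append("no sops.kms entry: the worker cannot unwrap the data key")
    return (not problems, problems)

# Constructed samples (not real secrets); the ARN is a placeholder.
ENC = "ENC[AES256_GCM,data:c2VjcmV0,iv:aXY=,tag:dGFn,type:str]"
ENCRYPTED_SAMPLE = json.dumps({
    "docker": {"user": ENC, "password": ENC},
    "sops": {"kms": [{"arn": "arn:aws:kms:REGION:ACCOUNT:key/PLACEHOLDER",
                      "enc": "..."}], "mac": ENC},
})
PLAINTEXT_SAMPLE = json.dumps({"docker": {"user": "bob", "password": "hunter2"}})

if __name__ == "__main__":
    for name, sample in (("encrypted", ENCRYPTED_SAMPLE), ("plaintext", PLAINTEXT_SAMPLE)):
        ok, problems = check_secrets_file(sample)
        print(name, "OK" if ok else "REJECT", problems)
```

Running it as a pre-commit hook on secrets.json catches the common mistake of committing the file after a sops -d, before it has been re-encrypted.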
As Docker credentials files are rubbish, there is a secrets integration with sops. It allows integration with all cloud providers. I believe (at least for now) that keeping the master password in a cloud provider is the way to go. Another way would be to go with gpg, but I don't want to expect everyone to install it just to get started.
- for AWS
- https://opensource.com/article/19/2/secrets-management-tools-git
- https://www.reddit.com/r/devops/comments/644fnr/am_i_misunderstanding_sops_here/
- https://github.com/StackExchange/blackbox
- https://github.com/AGWA/git-crypt
- but ... cases like rotation / when someone is leaving might be trickier
- you are sharing just a reference, and you have to have an account added to this reference, so if your credentials do not leak then it should be fine - need to read more.