|
1 |
| -# Serverless Secrets |
2 |
| -## MAKE SECRETS GREAT AGAIN |
| 1 | +# Serverless Secrets : MAKE SECRETS GREAT AGAIN |
3 | 2 |
|
4 |
| -*A no fuss way of getting secrets into your Serverless functions, compatible with credstash* |
| 3 | +*A no fuss way of getting secrets into your Serverless functions, compatible with [Credstash](https://github.com/fugue/credstash)* |
5 | 4 |
|
6 | 5 | # WARNING: STILL SUPER IN DEVELOPMENT, DON'T ACTUALLY USE THIS FOR PRODUCTION (Or look at the source code 😕)
|
7 | 6 |
|
8 | 7 | **Problem:** The Serverless project currently offers no good way of managing secrets. There is the `_meta` folder which is ignored from a git repo by default, but what if you are working in a team? You could put it in the repo, but "secrets" in a git repo is bad practice.
|
9 | 8 |
|
10 |
| -So, what if you could put `_meta` in a secure place and share it around the team? That's what Serverless S3 meta sync is for... but, then you still have secrets either floating around on developers machines, things could still be out of sync, you have to access control the files to proper machines in your pipeline... it's all not fun. |
| 9 | +So, what if you could put `_meta` in a secure place and share it around the team? That's what [Serverless meta sync](https://github.com/serverless/serverless-meta-sync) is for... but, then you still have secrets either floating around on developers machines, things could still be out of sync, you have to access control the files to proper machines in your pipeline... it's all not fun. |
11 | 10 |
|
12 |
| -**Solution:** The `_meta` folder is actually quite good at what it does, and in our humble opinion version controlling it in git is fine, if you had a way to still protect your secrets. So, that's why we built Severless Secrets. Use Credstash to put / version / manage your secrets, and use magic strings in your `_meta` folder. That's it. |
| 11 | +**Solution:** The `_meta` folder is actually quite good at what it does, and in our humble opinion version controlling it in git is fine, if you had a way to still protect your secrets. So, that's why we are building Severless Secrets. Use [Credstash](https://github.com/fugue/credstash) to put / version / manage your secrets, and use magic strings in your `_meta` folder. That's it. |
13 | 12 |
|
14 | 13 |
|
15 | 14 | # Setup
|
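Review bot: The added Solution paragraph (new line 11) still misspells the project name as "Severless Secrets"; since this commit is already touching that sentence, correct it to "Serverless Secrets". Two smaller points in the same hunk: the merged heading on new line 1 has a stray space before the colon ("Serverless Secrets : MAKE SECRETS GREAT AGAIN"), and new line 9 keeps "developers machines", which should read "developers' machines". The change from "we built" to "we are building" matches the in-development warning on line 5 and is fine as is.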
@@ -41,7 +40,7 @@ Configure the IAM policy for the lambda functions that will use encrypted secret
|
41 | 40 | }
|
42 | 41 | ```
|
43 | 42 |
|
44 |
| -Use the magic string in your `_meta`folder to denote an encrypted secret. Prefixing any variable with `secret::` tells the plugin to fetch and decrypt it. Postfixing a secret with `::{version}` tells it to fetch a version of the given number. (You could probably use alphanumberic too if you wanted.) |
| 43 | +Use the magic string in your `_meta`folder to denote an encrypted secret. Prefixing any variable with `secret::` tells the plugin to fetch and decrypt it. Postfixing a secret with `::{version}` tells it to fetch a version of the given number. (You could probably use alphanumeric too if you wanted.) |
45 | 44 | ```
|
46 | 45 | # _meta/variables/s-variables-common.json
|
47 | 46 | # _meta/variables/s-variables-stage.json
|
|
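Review bot: The added line 43 fixes "alphanumeric" but leaves "`_meta`folder" without a space after the closing backtick, so the sentence still reads as one run-together token. The parenthetical "(You could probably use alphanumeric too if you wanted.)" is also speculation in a passage that defines the `secret::` prefix and `::{version}` suffix syntax; either confirm which version formats the plugin accepts and state them, or drop the parenthetical. It would also help to say what is fetched when the `::{version}` suffix is omitted, since the text only describes the case where a version is given.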