Can secrets be updated only once when shared between services? about chamber HOT 3 CLOSED

@jleclanche I personally think we will eventually need an abstraction layer on top of parameter store to manage where keys go in the parameter store and which keys services have access to. We have about 600 items in our production account's parameter store and this is a problem I've heard from the GCP folks too.

The way I see it. The easiest way to share keys is by giving more access to services using IAM. Creating a shared "bucket".

$ chamber write c api_key abcdef1234

And give each service access to this shared bucket. Then you can your program like this.

$ chamber exec a c -- run

This has the downside that there can be a lot of connections and it can be difficult to grok.

from chamber.

Interesting approach! I hear you on scaling the management of it; it doesn't help that stuff can't be deleted :) (#20)

I quite like the idea of having chamber be responsible for allowing services access to other secrets, though. If you have to give access to multiple services like this, your deployment ends up looking like chamber exec cloudflare stripe paypal sentry loggly rds redshift -- run, it's a bit of a mess...

By the way, I'd be curious to hear whether you guys considered Credstash, which predates Chamber by quite a bit. It uses DynamoDB however; I'm not sure why chamber is the only one to use SSM Parameter Store though, I feel like I'm missing something about potential drawbacks to using it.

from chamber.

@jleclanche I'm like, 99.99% sure that parameter store is just AWS implementing credstash under the hood as an API.

from chamber.