bluemsi/2nd
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
bd16bf51763d5d7baede8bd186616bbcd57f4010
2nd/10_Wiki/Topics/DevOps_and_Security/Secret_Management.md
T
Antigravity Agent 504fd5fb42 [G1-Sync] Manual knowledge update
2026-05-10 22:08:15 +09:00

5.6 KiB
Raw Blame History

id, title, category, status, canonical_id, aliases, duplicate_of, source_trust_level, confidence_score, verification_status, tags, raw_sources, last_reinforced, github_commit, tech_stack
id title category status canonical_id aliases duplicate_of source_trust_level confidence_score verification_status tags raw_sources last_reinforced github_commit tech_stack
wiki-2026-0508-secret-management Secret Management 10_Wiki/Topics verified self
Secrets Management
Credential Management
Vault
none A 0.95 applied
security
devsecops
credentials
kms
2026-05-10 pending
language framework
multi vault-aws-kms

Secret Management

매 한 줄

"매 secret 은 매 git 에 절대 — 매 vault 에". Secret management 는 매 API key, DB password, certificate, signing key 의 매 lifecycle (issue, store, rotate, revoke, audit) 의 매 centralized control. 2026 현재 매 HashiCorp Vault, AWS Secrets Manager, GCP Secret Manager, Doppler, Infisical 가 매 dominant; 매 SPIFFE/SPIRE workload identity, 매 short-lived (15min) tokens 가 매 long-lived API key 를 매 replace.

매 핵심

매 Anti-secrets

  • Hardcoded in source.
  • Plain in .env committed.
  • Shared via Slack DM.
  • Long-lived (years) static API keys.

매 Pillars

  • Encryption at rest: KMS-backed.
  • Encryption in transit: TLS-only.
  • Access control: RBAC + audit log.
  • Rotation: automated (DB pwd, KMS key).
  • Workload identity: 매 service ≠ user — 매 ephemeral token 의 매 cloud IAM.
  • Detection: 매 git pre-commit (gitleaks, trufflehog) + 매 GitHub secret scanning.

매 응용

  1. App → DB: dynamic creds.
  2. CI → cloud: OIDC federation, no static keys.
  3. K8s pod → AWS: IRSA / Workload Identity.
  4. Cross-service: SPIFFE SVID.

💻 패턴

Vault dynamic DB cred

vault write database/roles/app-readonly \
  db_name=postgres-prod \
  creation_statements="CREATE ROLE \"{{name}}\" WITH LOGIN PASSWORD '{{password}}' VALID UNTIL '{{expiration}}'; GRANT SELECT ON ALL TABLES IN SCHEMA public TO \"{{name}}\";" \
  default_ttl=1h max_ttl=24h

# App requests cred
vault read database/creds/app-readonly
# username: v-token-app-readonly-x9a..., password: A1b2C3..., lease_id: ..., lease_duration: 3600

GitHub Actions OIDC → AWS (no static keys)

permissions:
  id-token: write
  contents: read
jobs:
  deploy:
    runs-on: ubuntu-latest
    steps:
      - uses: aws-actions/configure-aws-credentials@v4
        with:
          role-to-assume: arn:aws:iam::123:role/github-deploy
          aws-region: us-east-1
      - run: aws s3 sync ./build s3://prod-bucket/

Pre-commit secret scan

# .pre-commit-config.yaml
repos:
  - repo: https://github.com/gitleaks/gitleaks
    rev: v8.18.0
    hooks:
      - id: gitleaks

App-side fetch with caching

import { SecretsManagerClient, GetSecretValueCommand } from "@aws-sdk/client-secrets-manager";
const sm = new SecretsManagerClient({});
const cache = new Map<string, { value: any; expires: number }>();

async function getSecret(name: string): Promise<any> {
  const cached = cache.get(name);
  if (cached && cached.expires > Date.now()) return cached.value;
  const res = await sm.send(new GetSecretValueCommand({ SecretId: name }));
  const value = JSON.parse(res.SecretString!);
  cache.set(name, { value, expires: Date.now() + 5 * 60_000 });
  return value;
}

K8s External Secrets Operator

apiVersion: external-secrets.io/v1beta1
kind: ExternalSecret
metadata: { name: db-creds }
spec:
  refreshInterval: 1h
  secretStoreRef: { name: vault-backend, kind: ClusterSecretStore }
  target: { name: db-creds }
  data:
    - secretKey: password
      remoteRef: { key: database/creds/app, property: password }

Rotation Lambda

export async function rotateApiKey(event) {
  const step = event.Step;
  if (step === "createSecret") {
    const newKey = await crypto.randomUUID();
    await sm.putSecretValue({ SecretId: event.SecretId, ClientRequestToken: event.ClientRequestToken, SecretString: newKey, VersionStages: ["AWSPENDING"] });
  } else if (step === "setSecret") { /* configure target */ }
  else if (step === "testSecret") { /* test */ }
  else if (step === "finishSecret") {
    await sm.updateSecretVersionStage({ SecretId: event.SecretId, VersionStage: "AWSCURRENT", MoveToVersionId: event.ClientRequestToken });
  }
}

매 결정 기준

상황 Tool
매 multi-cloud, 매 self-host HashiCorp Vault
매 AWS-only Secrets Manager + Parameter Store
매 dev-friendly UX Doppler / Infisical
매 K8s External Secrets Operator + cloud KMS
매 workload-to-workload SPIFFE/SPIRE

기본값: Cloud-native (Secrets Manager) + OIDC for CI + ESO for K8s.

🔗 Graph

🤖 LLM 활용

언제: Secret-scanner triage (매 actual secret vs 매 test fixture?), rotation runbook generation, IAM policy synthesis from natural-language requirement. 언제 X: 매 secret 자체를 매 LLM context 에 매 넣지 마. 매 leak risk.

안티패턴

  • .env in git: 매 even private repo — 매 contributor leak.
  • Long-lived keys: 매 5-year IAM access key — 매 incident blast-radius huge.
  • Shared service account: 매 audit trail 의 매 useless.
  • Plain ENV var visible to all containers: 매 sidecar / multi-tenant — 매 leak.

🧪 검증 / 중복

  • Verified (NIST SP 800-57, OWASP ASVS V6, CIS Benchmarks).
  • 신뢰도 A.

🕓 Changelog

날짜 변경
2026-05-08 Phase 1
2026-05-10 Manual cleanup — OIDC federation + workload identity 2026
Reference in New Issue View Git Blame Copy Permalink