Comments (4)
Hello @DanyC97. The simple explanation is that I wrote credstash before hashicorp released vault :) I wrote the first super-hacky version in December 2014, right after AWS launched KMS and I wanted a simple utility that would use KMS to manage secrets used in shell scripts and bits of our CI/CD system. We used credstash internally (at Fugue) for several months before we Apache2'd it. A few days after we opened up credstash (https://blog.fugue.co/2015-04-21-aws-kms-secrets.html), hashicorp launched vault.
Vault is really neat and they do some cool things (dynamic secret generation, key-splitting to protect master keys, etc.), but there are still some reasons why you might pick credstash over vault:
- Nothing to run. If you want to run vault, you need to run the secret storage backend (Consul or some other datastore), you need to run the vault server itself, etc. With credstash, there's nothing to run; all of the data and key storage is handled by AWS services.
- Lower cost for a small number of secrets. If you just need to store a small handful of secrets, you can easily fit the credstash DDB table in the free tier, and pay ~$1 per month for KMS. So you get good secret management for about a buck a month.
- Simple operations. Similar to "nothing to run", you don't need to worry about getting a quorum of admins together to unseal your master keys, don't need to worry about monitoring, runbooks for when the secret service goes down, etc. It does expose you to the risk of AWS outages, but if you're running on AWS, you have that anyway.
That said, if you want to do master key splitting, are not running on AWS, care about things like dynamic secret generation, have a trust boundary that's smaller than an instance, or want to use something other than AWS creds for AuthN/AuthZ, then vault may be a better choice for you.
Hope that answers your question!
I'm going to close this, but feel free to re-open it if you have other questions
@alex-luminal much thanks!!
It makes perfect sense what you wrote, and I can see it being an easy fit for using it instead of data bags with Chef.
Keep up the good work and don't give up on improving it. I'll try to integrate it with Saltstack and will let you know once it's ready.
Best,
Dani
No infrastructure to speak of; no servers to maintain, patch, or monitor.
DynamoDB + KMS, with IAM roles for auth = simplicity, availability = winning