felia/apps/secret-manager/README.md

# c4c-secrets

A dive into secret management for c4c web-app

# HashiCorp vault

- `docker-compose.yml` -> `docker-compose.hashicorp.yml`
  - Uses in-file store (maybe slow/unreliable!)
  - Can be migrated to AWS in the future

- Pretty good cli experience

- You could try my (@Pegasust) deployment at [pegasust.com/vault](https://pegasust.com/vault)
  - Log in with your GitHub account 
(this is done with personal access token [docs](https://www.vaultproject.io/docs/auth/github))
  - Make sure that you're in our change-for-change organization
  - And also is in web-dev GitHub team

## Installing the CLI

See here [hashicorp's official installtion guide](https://developer.hashicorp.com/vault/downloads)

- You could also access the secrets with the web UI. But to streamline the env
exchange process, we should use the CLI

## Login as user (CLI)

`export VAULT_ADDR='https://c4c.pegasust.com'`
`vault login -method=github`

## Vault onto `.env*`

```bash
vault kv get --format=json path/to/secret | jq -r '.data|to_entries|map("\(.key)=\(.value|tostring)")|.[]'
# Likely
vault kv get --format=json secret/c4c-web-app | jq -r '.data|to_entries|map("\(.key)=\(.value|tostring)")|.[]'
```

## Simple put-get-list

```bash
# put
vault kv put path/to/secret hello="world"
# get
vault kv get path/to/secret hello
# list
vault kv get path/to/secret
```

## `.env.*` onto Vault

- NOTE: This does not support syntax like `HELLO='WORLD'`. Everything must be
in the form of: `HELLO=WORLD`

```bash
vault kv put path/to/secret `cat .env`
# Likely
vault kv put secret/c4c-web-app `grep -v ^# .env`
```

## About the `cubbyhole` secret engine

- It is per-token (that means per-auth) secret storage
  - Can be used as secret manager
  - Don't count on my deployment to be 100\% reliable!
migrate to monorepo 2022-11-15 17:03:19 +00:00			`# c4c-secrets`

			`A dive into secret management for c4c web-app`

			`# HashiCorp vault`

			- `docker-compose.yml` -> `docker-compose.hashicorp.yml`
			`- Uses in-file store (maybe slow/unreliable!)`
			`- Can be migrated to AWS in the future`

			`- Pretty good cli experience`

			`- You could try my (@Pegasust) deployment at [pegasust.com/vault](https://pegasust.com/vault)`
			`- Log in with your GitHub account`
			`(this is done with personal access token [docs](https://www.vaultproject.io/docs/auth/github))`
			`- Make sure that you're in our change-for-change organization`
			`- And also is in web-dev GitHub team`

			`## Installing the CLI`

			`See here [hashicorp's official installtion guide](https://developer.hashicorp.com/vault/downloads)`

			`- You could also access the secrets with the web UI. But to streamline the env`
			`exchange process, we should use the CLI`

			`## Login as user (CLI)`

			`export VAULT_ADDR='https://c4c.pegasust.com'`
			`vault login -method=github`

			## Vault onto `.env*`

			```bash
			`vault kv get --format=json path/to/secret \| jq -r '.data\|to_entries\|map("\(.key)=\(.value\|tostring)")\|.[]'`
			`# Likely`
			`vault kv get --format=json secret/c4c-web-app \| jq -r '.data\|to_entries\|map("\(.key)=\(.value\|tostring)")\|.[]'`
			```

			`## Simple put-get-list`

			```bash
			`# put`
			`vault kv put path/to/secret hello="world"`
			`# get`
			`vault kv get path/to/secret hello`
			`# list`
			`vault kv get path/to/secret`
			```

			## `.env.*` onto Vault

			- NOTE: This does not support syntax like `HELLO='WORLD'`. Everything must be
			in the form of: `HELLO=WORLD`

			```bash
			vault kv put path/to/secret `cat .env`
			`# Likely`
			vault kv put secret/c4c-web-app `grep -v ^# .env`
			```

			## About the `cubbyhole` secret engine

			`- It is per-token (that means per-auth) secret storage`
			`- Can be used as secret manager`
			`- Don't count on my deployment to be 100\% reliable!`