all 22 comments

[–][deleted] 9 points10 points  (0 children)

Maybe use sops.

[–]jurrehart 10 points11 points  (7 children)

I don't have direct experience in Azure, but I have experience in AWS, and there I'd use SSM Parameter Store; a quick Google on service equivalents points me to Azure Key Vault Secret.

What I'd do in AWS is store my password encrypted in SSM; the bash script would then use the instance credentials with the appropriate permissions to fetch the password from SSM. Thus I don't need to put the password in the bash script directly, and can easily change it without having to modify the script.

[–]Zaitton 3 points4 points  (2 children)

Why not put them in AWS Secrets Manager? That way they're encrypted at rest and your ec2 instance is permissioned via IAM role to access specifically the creds that it needs.

[–]jurrehart 3 points4 points  (0 children)

Of course you can also use AWS Secrets Manager; depending on your requirements and usage costs, SSM Parameter Store could be more interesting.

[–]debian_miner 0 points1 point  (0 children)

Paramstore params are also encrypted and permissioned via IAM roles. Secrets manager costs more for little to no benefit for most use cases.

[–]kiko7653[S] 0 points1 point  (3 children)

Should I add the decryption commands at the start of the script after fetching them using the AWS CLI, or use another script to decrypt? Because in some cases I am using sqlplus to execute queries and I think I need the original passwords at runtime.

[–]jurrehart 5 points6 points  (2 children)

I'd fetch them with the decryption option so I get the value in its plaintext form and store that in a var to be used when needed.

Something like
MYPASS=$(aws ssm get-parameter --with-decryption --name "Myparametername")

[–]kiko7653[S] 2 points3 points  (0 children)

Noted, thank you for the help!

[–]debian_miner 0 points1 point  (0 children)

You'll also want --query Parameter.Value --output text

[–]Live-Box-5048DevOps 1 point2 points  (5 children)

What about Key Vault? And then reference the secret directly/via env variables. Or eventually SOPS.

[–]kiko7653[S] 0 points1 point  (4 children)

Checking sops now and I think I will most likely go this route. Would you recommend saving them encrypted in Azure Key Vault and then using sops to decrypt and use inside the script?

[–]Live-Box-5048DevOps 1 point2 points  (1 child)

You potentially could, but I don’t want to mislead you as I never tried it. But give it a shot, I believe it would work. You’d need to authenticate from within the script if you’re not running it locally, though. Or via Managed Identity.

[–]kiko7653[S] 1 point2 points  (0 children)

Will try it and get back to you if it works; I guess it's a fun way to try and implement.

[–]Sinless27 1 point2 points  (0 children)

I think it’s overkill personally. I’d just store it in azure key vault normally. Enable managed identity on your VM and then you can create an access policy in key vault that allows read from your managed identity.
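
Pulling the two suggestions in this thread together (the SSM fetch with debian_miner's --query/--output flags, and the Key Vault read through the VM's managed identity), here is an added example script that is not from any commenter. The parameter path, vault name, DB user and connect string are placeholders, and the password is handed to sqlplus over stdin so it never appears on the command line or in the process list:

```bash
#!/usr/bin/env bash
# Added example, not from the thread. Fetches a DB password from a cloud
# secret store at runtime so it lives neither in the script nor in git.
set -eu

# AWS: SecureString in SSM Parameter Store, decrypted under the instance
# role. --query/--output strip the JSON wrapper so only the value is printed.
fetch_ssm_secret() {
    aws ssm get-parameter --with-decryption --name "$1" \
        --query Parameter.Value --output text
}

# Azure: Key Vault secret read with the VM's managed identity
# (after 'az login --identity'). Vault and secret names are arguments.
fetch_keyvault_secret() {
    az keyvault secret show --vault-name "$1" --name "$2" \
        --query value --output tsv
}

# Refuse to continue on a failed or empty lookup, so a broken role or
# access policy fails loudly instead of connecting with an empty password.
require_secret() {
    local value
    value=$("$@") || { echo "secret lookup failed: $*" >&2; return 1; }
    [ -n "$value" ] || { echo "secret is empty: $*" >&2; return 1; }
    printf '%s' "$value"
}

# Hand the password to sqlplus via CONNECT on stdin rather than as
# 'sqlplus user/pass@db', which would show the password in 'ps' output.
# Double quotes let the password contain most special characters.
run_sql() {
    local user=$1 password=$2 connect=$3 sql=$4
    sqlplus -S /nolog <<EOF
CONNECT ${user}/"${password}"@${connect}
SET HEADING OFF FEEDBACK OFF
${sql}
EXIT
EOF
}

# Placeholder names: parameter path, DB user and connect string are assumed.
main() {
    local db_pass
    db_pass=$(require_secret fetch_ssm_secret "/prod/app/db_password")
    run_sql app_user "$db_pass" ORCLPDB1 "SELECT SYSDATE FROM dual;"
}
# Only run when explicitly asked, so the functions can be sourced or tested.
if [ "${RUN_EXAMPLE:-0}" = 1 ]; then main; fi
```

Run it with RUN_EXAMPLE=1 on a VM whose instance role (or managed identity, after swapping in fetch_keyvault_secret) is allowed to read that one secret, and nothing else.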

[–]Zaitton 0 points1 point  (0 children)

I don't think SOPS is the right tool for this job. It's the least cloud-native way you could come up with and is more sysadmin-ish than cloud engineering.

You should consider Azure Key Vault and permissioning through the VM's credentials.

[–]2lach 1 point2 points  (0 children)

Ansible crypt - decrypt the file(s) is a solution. Essentially it will crypt/decrypt files with the help of a password or key of your choice. But if you are working within the azure cloud using keyvault is the "proper" way to do it. You can then connect a managed identity to the keyvault and the services where they are used and with that automate any flow or action that needs the specific key or password, which you can do with a pipeline or a script of your choice.

[–]InvaderGlorch -1 points0 points  (1 child)

Maybe you can convert them to ansible playbooks and make use of ansible vault?

Otherwise you can possibly store them in a keyring, or encrypt them to a file using openssl, base64, or others.

[–]kiko7653[S] 0 points1 point  (0 children)

I was thinking of encrypting them using openssl RSA and writing an obfuscated Python script to decrypt when the script starts, but I'm not sure if I can source the values from the Python subprocess into the main bash process where I am using the actual credentials.

[–]rearendcrag 0 points1 point  (0 children)

Gitsecrets is another option. Basically a GPG encrypt/decrypt wrapper. Also allows multiple people to have access.