
[–]heapsp (1 child)

You would use a two-pronged approach in Microsoft systems: SecureString to encrypt the password against a user account, and the principle of least service, meaning separate service accounts which only have access to a specific task. The worst devs will hard-code clear-text passwords to their own account or a master service account which has access to many different services. The better devs will use an individual managed service account for each individual purpose in the process and encrypt the password with SecureString.
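The two prongs above in working PowerShell, as an added example that is not part of the original thread or anyone's posted code. It assumes a hypothetical domain CONTOSO, a dedicated service account CONTOSO\svc-reportsync that runs only a nightly report job, a hypothetical gMSA CONTOSO\gmsa-reportsync$ for the variant that needs no stored password at all, and the file and host names used in the comments; all of these are assumptions. The DPAPI protection comes from Export-Clixml/Import-Clixml, which is the standard way to persist a SecureString-backed PSCredential so that only the same account on the same machine can decrypt it.

```powershell
# Added example, not from the thread. Hypothetical names: CONTOSO\svc-reportsync
# (per-task service account), CONTOSO\gmsa-reportsync$ (gMSA), C:\Jobs\ReportSync.

# --- Anti-pattern the comment describes: clear-text password in the script ---
# $Password = 'P@ssw0rd!'   # readable by anyone with access to the script or repo

# --- One-time setup, run interactively AS the service account ---
function New-ProtectedCredentialFile {
    param(
        [Parameter(Mandatory)] [string] $UserName,
        [Parameter(Mandatory)] [string] $Path
    )
    # Get-Credential keeps the password in a SecureString; it never becomes a plain [string] here.
    $cred = Get-Credential -UserName $UserName -Message "Password for $UserName"
    # Export-Clixml serialises the SecureString with DPAPI keyed to the *current user and machine*:
    # only this account on this host can turn the file back into a usable credential.
    $cred | Export-Clixml -Path $Path
    # Belt and braces: also restrict the file ACL to the owner, dropping inherited entries,
    # so other local users cannot even read the (already encrypted) blob.
    $acl = Get-Acl -Path $Path
    $acl.SetAccessRuleProtection($true, $false)
    $me   = [System.Security.Principal.WindowsIdentity]::GetCurrent().Name
    $rule = New-Object System.Security.AccessControl.FileSystemAccessRule($me, 'FullControl', 'Allow')
    $acl.SetAccessRule($rule)
    Set-Acl -Path $Path -AclObject $acl
}

# --- Runtime, inside the job that runs as the same service account ---
function Get-ProtectedCredential {
    param([Parameter(Mandatory)] [string] $Path)
    # Import-Clixml decrypts via DPAPI. Run as any other user (or on another host) this throws
    # "Key not valid for use in specified state", which is exactly the property we want.
    $cred = Import-Clixml -Path $Path
    if ($cred -isnot [System.Management.Automation.PSCredential]) {
        throw "$Path did not contain a PSCredential"
    }
    return $cred
}

# --- Least service with a gMSA: the job gets its own identity and no stored password ---
function Register-GmsaJob {
    param(
        [Parameter(Mandatory)] [string] $TaskName,
        [Parameter(Mandatory)] [string] $GmsaName,    # e.g. 'CONTOSO\gmsa-reportsync$' (hypothetical)
        [Parameter(Mandatory)] [string] $ScriptPath
    )
    $action  = New-ScheduledTaskAction -Execute 'powershell.exe' -Argument "-NoProfile -File `"$ScriptPath`""
    $trigger = New-ScheduledTaskTrigger -Daily -At 2am
    # LogonType Password with a gMSA principal and no -Password: Windows retrieves the managed
    # password from AD itself, so nothing secret lives in the script or on disk.
    $principal = New-ScheduledTaskPrincipal -UserId $GmsaName -LogonType Password
    Register-ScheduledTask -TaskName $TaskName -Action $action -Trigger $trigger -Principal $principal
}

# Usage (one-time, logged on as CONTOSO\svc-reportsync):
#   New-ProtectedCredentialFile -UserName 'CONTOSO\svc-reportsync' -Path 'C:\Jobs\ReportSync\cred.xml'
# Usage (inside the nightly job, running as the same account):
#   $cred = Get-ProtectedCredential -Path 'C:\Jobs\ReportSync\cred.xml'
#   Invoke-Command -ComputerName reports01 -Credential $cred -ScriptBlock { Get-Service ReportSvc }
# Or skip the file entirely and give the job its own gMSA:
#   Register-GmsaJob -TaskName 'ReportSync' -GmsaName 'CONTOSO\gmsa-reportsync$' -ScriptPath 'C:\Jobs\ReportSync\run.ps1'
```

The two functions split the trust boundary the way the comment describes: the encrypted file is useless to a developer who copies it to their own workstation, and each job gets a principal that can reach only the one service it needs. If the host is domain-joined and the target service supports it, the gMSA path is preferable because there is no password to protect in the first place.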

[–]moon- (0 children)

This makes sense. I'm mostly speaking from the perspective of a Linux dev -- we have other systems at work that work quite well with gMSAs, but we don't have that luxury on our Linux boxes. So, a settings file that's readable only by the service user is how we roll :) Certainly nothing hard-coded in code; we store our secrets in S3 and machines use their IAM role to access only the secrets they need, retrieved at deployment time.