This won’t take long. I’m still in the mood to rave. I’ve fallen in love with my new secret keeper: Biscuit + KMS. Biscuit is a multi-region HA key-value store for your AWS infrastructure secrets.
So I’m really a big fan of HashiCorp, and so are the rest of us at Full360. I’ve been using Packer and Vagrant for a couple of years now, and I just became dangerous with Consul last fall. Now I figured it’s time to learn Terraform and especially Vault. Except I don’t have as much time as I used to. Still, I’m relatively paranoid about security, and I don’t like hiding and unhiding volumes to grab pem files and whatnot. My parameterized setaws.sh, which exports the AWS access keys and secret keys of the customers I have access to into environment variables, is getting rather cumbersome. So yes, I should use something like Vault. But. Vault is cool and complicated, and I don’t want to use a little fleet of my machines to support it. I’m not going to be granting temporary access to IAM or other roles (though Biscuit does do grants); this is all about me maintaining some passwords and stuff for a dozen VPCs or so. I want to keep it simple.
So it turns out that Biscuit is just what I need, so far. It took me about 2 minutes to make my GOPATH actually make sense of that Go stuff I did and forgot about last year, then I followed the simple instructions on Biscuit’s GitHub. It took 2 minutes and 33 seconds to initialize the KMS keys in three regions, and then I was good to go. Easy as all get-out to get up and running.
The coolest thing about Biscuit is that the local file holding all the secrets my containers and repo’d code eventually need is something I can commit to a repo without worries. I presume that I can set up a role for any machine that would run Biscuit and that the redundant KMS keys handle the rest. So far so good. Do check it out.