Categories

JavaScriptPHPHTMLCssPythonWordPressWeb developmentLinuxMySQLAndroidWindowsJavaC++ / C#LayoutReactUbuntuYiiDjangoProgramming1C-BitrixLaravelSystem administrationTelegramJSONDebianPostgreSQLIOSGoogleHtaccessWindows ServerGitMacOSGoogle ChromeCMSWooСommerceBootstrapNginxSQLUnityAPI
Make a leaderReport
S
S
Sergey Sokolov2016-02-12 18:52:45
git
Sergey Sokolov, 2016-02-12 18:52:45

Where and how best to store confidential data for project deployment?

The project code is stored in a private git repo. Keys and passwords from third-party services with which the project interacts (AWS, Robokassa, Paypal, Stripe) are outside the repo - so far on my local laptop in 1Password, for example. In the project, all private data ends up in environment variables, and scripts take it from there. For Laravel, this is either through creating .env.php at the root of the project, or through the web server configs or settings when starting the docker container.
During deployment, SSH keys and keys from DigitalOcean are also required.
Tasks now:

  1. With zero manual intervention deploy new servers with the project
  2. Attract third-party developers to whom production keys should not be shown. There is a separate set of keys for development/testing.
Question: how and where is it better to store and update the keys, and how to pull them out when deploying the project, without giving third-party developers access to them? Ie, apparently, there should be one authorization point - for example, when running a script that opens access to a certain repository with keys and deploys a new server with a project. You want to keep the keys themselves separately from the deployment scripts.

Reply
Answer the question

Answer the question

In order to leave comments, you need to log in

3 answer(s)
Report
S
skrimafonolog, 2019-09-29
@sergiks

Hashicorp Vault
or Ansible Vault
Despite the coincidence of names, these are fundamentally different things.

Report
R
redakoc, 2016-02-13
@redakoc

Divide / separate / clearly limit powers.
A small service that manages the key, for example, and the rest do not have access to keys, but only access this service. And he only allows them to do what they can.
Or see an example of how CloudFlare KeyLess works.

Report
S
sim3x, 2016-02-12
@sim3x

environment variables

$ cat .env
varname1=123
varname2=234

#!/bin/bash

echo Vars import to env
export $(cat .env | xargs)

www.stackoverflow.com/a/20909045

Similar questions
A
Artur Karapetyan2020-12-22 13:11:08
Correct permission of conficts during PR merge? 1Reply
W
WebDeveloper20162016-11-13 14:00:30
Why is smartgit hanging? 1Reply
I
Igor Uvarov2014-11-17 20:24:12
How to cut commits from one branch to another? 2Reply
A
Anastasia Dementieva2016-11-15 20:18:46
How to make a new one from an existing repository? 1Reply
B
be9st2020-12-26 23:06:44
Why is the code strangely formatted when pushing to github? 0Reply

Didn't find what you were looking for?

Ask your question

Ask a Question

731 491 924 answers to any question