TL;DR An issue I've rarely seen addressed is storing of secrets/credentials across devices/teams.
Context:
There are countless questions and solutions storing credentials, API keys, secrets, etc for devices or backend servers using secure storage mechanisms or as environment variables.
Below are a few solutions specifically designed for deployed systems/apps, store on a device or credentials for a server.
- Process env.
- Device Secure Storage
- Hashicorp (paid solution)
- AWS Secret manager for AWS projects
- Firebase Secret manager, pay per read
All of these are specific towards an active implementation or to a deployed device/server but non provide access to developer(s) e.g. running local emulator with e.g. Stripe webhook integration.
2 scenarios to illustrate my point and emphasize the problem:
- Scenario 1:
An on-the-move freelance developer working on a backend / mobile app project. Primary workstation is a Windows PC, but frequently uses Macbook for travel and work.
Here, an issue with credentials would be: do one store this in VCS, e.g. Github? Surely, that would be easiest but it is not recommended to do this for several security reasons. Alternative is to copy, electronically or physically to 'new' device.
- Scenario 2
A team of 3 are working on a project. Each works on their own use-cases. 2 require credentials for an online service. Credentials are shared physically or electronically. During development, credentials are changed (for whatever reason) and needs to be distributed to team members to finish.
Same issue, does one commit these credentials to VCS or share them electronically/physically.
Question
What are common/best practises sharing api keys/credentials/auth tokens across teams/devices?
The only possible solution I found addressing these needs is using git-secret