I don't believe there are enough great materials or answers on this topic, so I'd like a clear answer.
What is the gold standard for hosting microservices with at least a mediocre degree of security when creating a Docker application that requires a cloud "service account credential" to perform most functions properly? (e.g. Gcloud SDK & service_account.json)
The common answers being:
- Mount a local volume: does not work well in the context of GitOps, since it will require the secret to be exposed during runs because a file will be created.
- OpenSSL encryption & decryption: I don't like the amount of manual work & the lack of cloud management of the key, such as KMS.
- KMS: I couldn't encrypt the service account key with KMS because I wouldn't be able to authenticate the service to retrieve the credentials in the first place.