We have several services deployed for various business functions using containers in a service-oriented architecture. Currently we have them being managed in Portainer. They are developed mainly in Spring Boot but there are several in Python as well. We use GitHub and GitHub actions to deploy them. We are using Azure.
These services share many configurations. For example, many of them connect to the same database.
They may also have secrets like API Keys and certificates that need to be stored.
What are the best practices or standards regarding configuration and secrets management? Some options I considered were Azure App Configurations, Spring Cloud Config, and Azure Key Vault.
I was thinking that Spring Cloud Config with a git backend would work but I wouldn't want to keep secrets in a github repository.
Based on your use of Spring Boot, Python, and containers, and considering your deployment methods with GitHub Actions on Azure, here are some recommended best practices:
Centralize Secrets Management: Implement a centralized secrets management system to reduce errors and simplify security management. A single, well-secured location for secrets is preferable over multiple storage points. This approach is beneficial for debugging, auditing, and maintaining a consistent security posture across the organization.
Use Dedicated Secrets Management Tools: Leverage tools like Azure Key Vault, HashiCorp Vault, or CyberArk Conjur. These are designed to securely store and manage secrets (like API keys, passwords, certificates) and offer features like access control, audit logs, and automatic secrets rotation.
Regular Rotation and Encryption of Secrets: Ensure that secrets are encrypted in transit and at rest. Regularly rotate these secrets to reduce risks associated with static information. Automated rotation features in tools like Azure Key Vault can be very helpful here.
Implement Access Control and Monitoring: Apply strict access controls, such as role-based access control, and monitor access patterns to detect unauthorized access attempts. This approach is crucial in maintaining a secure environment for your secrets.
Avoid Storing Secrets in Code Repositories: You are correct. Never store secrets in code repositories, even private ones. Instead, use environment variables or secret management tools to inject secrets at runtime.
In MS Azure Key vault you can achieve all these under one roof
You can create keys certificates and secretes and even set expiry date of your secrets.
Periodically update the secrets with newer version or maintain a backup.
You can control access to the vault and secrets according to your requirements.
References:
OWASP Secrets Management Cheat Sheet
CyberArk Developer's Guide to Secrets Management
Microsoft's Best Practices for Secrets Management in Azure Key Vault
HashiCorp's Best Practices for Secrets Management