Ask HN: Prevent Secrets from Committing to Repos

3 points by abhijais1 16 hours ago

Hey I have been working on a solution to prevent secrets from committing to VCS repos, so far have prevented 10+ AWS keys from accidentally being committed. Github has an offering but it's very costly for our team. Does anyone of you want to try out ?

scarface_74 7 hours ago

Why are AWS keys anywhere near your code in the first place?

For instance in Python, you initialize an object using

    boto3.client(“s3”)
When you use IAM identity center, you get temporary access keys which you assign to environment variables and the keys are automatically picked up.

Even if you use “aws configure” and have long lasting keys (don’t do that), your keys will be stored in your home directory, nowhere near your repository and still usable locally.

When running your code on AWS, whatever you are using to run it on will get permission from the IAM role attached to the Lambda, EC2, etc.

  • muzani 2 hours ago

    It tends to happen more on front end I think, especially since it's in the tutorial and many haven't been given the training on what to do better. Not really AWS, but even the trained ones will put it in a .local.properties file or something and then forget to add it to gitignore

    • SlightlyLeftPad 43 minutes ago

      You really just need to not forget to do that. Isn’t it that simple?

      A less snarky answer, and why AWS is largely a non issue these days is because the secrets were designed out of code And are effectively provided as an integral part of the infrastructure which includes regular and reliable expiration and rotation. So any chance you get, design secrets in this way.

      The only thing ever in code are references to the correct roles or secrets. Only ever references to the location of the secret. Get in the habit of this and the problem is drastically reduced and becomes something you don’t have to think about.