Cloud Posse
Guidance on Secret Management #83
-
|
Hi, I am trying to use a secret in terraform stack yaml, but not able to determine what's the best way to handle it. Here is what I have been trying:
Not sure what I am missing but couldn't find much in the docs. |
Beta Was this translation helpful? Give feedback.
Replies: 3 comments 3 replies
-
|
We recommend 1. Storing secrets for Terraform in AWS SSM Parameter Store as SecureString (with KMS) is secure, auditable, and works well across accounts if you need to share secrets.
Plus, we have a bit more on the decision designs for storing and placing secrets for Terraform here: |
Beta Was this translation helpful? Give feedback.
-
|
More on this topic here as well: https://github.com/orgs/cloudposse/discussions/73 |
Beta Was this translation helpful? Give feedback.
-
|
Thanks for the response. |
Beta Was this translation helpful? Give feedback.
-
|
We typically access SSM within Terraform and define where to find the parameter (path and account) with variables. Therefore you can set a common path and account (or For example, here's a component for a grafana dashboard where pull the API key from SSM: |
Beta Was this translation helpful? Give feedback.
-
|
Here's another more advanced usage with a provider pulling the secret from another account: |
Beta Was this translation helpful? Give feedback.
-
|
this makes sense, thank you! |
Beta Was this translation helpful? Give feedback.
We recommend 1. Storing secrets for Terraform in AWS SSM Parameter Store as SecureString (with KMS) is secure, auditable, and works well across accounts if you need to share secrets.
!storeon the other hand isn't intended for sensitive values. Values would be exposed to logs and could be compromised as a result.Plus, we have a bit more on the decision designs for storing and placing secrets for Terraform here: