
Currently I'm diving into secret management in the development process. My idea is to use a secret management tool like Vault by HashiCorp to store all my secrets.

Here is my use case: a client created a Vimeo API key, which will be stored in Vault. I work in a small team and I would like to share this secret with my colleague. During development, they need to use this key, so they set this key as an environment variable. Later they will be fired (for example).

The problem is that I can revoke access to this key in Vault, but they still have the value of the Vimeo token because they used it during development.

How do you handle this?

jonrsharpe
noone
  • Create a proxy and have a `generateKey()` API. The proxy has its own token generation mechanism and returns a new token valid for `x` minutes. In dev mode, your application will always point to that proxy instead of Vimeo directly. So the proxy will be the only one with the original key? Devs need to generate a key like once per day/week? – Silvan Bregy Oct 18 '21 at 14:54
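
A sketch of the proxy idea from the comment above, added here as an example and not code from the thread: developers only ever hold a short-lived, per-developer token, and the proxy swaps it for the real key on the outbound request. The function names other than `generateKey()` (written `generate_key` here), the token format, the `Bearer` header and all key values are assumptions.

```python
import base64
import hashlib
import hmac
import time

# Constructed sample values; both live only on the proxy host.
PROXY_SIGNING_KEY = b"constructed-signing-key"
UPSTREAM_API_KEY = "constructed-vimeo-key"  # the real key developers never see
REVOKED_DEVS = set()  # developers who have been offboarded

def _sign(payload):
    mac = hmac.new(PROXY_SIGNING_KEY, payload, hashlib.sha256).digest()
    return base64.urlsafe_b64encode(mac).decode()

def generate_key(dev_id, ttl_minutes=60, now=None):
    """Issue a token bound to one developer, valid for ttl_minutes."""
    if dev_id in REVOKED_DEVS:
        raise PermissionError("access revoked for " + dev_id)
    issued = time.time() if now is None else now
    payload = f"{dev_id}|{int(issued + ttl_minutes * 60)}".encode()
    return base64.urlsafe_b64encode(payload).decode() + "." + _sign(payload)

def verify(token, now=None):
    """Return the developer id for a valid token, else None."""
    try:
        body, sig = token.split(".")
        payload = base64.urlsafe_b64decode(body)
        sig_bytes = sig.encode()
    except ValueError:
        return None  # malformed token
    if not hmac.compare_digest(sig_bytes, _sign(payload).encode()):
        return None  # forged or altered token
    dev_id, expires = payload.decode().rsplit("|", 1)
    current = time.time() if now is None else now
    if current >= int(expires) or dev_id in REVOKED_DEVS:
        return None  # expired, or developer offboarded
    return dev_id

def upstream_headers(token, now=None):
    """Swap a valid proxy token for the real credential on the outbound call."""
    if verify(token, now) is None:
        return None
    return {"Authorization": "Bearer " + UPSTREAM_API_KEY}
```

Adding a developer to `REVOKED_DEVS` invalidates tokens they already copied into environment variables, and the upstream key never has to be rotated because it never left the proxy.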

0 Answers