Bad vs. Good

The difference between hardcoding a secret and retrieving it from a vault at runtime.

Hardcoded secret - don't do this

# Bad: the secret lives in source code forever (and in every clone,
# fork, CI log and backup of the repository)
import boto3

client = boto3.client(
    's3',
    aws_access_key_id='AKIAIOSFODNN7EXAMPLE',
    aws_secret_access_key='wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY',
)

Retrieved from a vault at runtime

# Good: the secret is fetched at runtime and never appears in code
import boto3
import hvac

# hvac reads the Vault token from the VAULT_TOKEN environment variable
# when none is passed; in production that token comes from an auth
# method (Kubernetes, AppRole, IAM auth, ...), not from a file in the repo.
vault = hvac.Client(url='https://vault.internal:8200')

# Ask the AWS secrets engine for credentials for the 's3-readonly' role.
# hvac returns the full Vault response; the keys live under ['data'].
creds = vault.secrets.aws.generate_credentials(name='s3-readonly')

client = boto3.client(
    's3',
    aws_access_key_id=creds['data']['access_key'],
    aws_secret_access_key=creds['data']['secret_key'],
    # Only present for STS-backed roles (assumed_role / federation_token);
    # absent for iam_user roles, so use .get().
    aws_session_token=creds['data'].get('security_token'),
)
# Credentials are dynamic: each call mints a fresh, short-lived set tied to
# a Vault lease. STS credentials expire on their own; IAM-user credentials
# are revoked by Vault when the lease expires.
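The "bad" pattern above is exactly what a pre-commit or CI check should reject before the key ever reaches a repository. The following scanner is an added example, not code from the original page: it flags AWS access key IDs by their fixed prefix and length, and flags 40-character secret-key-shaped tokens only when they sit on a line that mentions "secret" and have enough entropy to be a real key rather than a placeholder. The two sample sources are constructed inline (the bad one uses AWS's documented EXAMPLE keys, which the scanner marks as such so a tool can downgrade them); the regexes and the 3.5-bit entropy threshold are this example's own choices.

```python
"""Scan source text for hardcoded AWS credentials (added example)."""
import math
import re
from dataclasses import dataclass

# AWS access key IDs are 20 characters: AKIA (long-term IAM user) or
# ASIA (temporary STS) followed by 16 upper-case alphanumerics.
ACCESS_KEY_RE = re.compile(r"(?<![A-Z0-9])(AKIA|ASIA)[A-Z0-9]{16}(?![A-Z0-9])")

# Secret access keys are 40 characters from a base64-like alphabet. That shape
# alone is too generic, so a match is only reported when the same line also
# names something secret-like and the token has high entropy.
SECRET_RE = re.compile(r"(?<![A-Za-z0-9/+=])[A-Za-z0-9/+=]{40}(?![A-Za-z0-9/+=])")
SECRET_CONTEXT_RE = re.compile(r"secret", re.IGNORECASE)


@dataclass(frozen=True)
class Finding:
    line: int              # 1-based line number within the scanned text
    kind: str              # "access_key_id" or "secret_access_key"
    value: str
    is_aws_example: bool   # AWS's documented placeholder keys contain "EXAMPLE"


def shannon_entropy(s: str) -> float:
    """Bits of entropy per character; low values indicate placeholders."""
    counts: dict[str, int] = {}
    for ch in s:
        counts[ch] = counts.get(ch, 0) + 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def find_hardcoded_aws_keys(source: str, min_secret_entropy: float = 3.5) -> list[Finding]:
    """Return every credential-shaped token found in `source`, in line order."""
    findings: list[Finding] = []
    for lineno, line in enumerate(source.splitlines(), start=1):
        for m in ACCESS_KEY_RE.finditer(line):
            token = m.group(0)
            findings.append(Finding(lineno, "access_key_id", token, "EXAMPLE" in token))
        if SECRET_CONTEXT_RE.search(line):
            for m in SECRET_RE.finditer(line):
                token = m.group(0)
                if shannon_entropy(token) >= min_secret_entropy:
                    findings.append(Finding(lineno, "secret_access_key", token, "EXAMPLE" in token))
    return findings


# Constructed samples: the page's "bad" snippet and its vault-based "good" one.
BAD_SAMPLE = (
    "import boto3\n"
    "client = boto3.client('s3',\n"
    "    aws_access_key_id='AKIAIOSFODNN7EXAMPLE',\n"
    "    aws_secret_access_key='wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY',\n"
    ")\n"
)

GOOD_SAMPLE = (
    "import boto3\n"
    "import hvac\n"
    "vault = hvac.Client(url='https://vault.internal:8200')\n"
    "creds = vault.secrets.aws.generate_credentials(name='s3-readonly')\n"
    "client = boto3.client('s3',\n"
    "    aws_access_key_id=creds['data']['access_key'],\n"
    "    aws_secret_access_key=creds['data']['secret_key'],\n"
    ")\n"
)


if __name__ == "__main__":
    for name, sample in (("bad", BAD_SAMPLE), ("good", GOOD_SAMPLE)):
        hits = find_hardcoded_aws_keys(sample)
        print(f"{name}: {len(hits)} finding(s)")
        for f in hits:
            tag = " (AWS example key)" if f.is_aws_example else ""
            print(f"  line {f.line}: {f.kind} {f.value}{tag}")
```

Run it as a pre-commit hook over staged files and fail the commit on any finding that is not an AWS example key. The entropy gate is what keeps obvious placeholders such as `xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx` out of the report; a real secret key lands well above 4 bits per character.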