Deploying environment secrets to services
Analeea last edited by
I know I can use CD pipelines to deploy an app to a given environment (dev/stage/prod).
Given that each environment should have its own environment variables/secrets for each app, how can I streamline the process of securely setting those variables/secrets in each environment without having to ssh into the environment server and create a .env file for the specific app/environment that's being deployed?
I've heard of KeyVaults but I'm not sure if that's overkill for a single set of environments.
You can achieve this in multiple ways.
You can set your credentials as secrets if you use a CI/CD system such as Jenkins or GitLab pipelines. Then reference them within your pipeline script as variables and inject the credentials into your application during the build. This will not expose the credentials in the CI/CD system logs. Please refer to the following articles for more information:
Depending on your application security requirements, you can set up an identity-based secret and encryption management system such as
HashiCorp Vault. Vault provides encryption services that are gated by authentication and authorization methods. You can create a role for your CI/CD system within Vault and get the secrets during the build to auto-generate a .env file. Learning the Vault concepts may take a decent amount of time.
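As an added illustration of the build-time approach described in the answer above (this is example code, not something posted in the thread), the script below takes secrets that the CI/CD system has already injected as environment variables and writes them into a per-environment .env file with owner-only permissions. It refuses to run if any required secret is unset, quotes values so they survive being sourced, and only ever prints variable names (never values) to the job log. The variable names `APP_DB_PASSWORD` and `APP_API_KEY`, the `vault_field` helper and the Vault path `secret/myapp/prod` are assumptions for the example.

```shell
#!/bin/sh
# Added example: build a .env file from CI-injected secrets without leaking them to logs.
# Assumes the pipeline defines the secrets as environment variables (e.g. APP_DB_PASSWORD).
set -eu

# quote_single VALUE
# Wraps VALUE in single quotes, escaping embedded single quotes as '\'' so the
# resulting line can be sourced by a POSIX shell unchanged.
quote_single() {
  printf "'%s'" "$(printf '%s' "$1" | sed "s/'/'\\\\''/g")"
}

# write_env_file OUTPUT_PATH VAR_NAME...
# Writes NAME='value' for every named variable into OUTPUT_PATH (mode 0600).
# Fails before touching the file if any variable is missing or empty, so a
# half-populated .env is never deployed. Only names are echoed, never values.
write_env_file() {
  out="$1"; shift
  missing=""
  for name in "$@"; do
    eval "val=\${$name:-}"
    [ -n "$val" ] || missing="$missing $name"
  done
  if [ -n "$missing" ]; then
    echo "error: missing required secrets:$missing" >&2
    return 1
  fi
  # Create the file with restrictive permissions in a subshell so the caller's
  # umask is left untouched; appends below keep the 0600 mode.
  ( umask 077; : > "$out" )
  for name in "$@"; do
    eval "val=\${$name}"
    printf '%s=%s\n' "$name" "$(quote_single "$val")" >> "$out"
    echo "wrote $name=*** to $out"
  done
  chmod 600 "$out"
}

# vault_field KV_PATH FIELD
# Alternative source for the same values: read one field from Vault's KV engine
# with the vault CLI (assumes VAULT_ADDR is set and the CI role has already
# authenticated). Example: APP_DB_PASSWORD=$(vault_field secret/myapp/prod db_password)
vault_field() {
  vault kv get -field="$2" "$1"
}

# Usage in a pipeline step (secrets come from the CI variable store):
#   write_env_file ./deploy/prod.env APP_DB_PASSWORD APP_API_KEY
```

The job log then shows only `wrote APP_DB_PASSWORD=*** to ./deploy/prod.env`, and the generated file is owned by the deploy user with mode 0600; a missing or empty secret fails the step instead of shipping a broken configuration.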