This morning I just discovered all our repos are visible to everyone in the company... Not just the team that created them...

We store passwords and certs in our repos....

Bruh - step AWAY from that Kryptonite! Passwords & certs in source control is n00b level stupidity. Whomever has been OKing that practice needs to get a serous chewing out.

Why would anybody ever store keys in repos, it's a disaster waiting to happen.

You can store passwords in a repo, but only when you encript them. Use a password manager.

@xMadxHatterx yes we sorta know but thought the repo was private... But apparently not.

So what's the alternative? Everyone on the team needs to have access to the passwords to dev on their local pcs

@donuts use a password manager.
Something like Dashlane will let you share passwords within a team.
Or for stuff like secrets, keys, etc. use AWS KMS or parameter store.
Even better if you can create a user during test runs then dispose.

One alternative is to wire up the app with AWS Secret Manager so it can fetch its own passwords.

@devphobe but what is aws is down?

@donuts if your app has the secrets in memory, and AWS is down, it should still run.... as long as you don’t redeploy. There are other options . Encrypt your passwords in the repo, devs would share a single key. Push secrets out using Ansible-Vault. Use Hashicorp Vault. Where I work, we accept that if AWS is down, so are we.

@devphobe regarding encrypt, how would you decrypt? You'd store the key manually on the machines that run the app?

@donuts yes. Push the key out to all the boxes with Ansible? That’s what we did for a while. Only a handful of engineers had the key. Not the best way, but better than plain text passwords.

@donuts you can encrypt them in an on-prem database to make your own makeshift keystore, or use something like CyberArk or another vault implementation with OTP integration. This is 10 times better than committing secrets to a git repo.

Secrets in a repo... gosh, whoever did that - and everyone who does - should be fired and banned from working in tech, effective immediately and indefinitely.

@100110111 its been like that... Because everyone thought they were "wearing clothes" and too lazy to fix it.

I stopped trying years ago. Convincing a whole team to do something and change their ways is too hard when ur not the boss

@donuts I could not work with people as hard-headed as that. Would’ve relocated aeons ago. Maybe you should, too?

@100110111 well I'm stuck at the company for other reasons. the pay ain't bad but lots of "yes we know but we don't have time"...

Tried an internal move last year but fell thru.

But at least I can go with "not my problem"

Wouldn't say hard headed but just aren't very techy. Recently working with ppl from other teams and well the diff in experience is like "wow they're are ppl and teams here that actually know and work with all this fancy cloud container stuff for the last few years?"

@100110111 I’m in the same boat. Hard coded secrets from engineers long since gone at the company. Too many to count we try to refactor them as we go.

@devphobe we go by don't fix what's not broken. Broken being app crashing, critical

Creds? In a repo?
What kind of moron is making the decisions at your company?

@Root not me

@Root btw wondering how do you give an app write access to db without the devs knowing what credentials are?

Don't use closed source password managers, don't use Dashline. Use a good open source password manager. You can store passwords in a password manager database which is encryptet with a good password. Share the password with the other devs on a secure channel. The db can be shared with git, when you use an encrypted password db or use a cloud password manager that is hosted on your own server, like bitwarden, but don't use the browser page to access it.

@donuts using and storing credentials are very different.

You can store them in environment vars (best practice), or in local files that are only added during deploy. (Don’t do this with php). There are also AWS-specific approaches that work well.

The first part of this is fine. We have that here, open access to source code is never really a bad thing.

Creds in a repo however? Come on...

@donuts Old Polish saying, "nie mój cyrk, nie moje małpy" - Literally "not my circus, not my monkeys"