# Secrets Management
Secure secrets management for CI/CD pipelines using Vault, AWS Secrets Manager, and other tools.
## Secret Management Tools
| Tool | Best For |
|---|---|
| HashiCorp Vault | Centralized, dynamic secrets |
| AWS Secrets Manager | AWS-native, auto-rotation |
| Azure Key Vault | Azure-native, HSM-backed |
| Google Secret Manager | GCP-native, IAM integration |
## HashiCorp Vault

### Setup
```bash
# Enable a KV version 2 secrets engine at the "secret" mount
vault secrets enable -path=secret kv-v2
# Write the credentials; on KV v2 this key is served at the API path secret/data/database/config
vault kv put secret/database/config username=admin password=secret
```

### GitHub Actions Integration
```yaml
- name: Import Secrets from Vault
  uses: hashicorp/vault-action@v2
  with:
    url: https://vault.example.com:8200
    token: ${{ secrets.VAULT_TOKEN }}
    # KV v2 secrets are read through the /data/ API path, so the key written
    # above (secret/database/config) is addressed as secret/data/database/config
    secrets: |
      secret/data/database/config username | DB_USERNAME ;
      secret/data/database/config password | DB_PASSWORD
```

### GitLab CI Integration
```yaml
deploy:
  script:
    # VAULT_TOKEN must be available to the job, either as a masked, protected
    # CI/CD variable or obtained by logging in with the job's ID token through
    # Vault's JWT auth method
    - export VAULT_ADDR=https://vault.example.com:8200
    - DB_PASSWORD=$(vault kv get -field=password secret/database/config)
```

## AWS Secrets Manager
### Store Secret
```bash
# Store the credential as a JSON document so that the individual "password"
# key can be read by the CI, Terraform and rotation examples below
aws secretsmanager create-secret \
  --name production/database/password \
  --secret-string '{"password":"super-secret-password"}'
```

### Retrieve in CI/CD
```yaml
- name: Get secret from AWS
  run: |
    # Extract the "password" key from the JSON secret document
    SECRET=$(aws secretsmanager get-secret-value \
      --secret-id production/database/password \
      --query SecretString --output text | jq -r '.password')
    # Register the value with the runner so it is redacted from job logs
    echo "::add-mask::$SECRET"
    echo "DB_PASSWORD=$SECRET" >> "$GITHUB_ENV"
```

### Terraform Integration
```hcl
data "aws_secretsmanager_secret_version" "db_password" {
  secret_id = "production/database/password"
}

resource "aws_db_instance" "main" {
  # engine, instance_class, allocated_storage, username etc. omitted for brevity
  password = jsondecode(data.aws_secretsmanager_secret_version.db_password.secret_string)["password"]
  # The decoded password is recorded in Terraform state: keep state in an
  # encrypted, access-controlled remote backend
}
```

## External Secrets Operator (Kubernetes)
```yaml
apiVersion: external-secrets.io/v1beta1
kind: SecretStore
metadata:
  name: vault-backend
spec:
  provider:
    vault:
      server: "https://vault.example.com:8200"
      # KV v2 mount; the operator reads keys through secret/data/<key>
      path: "secret"
      auth:
        kubernetes:
          mountPath: "kubernetes"
          role: "production"
---
apiVersion: external-secrets.io/v1beta1
kind: ExternalSecret
metadata:
  name: database-credentials
spec:
  # The operator re-reads Vault on this interval, so a rotated value reaches
  # the cluster without a redeploy
  refreshInterval: 1h
  secretStoreRef:
    name: vault-backend
  data:
    - secretKey: password
      remoteRef:
        key: database/config
        property: password
```

## Secret Rotation
```python
import json
import secrets

import boto3

client = boto3.client("secretsmanager")


def generate_strong_password(length=32):
    # Use the secrets module (CSPRNG), never random, for credentials
    return secrets.token_urlsafe(length)


def update_database_password(new_password):
    # Application-specific: apply the new password to the database account
    # (for example ALTER USER ... PASSWORD ...) before the store is updated
    raise NotImplementedError


def rotate_secret(secret_id):
    # Generate new password
    new_password = generate_strong_password()
    # Update database password
    update_database_password(new_password)
    # Update secret store; JSON with a "password" key matches the format the
    # Terraform example reads. The replaced version remains retrievable under
    # the AWSPREVIOUS staging label.
    client.put_secret_value(
        SecretId=secret_id,
        SecretString=json.dumps({'password': new_password})
    )
```
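The function above changes the database password before the store holds the new value, so a failure between the two calls leaves the only copy of the new password in memory. The following added example (not code from the original page) shows the staged order that AWS Secrets Manager rotation uses: write the candidate as `AWSPENDING`, apply and verify it, then promote it to `AWSCURRENT`. The `FakeSecretsManager` class is constructed here so the flow runs offline; it imitates the three boto3 `secretsmanager` calls the function uses (`get_secret_value`, `put_secret_value`, `update_secret_version_stage`), and a real `boto3.client("secretsmanager")` can be passed in its place. The two callables for updating and testing the database login are assumptions standing in for application-specific code.

```python
"""Staged secret rotation (added example, offline via a constructed fake client)."""
import json
import secrets
import uuid


def generate_strong_password(length=32):
    # CSPRNG-backed; token_urlsafe(32) yields ~43 URL-safe characters
    return secrets.token_urlsafe(length)


def rotate_secret_staged(client, secret_id, update_database_password, test_database_login):
    """Rotate in the AWSPENDING -> AWSCURRENT sequence; returns the new version id."""
    current = client.get_secret_value(SecretId=secret_id, VersionStage="AWSCURRENT")
    new_password = generate_strong_password()
    token = str(uuid.uuid4())
    # 1. Persist the candidate first, staged as AWSPENDING, so a crash after the
    #    database update cannot lose the only copy of the new password.
    client.put_secret_value(
        SecretId=secret_id,
        ClientRequestToken=token,
        SecretString=json.dumps({"password": new_password}),
        VersionStages=["AWSPENDING"],
    )
    # 2. Apply it to the database and verify before anything is promoted.
    update_database_password(new_password)
    if not test_database_login(new_password):
        raise RuntimeError("new password rejected by database; AWSCURRENT unchanged")
    # 3. Promote: AWSCURRENT moves to the new version; the old one becomes AWSPREVIOUS.
    client.update_secret_version_stage(
        SecretId=secret_id,
        VersionStage="AWSCURRENT",
        MoveToVersionId=token,
        RemoveFromVersionId=current["VersionId"],
    )
    return token


class FakeSecretsManager:
    """Constructed in-memory stand-in for the boto3 client (simplified staging rules)."""

    def __init__(self, secret_id, secret_string):
        vid = str(uuid.uuid4())
        self.versions = {secret_id: {vid: {"SecretString": secret_string, "stages": {"AWSCURRENT"}}}}

    def get_secret_value(self, SecretId, VersionStage="AWSCURRENT"):
        for vid, v in self.versions[SecretId].items():
            if VersionStage in v["stages"]:
                return {"VersionId": vid, "SecretString": v["SecretString"]}
        raise KeyError(VersionStage)

    def put_secret_value(self, SecretId, ClientRequestToken, SecretString, VersionStages):
        self.versions[SecretId][ClientRequestToken] = {
            "SecretString": SecretString, "stages": set(VersionStages)}

    def update_secret_version_stage(self, SecretId, VersionStage, MoveToVersionId, RemoveFromVersionId):
        vers = self.versions[SecretId]
        vers[RemoveFromVersionId]["stages"].discard(VersionStage)
        vers[MoveToVersionId]["stages"].add(VersionStage)
        if VersionStage == "AWSCURRENT":
            # Like AWS, move AWSPREVIOUS onto the version that just lost AWSCURRENT
            for v in vers.values():
                v["stages"].discard("AWSPREVIOUS")
            vers[RemoveFromVersionId]["stages"].add("AWSPREVIOUS")


def demo():
    """Run one rotation against the fake; returns (current matches db, previous password, new id)."""
    sid = "production/database/password"
    sm = FakeSecretsManager(sid, json.dumps({"password": "old"}))
    db = {"password": "old"}  # constructed stand-in for the database account
    new_id = rotate_secret_staged(
        sm, sid,
        update_database_password=lambda p: db.__setitem__("password", p),
        test_database_login=lambda p: db["password"] == p,
    )
    current = json.loads(sm.get_secret_value(sid)["SecretString"])["password"]
    previous = json.loads(sm.get_secret_value(sid, "AWSPREVIOUS")["SecretString"])["password"]
    return current == db["password"], previous, new_id


if __name__ == "__main__":
    print(demo())
```

If the verification step fails, the function raises before `AWSCURRENT` is moved, so consumers keep reading the old version and the pending one can be cleaned up or retried; that is the property the unstaged version cannot give.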
## Secret Scanning (Pre-commit)
```bash
#!/bin/bash
# .git/hooks/pre-commit
# --fail makes TruffleHog exit non-zero (183) when it finds results; without
# it the exit status is 0 even on findings and the hook never blocks anything
docker run --rm -v "$(pwd):/repo" \
  trufflesecurity/trufflehog:latest \
  filesystem --directory=/repo --fail
if [ $? -ne 0 ]; then
  echo "Secret detected! Commit blocked."
  exit 1
fi
```
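To show what a scanner like the one in the hook is actually doing, here is an added example (not part of the original page and not TruffleHog's code) of a minimal pre-commit scanner in Python. It combines a few well-known public credential formats with a Shannon-entropy check on values assigned to secret-looking variable names, and `scan_staged_files` wires it to `git diff --cached`. The sample text, the 4.0 bits/character threshold and the `# pragma: allowlist secret` opt-out marker (the marker detect-secrets uses) are assumptions; the `AKIAIOSFODNN7EXAMPLE` value is AWS's documentation example key.

```python
"""Minimal pre-commit secret scanner (added example)."""
import math
import re
import subprocess
import sys

# A few public credential formats; real scanners carry hundreds of detectors
PATTERNS = {
    "aws-access-key-id": re.compile(r"\b(?:AKIA|ASIA)[0-9A-Z]{16}\b"),
    "private-key-block": re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----"),
    "github-token": re.compile(r"\bgh[pousr]_[A-Za-z0-9]{36,}\b"),
}
# A long value assigned to a secret-looking name
ASSIGNMENT = re.compile(r"(?i)(password|passwd|secret|token|api[_-]?key)\s*[:=]\s*['\"]?([^'\"\s]{8,})")
ENTROPY_THRESHOLD = 4.0  # bits per character; assumed cut-off, tune per repository
ALLOWLIST_MARKER = "# pragma: allowlist secret"


def shannon_entropy(s):
    """Bits of entropy per character of s (0.0 for empty or single-symbol strings)."""
    if not s:
        return 0.0
    counts = {c: s.count(c) for c in set(s)}
    return -sum(n / len(s) * math.log2(n / len(s)) for n in counts.values())


def scan_text(text):
    """Return [(line_number, reason)] for lines that look like they carry a secret."""
    findings = []
    for n, line in enumerate(text.splitlines(), 1):
        if ALLOWLIST_MARKER in line:  # explicit, reviewable opt-out
            continue
        for name, rx in PATTERNS.items():
            if rx.search(line):
                findings.append((n, name))
        m = ASSIGNMENT.search(line)
        # Low-entropy placeholders such as "changeme" are deliberately not flagged
        if m and shannon_entropy(m.group(2)) >= ENTROPY_THRESHOLD:
            findings.append((n, "high-entropy-assignment"))
    return findings


def scan_staged_files():
    """Scan files staged for commit; returns [(path, line_number, reason)]."""
    out = subprocess.run(
        ["git", "diff", "--cached", "--name-only", "--diff-filter=ACM"],
        capture_output=True, text=True, check=True).stdout
    results = []
    for path in out.split():
        try:
            with open(path, encoding="utf-8", errors="ignore") as fh:
                results += [(path, n, why) for n, why in scan_text(fh.read())]
        except OSError:
            continue
    return results


# Constructed sample input for an offline run
SAMPLE = """\
db_host = "db.internal"
aws_access_key_id = "AKIAIOSFODNN7EXAMPLE"
password = "changeme"
api_key = "x7Gq9pLm2Vb4Rt8Kw1Zy"
-----BEGIN RSA PRIVATE KEY-----
"""

if __name__ == "__main__":
    hits = scan_staged_files() if len(sys.argv) == 1 else [("SAMPLE", n, w) for n, w in scan_text(SAMPLE)]
    for path, n, why in hits:
        print(f"{path}:{n}: possible secret ({why})")
    if hits:
        print("Secret detected! Commit blocked.")
        sys.exit(1)
```

Run with any argument to scan the embedded sample instead of the index. The entropy rule is the reason such scanners produce both false positives (random-looking but harmless identifiers) and false negatives (low-entropy real passwords); TruffleHog's verified-credential mode addresses the former by checking findings against the issuing service.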
## Best Practices
- Never commit secrets to Git
- Use different secrets per environment
- Rotate secrets regularly
- Implement least-privilege access
- Enable audit logging
- Use secret scanning (GitGuardian, TruffleHog)
- Mask secrets in logs
- Use short-lived tokens when possible
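"Mask secrets in logs" is what `::add-mask::` does for GitHub Actions job output; application logs need the same treatment. The following added example (not from the original page) is a `logging.Filter` that redacts values registered with it, plus a pattern rule for `Authorization: Bearer` headers, applied at the handler so it covers every logger feeding that handler. The logger name, the sample messages and the bearer token value are constructed for the demo.

```python
"""Redacting secret values from application logs (added example)."""
import io
import logging
import re


class SecretMaskingFilter(logging.Filter):
    """Replaces registered secret values and bearer tokens with *** in log output."""

    BEARER = re.compile(r"(?i)(authorization:\s*bearer\s+)\S+")

    def __init__(self):
        super().__init__()
        self._secrets = []

    def register(self, value):
        # Mirrors what ::add-mask:: registers; very short values would redact unrelated text
        if value and len(value) >= 4 and value not in self._secrets:
            self._secrets.append(value)
            self._secrets.sort(key=len, reverse=True)  # longest first so substrings do not win

    def mask(self, text):
        for s in self._secrets:
            text = text.replace(s, "***")
        return self.BEARER.sub(r"\1***", text)

    def filter(self, record):
        # Render the message first so secrets passed as %-args are masked as well
        record.msg = self.mask(record.getMessage())
        record.args = ()
        return True


def demo_masked_lines():
    """Emit three constructed log lines through the filter; returns them as emitted."""
    stream = io.StringIO()
    handler = logging.StreamHandler(stream)
    handler.setFormatter(logging.Formatter("%(levelname)s %(message)s"))
    flt = SecretMaskingFilter()
    flt.register("super-secret-password")
    handler.addFilter(flt)
    log = logging.getLogger("deploy-example")
    log.propagate = False
    log.setLevel(logging.INFO)
    log.handlers = [handler]
    log.info("connecting as %s with password %s", "admin", "super-secret-password")
    log.info("Authorization: Bearer eyJhbGciOi.constructed.token")
    log.info("password rotation completed")
    return stream.getvalue().splitlines()


if __name__ == "__main__":
    print("\n".join(demo_masked_lines()))
```

Value-based masking only catches secrets the process knows about, so it complements rather than replaces the stronger rule of not passing secret values to the logger at all; the pattern rule exists for the cases, such as forwarded headers, where the value was never registered.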