gurchik | 1 year ago

I think the audience for this is someone who is already using AWS Secrets Manager, but wants to reduce their API usage (perhaps due to cost).

Chamber uses SSM Parameter Store, which for many cases is similar, but some people might have a preference for Secrets Manager. For example, a team might like the automatic RDS password rotation for Secrets Manager and decide to put everything there for consistency.

For Doppler, well maybe someone doesn't want to pay for it, or they'd rather control access to their secrets via IAM instead of through a separate tool.

SamuelAdams|1 year ago

Yes, we use something similar for debugging lambdas locally. We use Dotnet, and this library:

https://github.com/Kralizek/AWSSecretsManagerConfigurationEx...

Normally Boto uses the current account context to get secrets, but if we run a lambda as a local build, it uses this library to pull secrets from the actual dev AWS account.

This makes it easier to onboard new developers, reduces problems of figuring out what secrets to get for each lambda, etc.

Also if secrets are rotated in dev, local stacks get them automatically.

I am curious to see if this tool is remarkably different.

banku_brougham|1 year ago

It's no joke that AWS Secrets Manager calls add up. At my medium-size US web company, for our data lake account last month, KMS is the second highest line item after S3 service cost. S3 at 94% of total, KMS at 4% of total with Tax and Kinesis the remaining sizable components.

drodgers|1 year ago

Chamber can also use S3 + KMS as a backend, which reduces the API costs to ~0 and massively improves the scalability (since SSM has annoyingly low rate limits, or at least it did a few years ago when we last tried it).