top | item 46718021

(no title)

I feel I see these solutions somewhat often, but you can execute a command and use that as a value. To me, I'm not sure why people aren't calling their secret store as part of it. I use direnv mostly, but seems `.env` supports the same thing. e.g:

MY_SECRET=$(pass show path/to/my/secret)

Of course substitute that for Vault/SSM/whatever. There are other solutions to this problem too, but I show this to people as there's so little friction to using it.

As for the solution itself, we shouldn't really be storing secrets as plain text wherever we can help it. Masking them feels like a kludge.

discuss

No comments yet.