LogoTRUONG PHAM
Home
Projects
Blogs
YouTube
Contact

Newsletter

Stay updated with technical artifacts and engineering insights.

LogoTRUONG PHAM

Building scalable software and sharing insights on technology & life.

Sitemap

  • Home
  • Projects
  • Blogs
  • YouTube
  • Contact

Connect

  • GitHub
  • LinkedIn
  • Email
  • YouTube

© 2024 TRUONG PHAM. © All rights reserved.

Privacy PolicyTerms of Service
Back
Secret Management - Don't Let API Keys Wander Around
Microservice Journey: Lessons & Trade-offs

Secret Management - Don't Let API Keys Wander Around

As the number of services increases, managing passwords and API keys becomes a massive security risk. How we keep secrets safe.

TP
Truong PhamSoftware Engineer
PublishedApril 3, 2024
Stack
microservice ·security ·devops ·secrets

One of the fastest ways to ruin a developer's career is to accidentally push a .env file containing a Database Password to public GitHub. In Microservices, this risk is multiplied by 10.

The Problem: 10 services, 100 secrets

Initially, we kept sensitive information (Database URL, OpenAI API Key, JWT Secret...) in CI/CD environment variables or local .env files.

But as the system grew:

  • Who is authorized to see the Production database password?
  • How do you rotate a secret without redeploying all 10 services?
  • How do we ensure new devs don't accidentally read important keys from the real system?

1. The Golden Rule: Never Commit Secrets

Even in human private repos, committing secrets into code is a sin. Code can leak, and git history will preserve that secret forever.

2. The Solution: Centralized Secret Manager

We switched to a centralized secret management service. For small teams, there are 2 good choices:

  • Cloud Native: AWS Secrets Manager or Google Secret Manager. Very easy to use if you are already on their Cloud.
  • HashiCorp Vault: Extremely powerful but a bit difficult to operate for small teams.

How it works: When a service starts, instead of reading from a .env file, it calls an API to the Secret Manager to retrieve information. Or better, we use a "Sidecar service" to inject these secrets into the application's memory.

3. Secret Rotation Strategy

What happens if an API Key is exposed? Normally, you'd have to change the key at the provider, then fix it in 10 services. With a Secret Manager, you only change it in one place. Services will automatically receive the new key on the next restart (or even in real-time if coded carefully).

Lessons Learned for Small Teams

  1. Clear Permissions (RBAC): Only necessary services should have the right to access their corresponding secrets. The Payment Service doesn't need to know the Shipping Service's secrets.
  2. Client-side Encryption (if needed): For extremely sensitive information, we encrypt it with another layer before pushing it to the Secret Manager.
  3. Local Development: Use tools like infisical or simply a .env.example file so devs can fill in their own private keys when working locally.

Conclusion

Security is not a "feature"; it is the foundation. Good secret management helps your team expand the system more confidently and sleep better knowing that the company's most important information is properly protected.

Series • Part 17 of 20

Microservice Journey: Lessons & Trade-offs

NextMacroservice - When We Decide to 'Merge' Services Back
Feature Flags - Deploy and Release are No Longer One
12The Pain Named Cloud Bill - Cost Optimization for 'Broke Teams'13When the System Goes Silent - Lessons on Post-mortem and Blame-free Culture14Contract Testing - When Integration Testing Becomes a Burden15AI-Service Integration - Bringing LLM/RAG into Microservice Architecture16Feature Flags - Deploy and Release are No Longer One17Secret Management - Don't Let API Keys Wander AroundReading18Macroservice - When We Decide to 'Merge' Services Back19The Maintenance Nightmare - When Microservice Systems Age20Microservice Journey Summary - Do You Really Need It?
TP

Written by Truong Pham

Software Engineer passionate about building high-performance systems and meaningful experiences.

Read more articles