Date: 2021-06-18
✅ Accepted
The Modernisation Platform team and its users need a way to store secrets securely. There are several different methods currently used across the MoJ, including Secrets Manager, Parameter Store, LastPass and Git-Crypt.
There are also other well-known industry solutions such as HashiCorp Vault. We want a single, consistent solution across the Modernisation Platform.
We've decided to use Secrets Manager for our secrets storage.
Parameter Store can be used to store non-secret parameters if needed for environment-specific configuration, but the first choice should be an application_variables.json file such as this.
- any secrets will be stored in Secrets Manager
- there will be no sharing of secrets across accounts
- secret rotation via Secrets Manager should be used where possible
- SSO permission sets will be updated to allow users to manage their secrets

Consequences:
- compatible with AWS services
- automated secret rotation possible
- users manage their own secrets
- Secrets Manager is more expensive than Parameter Store
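The two decisions that are easiest to drift from are "secret rotation where possible" and "no sharing of secrets across accounts". The following is an added audit example, not Modernisation Platform code: it takes the shape of Secrets Manager `describe_secret()` output plus each secret's resource policy (constructed sample data, with an assumed account ID of 111111111111) and flags secrets that break either rule. In a real run the list would be built from boto3's `list_secrets()`, `describe_secret()` and `get_resource_policy()`.

```python
"""Audit Secrets Manager secrets for missing rotation and cross-account sharing."""
import json

# Assumed account ID and constructed sample records (not real secrets).
ACCOUNT_ID = "111111111111"
SAMPLE_SECRETS = [
    {"Name": "app/db-password", "RotationEnabled": True, "ResourcePolicy": None},
    {"Name": "app/api-key", "RotationEnabled": False, "ResourcePolicy": None},
    {"Name": "shared/token", "RotationEnabled": True,
     "ResourcePolicy": json.dumps({"Version": "2012-10-17", "Statement": [
         {"Effect": "Allow", "Principal": {"AWS": "arn:aws:iam::222222222222:root"},
          "Action": "secretsmanager:GetSecretValue", "Resource": "*"}]})},
]

def foreign_principals(policy_json, account_id):
    """Return principals in an Allow statement that are not from account_id."""
    if not policy_json:
        return []
    found = []
    for stmt in json.loads(policy_json).get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        principal = stmt.get("Principal", {})
        if principal == "*":          # anonymous access: always a finding
            found.append("*")
            continue
        arns = principal.get("AWS", []) if isinstance(principal, dict) else []
        for arn in [arns] if isinstance(arns, str) else arns:
            if arn == "*" or f":{account_id}:" not in arn:
                found.append(arn)
    return found

def audit(secrets, account_id=ACCOUNT_ID):
    """Return (secret name, finding) pairs for every rule violation."""
    findings = []
    for s in secrets:
        if not s.get("RotationEnabled"):
            findings.append((s["Name"], "rotation not enabled"))
        for p in foreign_principals(s.get("ResourcePolicy"), account_id):
            findings.append((s["Name"], f"shared with {p}"))
    return findings

if __name__ == "__main__":
    for name, finding in audit(SAMPLE_SECRETS):
        print(f"{name}: {finding}")
```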