What is a secret?
In software engineering, what are we referring to when we say secret?
A secret, at its essence, is a piece of sensitive information that you want to keep, well, secret.
Secrets come in many forms, and you’ve likely encountered more than one, such as a password, API key, encryption key, authorization token, or a similar credential that grants access to something.
Keeping track of all of these keys, IDs, and tokens across developers and multiple environments becomes hard to organize and maintain when there is no secrets infrastructure in place.
Which brings us to secrets management.
The importance of secrets management
Secrets management is the process and practice of consolidating sensitive information and ensuring your secrets are secure, confidential, and manageable.
By implementing a proper secrets management infrastructure, you can fortify your team’s security posture, decrease DevOps friction, and improve developer efficiency.
With the right tools, secrets management can help you and your team:
Prevent secret sprawl and security islands
Keep sensitive information confidential
Prevent leaking secrets through code or breaches
Reduce breach impact with automatic credential rotation and revocation
There are many secrets management tools to pick from.
I’m going to talk about one in particular, Infisical.
Infisical
Infisical is an open-source secrets management platform that is powerful and easy to use.
All-in-one platform to securely manage application configuration and secrets across your team and infrastructure.
Getting started
To begin, let’s set up an Infisical account.
Once you’ve done that, we can get up and running easily with the Infisical CLI.
I’m on macOS so I installed the CLI with Homebrew:
brew install infisical/get-cli/infisical
If you’re on a different OS you can find installation instructions here.
Next, log in to your Infisical account with the CLI:
infisical login
Then, connect your local project to an Infisical project:
infisical init
Now that Infisical is configured, we can inject secrets from the cloud project straight into a process with the infisical run command, with no .env file on disk.
The command structure is:
infisical run [options] -- [your application start command]
Let’s use the --env flag to specify which environment we want to inject secrets from.
I spun up a quick Next.js project with Bun, so my command and output were the following:
And just like that, Infisical injected five secrets from my Infisical cloud development environment into my application process as environment variables.
By default, the run command uses the dev environment, but I like to be verbose: being explicit makes it obvious which environment’s secrets a process is about to receive, so a staging command never quietly runs with dev credentials. Keep in mind that environment variables are inherited by every child process the wrapped command spawns, so keep that command tight and don’t wrap a whole interactive shell unless you mean to.
You can inject secrets from other Infisical cloud project environments using the following environment slugs:
dev
staging
test
prod
These secrets will stay in sync across your team, as people add, edit, and remove them from any of your project’s environments. A single source of truth.
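To tie the steps above together, here is an added example of a small start script (not from the original post or from Infisical) that wraps the app launch in infisical run. It picks the environment slug explicitly, has Infisical inject that environment’s secrets, and then, inside the child process, refuses to exec the real application until every expected secret is present and non-empty, printing only the names of missing secrets and never their values. The --env flag is the one used in the text; the variable names in REQUIRED_SECRETS, the script name, and the bun command are hypothetical placeholders for your own app.

```shell
#!/usr/bin/env sh
# Added example, not part of the original post or the Infisical project.
# Usage: ./start.sh start <dev|staging|test|prod> bun run dev
# Assumption: the app expects the (hypothetical) variables listed below.
REQUIRED_SECRETS="DATABASE_URL API_KEY"

# Map the requested target onto an Infisical environment slug. Unknown input is
# rejected so a typo can never silently fall back to the `dev` default.
env_slug() {
  case "$1" in
    dev|staging|test|prod) printf '%s\n' "$1" ;;
    *) return 1 ;;
  esac
}

# Verify every required secret is set and non-empty in the current environment.
# Only the names of missing secrets are printed; values never reach a log.
check_required_secrets() {
  missing=""
  for name in $REQUIRED_SECRETS; do
    eval "value=\${$name:-}"
    [ -n "$value" ] || missing="$missing $name"
  done
  if [ -n "$missing" ]; then
    printf 'refusing to start, missing secrets:%s\n' "$missing" >&2
    return 1
  fi
  return 0
}

# infisical run injects the chosen environment's secrets into the child process.
# The child is this same script in "check" mode, so the validation runs with
# the injected variables and then execs the real application command.
start_app() {
  slug=$(env_slug "$1") || { printf 'unknown environment: %s\n' "$1" >&2; return 2; }
  shift
  exec infisical run --env="$slug" -- "$0" check "$@"
}

case "${1:-}" in
  start) shift; start_app "$@" ;;
  check) shift; check_required_secrets && exec "$@" ;;
esac
```

Running ./start.sh start staging bun run dev therefore fails fast with a readable message if someone forgot to add API_KEY to the staging environment, instead of the app crashing later with a half-configured client, and nothing secret is ever written to disk or to the console.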
Wrapping up
That should be enough to get you started, but Infisical has much more to offer if you’d like to explore what’s possible.
You can sync secrets with your CI/CD pipelines, automatically detect secret leaks in your codebase with secret scanning, assign user roles to narrow who can read or change which secrets, create approval policies for secret modifications, or set up automatic credential rotation.
Check out their documentation if you’re interested.