I was recently working on an application migration project, and the question of where to put environment-specific values came up. These were values such as server names, API keys, database credentials, schema names and so on.
That got me thinking: how do you decide where these values belong? It's not always an easy answer once you consider facets such as:
- Is it a secret or otherwise sensitive?
- Does it need to be rotated automatically on a schedule?
- Is it re-used by more than one workload within the same AWS account?
- Does it need to be accessible from other AWS accounts?
So, to help with the decision, I’ve created everyone’s favourite: a FLOWCHART!!!
When would you use each location?
- The value is not shared with any other workload; and
- It is not considered a secret nor sensitive; and
- It can be stored in plain text in your source code repository of choice; and
- It does not require regular automatic rotation.

- The value is shared within an AWS account; and
- It is not considered a secret nor sensitive; and
- It does not require regular automatic rotation.

- The value is shared within an AWS account; and
- It is considered a secret or sensitive; and
- It does not require regular automatic rotation.

- The value needs to be shared between AWS accounts; or
- It is considered a secret or sensitive and it does require regular automatic rotation.
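The flowchart image itself and the headings naming the four locations did not come through in this copy of the post, so here is the decision written out as code, together with the AWS API call each outcome leads to. This is an added example, not the post's own code, and it assumes the four locations are, in the order listed above, a config file in the source repository, an SSM Parameter Store String, an SSM Parameter Store SecureString, and AWS Secrets Manager. The `Facets`, `Call`, `choose_location` and `plan_calls` names, the 30-day rotation schedule, and the sample ARNs and account IDs are all invented for the example; nothing in it contacts AWS, it only returns the keyword arguments a boto3 client method would take, so the decision can be reviewed before anything is created.

```python
"""Encode the flowchart and turn each outcome into the boto3 call that would
create the value in the chosen store. Added example; assumed mapping of the four
locations to repo / SSM String / SSM SecureString / Secrets Manager."""
import json
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Facets:
    """The four questions the post asks about a value."""
    secret: bool             # is it a secret or otherwise sensitive?
    rotate: bool             # must it be rotated automatically on a schedule?
    shared_in_account: bool  # re-used by more than one workload in the same account?
    cross_account: bool      # needed from another AWS account?


@dataclass(frozen=True)
class Call:
    service: str  # boto3 client name, e.g. "ssm"
    api: str      # client method name, e.g. "put_parameter"
    kwargs: dict = field(default_factory=dict)


def choose_location(f: Facets) -> str:
    """Walk the flowchart; returns repo / ssm_string / ssm_securestring / secretsmanager."""
    if f.cross_account or (f.secret and f.rotate):
        return "secretsmanager"
    if f.rotate:
        # The flowchart has no branch for a non-secret value that still rotates
        # (Parameter Store has no built-in rotation); refuse rather than guess.
        raise ValueError("rotating non-secret value: not covered by the flowchart")
    if f.secret:
        return "ssm_securestring"
    if f.shared_in_account:
        return "ssm_string"
    return "repo"


def plan_calls(name, value, f, kms_key_id=None, rotation_lambda_arn=None,
               consumer_account_ids=()):
    """Return the API calls that create `name` in the location the flowchart picks."""
    where = choose_location(f)
    if where == "repo":
        return []  # plain text in the repo: no AWS call, just commit the config file
    if where == "ssm_string":
        return [Call("ssm", "put_parameter",
                     {"Name": name, "Value": value, "Type": "String", "Overwrite": True})]
    if where == "ssm_securestring":
        kw = {"Name": name, "Value": value, "Type": "SecureString", "Overwrite": True}
        if kms_key_id:  # without KeyId, SSM encrypts with the AWS-managed aws/ssm key
            kw["KeyId"] = kms_key_id
        return [Call("ssm", "put_parameter", kw)]

    # Secrets Manager
    if f.cross_account and not kms_key_id:
        # The AWS-managed key aws/secretsmanager cannot be used from another account,
        # so a cross-account secret needs a customer-managed KMS key whose key policy
        # also grants kms:Decrypt to the consuming accounts.
        raise ValueError("cross-account secret needs a customer-managed KMS key")
    if f.rotate and not rotation_lambda_arn:
        raise ValueError("rotation requires a rotation Lambda function")
    kw = {"Name": name, "SecretString": value}
    if kms_key_id:
        kw["KmsKeyId"] = kms_key_id
    calls = [Call("secretsmanager", "create_secret", kw)]
    if f.rotate:
        calls.append(Call("secretsmanager", "rotate_secret", {
            "SecretId": name,
            "RotationLambdaARN": rotation_lambda_arn,
            "RotationRules": {"AutomaticallyAfterDays": 30},  # assumed schedule
        }))
    if f.cross_account:
        # Resource policy on the secret itself; the consuming account still needs an
        # identity policy allowing GetSecretValue on this secret's ARN.
        policy = {
            "Version": "2012-10-17",
            "Statement": [{
                "Effect": "Allow",
                "Principal": {"AWS": [f"arn:aws:iam::{a}:root" for a in consumer_account_ids]},
                "Action": "secretsmanager:GetSecretValue",
                "Resource": "*",  # the policy is attached to this one secret
            }],
        }
        calls.append(Call("secretsmanager", "put_resource_policy",
                          {"SecretId": name, "ResourcePolicy": json.dumps(policy)}))
    return calls


if __name__ == "__main__":
    # Constructed example: a database password that a second account must read.
    f = Facets(secret=True, rotate=True, shared_in_account=False, cross_account=True)
    for c in plan_calls("/app/prod/db-password", "example-only", f,
                        kms_key_id="alias/app-secrets",
                        rotation_lambda_arn="arn:aws:lambda:eu-west-1:123456789012:function:rotate-db",
                        consumer_account_ids=["111122223333"]):
        print(c.service, c.api, json.dumps(c.kwargs, indent=2))
```

Two checks fall out of this that the flowchart alone does not make obvious: a value that is sensitive but "not shared" still never qualifies for the first option, because that option also requires the value to be non-secret; and a cross-account secret is only half configured by the resource policy, since the KMS key policy on the customer-managed key has to admit the consuming accounts as well.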
Hope this helps!