| 28 Apr 2025 |
dbalan | Secrets are in vault or aws depending on the layer and they get populated on first boot in the config | 15:04:57 |
adamcstephens | I wrote a simple module that will pull a secret down with the CLI given an ARN and some permissions. Creates a basic dir in /run to avoid storing them on disk | 22:51:20 |
adamcstephens | API is roughly what you get from agenix | 22:51:47 |
adamcstephens | We do pull one secret during cloud-init, but otherwise try and keep it as simple as possible. Cloud-init's main job is to discover the proper system store path, pull it, and switch to it, and a couple of other imperative things about the system for PS1 and an env file. Our apps also now read their secrets directly on startup, so most secrets never get written outside memory. | 22:53:48 |
Ilan Joselevich (Kranzes) | In reply to @adam:robins.wtf: "I wrote a simple module that will pull a secret down with the CLI given an ARN and some permissions. Creates a basic dir in /run to avoid storing them on disk." Do you have this in a public repo somewhere? | 23:04:17 |