Explore using onetimesecret.com (or a self-hosted version) to pass secrets to user-data

tom commented

2026-01-03 19:48:28 +00:00

Owner

Doing this would allow passing a token that explodes on use - so it would only be available during provisioning.

tc424 commented

2026-01-03 20:49:53 +00:00

Owner

Interesting idea - but that does then make re-provisioning something you can't do in a hurry, because the secrets-would have to be preloaded .. presumably by hand?

tc424 commented

2026-01-03 20:53:46 +00:00

Owner

I suppose one could store a batch of a longer-lived credentials encrypted with one single-use key, to be retrieved this way? Maybe combine with https://github.com/getsops/sops ?

tom commented

2026-01-03 21:45:36 +00:00

Author

Owner

I've not used sops, though it's got a huge readme. This may be good or bad :)

Thinking about it more, perhaps the best way is some kind of bootstrap cred that gives access to whatever. The cred itself could be longer-lived too - it would just be access that's one time. Once the box has built it should in theory already be trusted to get secrets via some other mechanism?

I've not used sops, though it's got a huge readme. This may be good or bad :) Thinking about it more, perhaps the best way is some kind of bootstrap cred that gives access to whatever. The cred _itself_ could be longer-lived too - it would just be access that's one time. Once the box has _built_ it should in theory already be trusted to get secrets via some other mechanism?

tom referenced this issue

2026-01-07 09:55:25 +00:00

Set up Vault (or something like it) #15

Rows
Columns

Explore using onetimesecret.com (or a self-hosted version) to pass secrets to user-data #11