Tony “Abolish ICE” Arcieri  🦀

Master secrets in a tmpfs mount seems...non-ideal

Basically, I've seen enough Rails path traversal bugs to want to shy away from having any secrets accessible via a filesystem

Or, depending on circumstances, an appropriate OS keychain. However all of my endeavors doing this in Linux have ended in folly... nice on macOS w\ Keychain Services thoughhttps://twitter.com/esesci/status/1166567971147452419 …

Is the idea here that it would be less likely for a secret obtained by the application in this way to show up in logs/etc? If the host is compromised, you at least have an audit trail in KMS, but it won't save your bacon from compromise

How would a restricted metadata service work in a container scenario as you only have one IAM role per EC2 instance?

A metadata service proxy. There are a million of 'em. Most of them are confused deputies. That's ok, so is the metadata service.

Also the master secret should ideally be one-time use. Startup, exchange one-time bootstrap token for real credentials. (Eg can do this with Hashicorp Vault or with OAuth auth codes).