Using SOPS and git hooks to share secrets — Part 1
DevOps drives everything into code (including secrets)
DevOps is a doctrine, not a framework. If you ask 10 people what DevOps is, you will get 10 different answers. But among those answers, automation and infrastructure as code will almost always appear. Thanks to the tools available, we can now hand those infrastructure configs and manual deployment commands off to the computer and share them with everyone. However, what should we do with our secrets, like access keys and passwords? Should we share them with our team? Where should we put them?
Scenario: Sharing deployment config
Let’s say I am developing a serverless application using AWS SAM. I have created the following Makefile so that I can deploy the app with one simple make command.
# Recipe lines in a Makefile must be indented with a tab, not spaces.
# BUCKET_NAME and STACK_NAME come from the environment (see the .env file below).
deploy:
	sam build
	sam package --output-template packaged.yaml --s3-bucket $(BUCKET_NAME)
	sam deploy --template-file packaged.yaml --stack-name $(STACK_NAME) --capabilities CAPABILITY_IAM
I also created a .env file to store the S3 bucket name and the CloudFormation stack name:
export BUCKET_NAME=my-dummy-bucket
export STACK_NAME=dummy-stack
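Before a .env file like the one above is shared or committed, it is worth checking that it holds only deployment configuration and not credentials. The following shell script is an added example (not code from the original article) of such a check: it verifies that the variables the Makefile needs are present and rejects the file if any line looks like a plaintext secret. The variable-name patterns it treats as secrets, and the two sample .env files it creates, are assumptions constructed for the example.

```shell
#!/bin/sh
# Added example, not part of the original article.
# Checks a ".env" file of "export KEY=VALUE" lines: the deployment settings the
# Makefile needs must be present, and no line may assign a credential in plaintext.

# Variables the deploy recipe needs (assumed for this example).
REQUIRED_VARS="BUCKET_NAME STACK_NAME"

# Return 0 (true) if the file assigns a variable whose name suggests a credential.
# The name patterns are an assumption; extend them to fit your own conventions.
env_has_plaintext_secret() {
    grep -Eiq '^export +[A-Z0-9_]*(SECRET|PASSWORD|TOKEN|ACCESS_KEY|PRIVATE_KEY)[A-Z0-9_]*=' "$1"
}

# Return 0 (true) only when every required variable is assigned in the file.
env_has_required_vars() {
    for v in $REQUIRED_VARS; do
        grep -Eq "^export +$v=" "$1" || return 1
    done
    return 0
}

# Overall verdict: 0 = safe to share, 1 = missing settings or a secret was found.
check_env_file() {
    if ! env_has_required_vars "$1"; then
        echo "$1: missing one of: $REQUIRED_VARS" >&2
        return 1
    fi
    if env_has_plaintext_secret "$1"; then
        echo "$1: contains a plaintext credential; do not share it unencrypted" >&2
        return 1
    fi
    return 0
}

# Constructed sample files (not the article's files) to exercise the check.
tmpdir=$(mktemp -d)
trap 'rm -rf "$tmpdir"' EXIT
GOOD_ENV="$tmpdir/good.env"
BAD_ENV="$tmpdir/bad.env"
printf 'export BUCKET_NAME=my-dummy-bucket\nexport STACK_NAME=dummy-stack\n' > "$GOOD_ENV"
printf 'export BUCKET_NAME=my-dummy-bucket\nexport STACK_NAME=dummy-stack\nexport AWS_SECRET_ACCESS_KEY=not-a-real-secret\n' > "$BAD_ENV"

check_env_file "$GOOD_ENV" && echo "good.env: ok to share"
check_env_file "$BAD_ENV" || echo "bad.env: rejected"
```

Run as a pre-commit hook (or a `make` prerequisite) so the check happens before the file leaves your machine; the plain deploy settings pass, while a file that has picked up an access key is refused.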
In order to let my teammate (or tomorrow’s me) know which bucket and which CloudFormation stack I am using, I have to save .env somewhere. Although it is not top-secret, I don’t want people outside my team to know which S3 bucket I am…