I have a question regarding secrets management on Fly. I’ve read the docs and searched the forum, and it looks like flyctl does not allow reading secret values, partially by design and partially to improve security.
I have two questions there:
I’m not really sure I understand the security argument for it. For example, it’s still possible to print the secrets by running `flyctl ssh console -C 'env'`. The only problem there is that Fly vars like `FLY_APP_NAME` are mixed with the secrets explicitly set by users. That’s not a problem at all in case someone wants to steal the secrets; otherwise it’s really simple to join this with the output of `flyctl secret list` to get the vars. On the other hand, the fact that secrets are not easy to read forces developers to create local `.env` files with the same secrets, which represents a security issue on its own, joined by the fact that sometimes it’s really handy to be able to read the secrets anyway, e.g. in case of troubleshooting. From my understanding there might be some part missing in the solution that would make secrets management easier, like AWS Secrets Manager or similar. What’s the Fly stance on this?
The second question is related. It’s often really useful to write one-off scripts to perform certain tasks - update the data, send a one-off email, etc. There is little point in deploying them on Fly since they’re not used by the running app. If using the secrets from Fly locally is discouraged, what would be your recommendation on how to perform these tasks?
Thanks in advance for the answers!