Overcoming the Bootstrap Problem in Secrets Management with Keyless Authentication

gcp header

We all know that secrets management shouldn’t be overlooked as it’s a fundamental part of security and shouldn’t be treated as an afterthought.

If you’re on a mission to find the best secrets management solution, great! You’re one step closer to improving your security maturity level. And if you’ve already implemented a secrets management solution in your infrastructure, you might still wonder how to manage the tool’s key securely. “Do I need another tool to keep my secrets management secrets?” And “How do I load my secrets from my secrets management tool without sprawling them somewhere?”

This sounds like a bootstrap problem and we hear this a lot from developers. Here at SecretHub, we, too, recognize this issue and the pain that DevOps teams face. We understand that managing secrets and password management should be simple. And It shouldn’t slow down your delivery time! Ideally, we want to securely load our secrets from a secrets management tool and connect it to our cloud platform without any frictions and headaches.

So the real question is: is it possible to eliminate that last key, the one to access your tool? The answer is yes, it is. In this blog, we introduce the nature of SecretHub as a secrets management tool, its features and how to eliminate the last secrets on AWS and GCP IdP.

What is SecretHub?

SecretHub is a secrets management tool that helps developers to deliver code faster and safer. We understand the need for businesses to move fast but also secure. Unlike other secrets management tools, SecretHub is deliberately designed to be end-to-end encrypted so that companies don’t have to host it by themselves. This speeds up the time of implementation and increases developers’ productivity at the same time.

In practice, SecretHub provisions secrets automatically to the right application on any cloud with a secure and reproducible deployment process. Having integrated with more than 25 tools and platforms such as AWS and GCP, SecretHub provides a simple solution to manage secrets across platforms without friction. What’s more, all client-side code is open source, which means you can audit all the code yourself. It’s also it’s easy to use, so no crypto wizard needed to run the program! Check out the Get Started Guide for more information on how to use SecretHub.

Keyless Features

Isn’t it every developer’s dream not to worry about managing secrets? It’s great to get secrets automatically injected into the apps that need them, but what if we can go one step further and remove the entire pre-previsioning step? What if you can access your app without a password and enable it to automatically retrieve its secrets? A real keyless experience!

If you’ve already integrated with AWS or GCP, you’re familiar with their platform’s identity systems: IAM or IAM Cloud. Both tools have their own solution that works as a service which gives an app a passport that can be used to prove who they are. As a result, your app can use the IAM role or IAM Cloud on the fly which gives you privileges for not carrying credentials like the conventional authentication. These services are called Security Token Service (STS) and Metadata Server, respectively. However, these solutions only work within the platform’s environment and not across different platforms.


Inspired by this phenomenon, we challenged ourselves to break this problem and find the way towards a borderless secrets management feature.

Introducing SecretHub’s AWS and GCP Identity Provider Extension

We found out that the STS and Metadata Server are not limited to their native environment, which makes it possible to extend these privileges to SecretHub server. Just create a SecretHub account and sign a GetCallerIdentity request! So instead of sending directly to the AWS or GCP API, we’re proxying it to the SecretHub first.

In the process, we found that we needed AWS’ KMS or GCP’s Cloud KMS to encrypt and decrypt data, because authenticating alone is not enough to load secrets. We needed to integrate the AWS and GCP’s key management services with SecretHub first, and guess what? We’ve done it for you!

Before, you had to manually input the secret for their SecretHub app and find a way to transfer it to their app. With this integration, our servers will only have to verify whether your app is really yours by asking for a confirmation from AWS or GCP. Once it’s confirmed, our system will also verify it.

Then, we take the identity that the app has confirmed and extending it outside the platform ecosystem. Your app can fetch and decrypt secrets automatically by using your KMS or Cloud KMS as a passport.

You can now transfer secrets freely across platforms without any hassle nor frictions. No more headaches and concerns about sprawling secrets. And most importantly, everything is done securely. And isn’t that what every developer needs?!

How to make your App Keyless with SecretHub

This section explains how to use this magical thing we’ve created.

If you haven’t download SecretHub, don’t hesitate to get started and use our service for free.

When you’re ready, the next step is to create a service account for your app.

What is a service account?

It’s a SecretHub’s service that allows applications to access secrets without human intervention. It’s a non-human account that’s tied to a repository and can be granted access rights to directories within a repository. You can use the init command to create a new service account for your application. Check out these pages below to learn how to create the service account in each tool:

authentication on GCP
The way secrets are loaded into your app on GCP

Tell your app that the Service Account is now running on AWS and/or GCP.

After creating your new service account on the platform you chose, you have to tell your app where the service account is activated to make the keyless experience happen. For GCP, follow the instructions on the docs page of our GCP Identity Provider. For AWS users, you can check out these documentation pages to run it on you preferred service:

All set? Why not tell us your experiences! Contact us wherever you wish.

Why SecretHub?

Secrets management is a part security that should be taken care of carefully. When done poorly, it can impact your team’s productivity and add lots of time and cost while your team should be focussing on more substantial matters.

If this blog hasn’t convinced you yet, maybe these final words will. With our frictionless tool, you can manage secrets securely and efficiently, allowing your team to be significantly more productive in delivering new software.

Automate software delivery, without exposing secrets. The keyless experience that every developer needs. Check out our pages about our products and integrations for more information and get started with SecretHub now. If you have any questions and need a 1-on-1 consultation with our Engineer, contact us on Discord or book a free consultation here.