this post was submitted on 24 Mar 2025
11 points (100.0% liked)

Cybersecurity

I learned of the existence of steampipe recently, which seems to be an interesting tool to help teams - including cybersecurity teams - understand their cloud assets and ensure compliance with security policies.

I started playing around with it, and one thing that struck me immediately is the need to store API credentials for the various plugins in plaintext in JSON files in your user profile. This struck me as incredibly insecure, especially given that the default UNIX permissions on the files seem to be 644.

Does anyone know if there is a way to store and dynamically retrieve these API credentials more securely, such as in a remote key store like AWS Secrets Manager or Azure Key Vault? I spent a while searching and watching some YouTube videos, but didn't come across a method to do this.
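A quick way to measure the exposure the post describes (plugin configs readable by other local users, and literal credentials inside them) is a small audit script. This is an added example written for this thread, not code from the Steampipe project; the default config location `~/.steampipe/config` and the credential-looking key names are assumptions, and the key-name match is a heuristic, so review its findings rather than trusting them blindly.

```python
"""Audit a Steampipe-style config directory for loose permissions and
plaintext credential values, optionally tightening modes to 0600/0700.
Added example (not Steampipe's own code); paths and key names are assumed."""
import re
import stat
import tempfile
from pathlib import Path

# Heuristic: a key whose name contains one of these words, assigned a
# non-empty literal value, in either HCL (`key = "v"`) or JSON (`"key": "v"`).
SECRET_KEY_RE = re.compile(
    r'^\s*"?([A-Za-z_]*(?:secret|token|password|api_key|access_key)[A-Za-z_]*)"?'
    r'\s*[:=]\s*"?([^"\s,]+)',
    re.IGNORECASE,
)


def world_or_group_readable(path: Path) -> bool:
    """True if the group or others can read the file (e.g. mode 0644)."""
    mode = stat.S_IMODE(path.stat().st_mode)
    return bool(mode & (stat.S_IRGRP | stat.S_IROTH))


def find_plaintext_secrets(path: Path) -> list:
    """Return (line number, key name) for every credential-looking literal."""
    hits = []
    for lineno, line in enumerate(path.read_text(errors="replace").splitlines(), 1):
        match = SECRET_KEY_RE.match(line)
        if match:
            hits.append((lineno, match.group(1)))
    return hits


def audit(config_dir: Path = None, fix: bool = False) -> dict:
    """Walk the config dir; report loose files and plaintext secrets.
    With fix=True, chmod files to 0600 and the directory to 0700."""
    if config_dir is None:
        # Assumed default location of Steampipe connection configs.
        config_dir = Path.home() / ".steampipe" / "config"
    findings = {"loose_perms": [], "plaintext": []}
    if not config_dir.is_dir():
        return findings
    for f in sorted(config_dir.rglob("*")):
        if not f.is_file():
            continue
        if world_or_group_readable(f):
            findings["loose_perms"].append(str(f))
            if fix:
                f.chmod(0o600)
        for lineno, key in find_plaintext_secrets(f):
            findings["plaintext"].append((str(f), lineno, key))
    if fix:
        config_dir.chmod(0o700)
    return findings


def demo() -> dict:
    """Constructed sample: one 0644 file holding a literal secret.
    Returns the findings before and after tightening permissions."""
    tmp = Path(tempfile.mkdtemp())
    cfg = tmp / "aws.spc"
    cfg.write_text(
        'connection "aws" {\n'
        '  plugin     = "aws"\n'
        '  secret_key = "constructed-example-secret"\n'
        '}\n'
    )
    cfg.chmod(0o644)
    before = audit(tmp)
    audit(tmp, fix=True)
    return {"before": before, "after_fix": audit(tmp)}


if __name__ == "__main__":
    for stage, result in demo().items():
        print(stage, result)
```

Tightening the mode only addresses the other-local-users problem; the plaintext finding is still reported after the fix, which is the point of the post: the value still lives on disk and needs a different mechanism (a secret store plus runtime injection) to go away.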

top 9 comments
[–] rcbrk@lemmy.ml 4 points 14 hours ago (1 children)
[–] _synack@sh.itjust.works 5 points 13 hours ago* (last edited 13 hours ago)

I’ve heard this related to Gaussian blur and it’s obviously possible with pixelation that uses a large number of smaller pixels, but I would honestly love to see someone demonstrate reversal of the pixelation I used here.

In any case the pixelated credentials were for limited, read only access for testing and the API client was already deleted before I posted the image.

I appreciate the concern and feedback in any case.

[–] ramius345@sh.itjust.works 3 points 15 hours ago* (last edited 15 hours ago) (1 children)

My team heavily uses this: https://www.hashicorp.com/en/products/vault

It uses aged tokens to give access to secrets.

The docker container is easy enough to set up https://hub.docker.com/r/hashicorp/vault

[–] mutual_ayed@sh.itjust.works 3 points 10 hours ago* (last edited 10 hours ago)

OpenBao is also an option. It is copy left and has no licensing fees.

https://openbao.org/

[–] Devnullit@lemmy.dbzer0.com 4 points 21 hours ago* (last edited 21 hours ago) (1 children)

Depends on the plugin used, but you can tool it up to use env variables or whatever the plugin supports. You can also change perms locally, or host it in service mode with no direct access other than a Postgres connection; it's Postgres under the hood, so you can add roles etc. if you want. I use a wrapper to generate configs/envs on startup, pulling from SSM parameters or secrets on AWS.

[–] _synack@sh.itjust.works 2 points 15 hours ago* (last edited 15 hours ago) (1 children)

It seems you have a lot of experience with the tool. Can you recommend any resources that teach more advanced use cases and configurations? I'm finding that just reading the docs, playing with it, and watching the YouTube videos I found aren't really doing it for me. Most of the materials I'm finding are about AWS, but that's not relevant to me.

[–] Devnullit@lemmy.dbzer0.com 2 points 14 hours ago* (last edited 14 hours ago) (1 children)

Sorry, I don't. I learned by using. It's like any other tool: play with it, and look at the code and docs. What's your use case? From the sound of it, it's more a config management issue than a Steampipe issue. I can try and help. Also, they are active on Slack and respond to bugs pretty quickly in my experience.

[–] _synack@sh.itjust.works 2 points 14 hours ago* (last edited 13 hours ago) (1 children)

I saw someone mention it as an alternative to using Orca or Wiz for compliance use cases. I just wanted to check it out. I was attempting to run it locally rather than as a service with configuration via pipeline.

[–] Devnullit@lemmy.dbzer0.com 2 points 5 hours ago* (last edited 3 hours ago)

Yea, it's a good complement to those tools too, but for plain compliance mods, use Flowpipe. Steampipe is more of a realtime view of resources, where Wiz and Orca are more scanners with state. You can kind of mimic it with Steampipe, but it's a lot of extra work. Credential handling is entirely dependent on the plugin being used. So use a wrapper to pull whatever info from your secrets store (Vault, sops, etc.) and inject it in your local env/configs.
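The wrapper approach Devnullit describes in both replies (fetch credentials from a secrets store at startup and inject them into the environment, never into a config file) written out as an added example for this thread; it is not code from Steampipe, HashiCorp Vault or AWS. Assumptions: the plugin reads the environment variables listed in `SECRET_MAP` (the AWS SDK variables used here do behave that way); the Vault mount and path, the AWS parameter names and the `path#field` reference syntax are conventions made up for this example; the in-memory backend exists only so the example runs offline.

```python
"""Launch Steampipe with plugin credentials resolved from a secret store at
startup and passed only through the child process environment.
Added example; Vault/AWS paths and env var mapping are assumptions."""
import json
import os
import subprocess
import sys
import urllib.request
from typing import Callable, Dict

# Env var the plugin reads -> reference into the secret store ("path#field").
# Constructed for this example; adapt to the plugin you actually use.
SECRET_MAP = {
    "AWS_ACCESS_KEY_ID": "steampipe/readonly#access_key_id",
    "AWS_SECRET_ACCESS_KEY": "steampipe/readonly#secret_access_key",
}


def parse_ref(ref: str):
    """Split 'path#field' into (path, field); reject malformed references."""
    path, _, field = ref.partition("#")
    if not path or not field:
        raise ValueError(f"secret reference must be path#field: {ref!r}")
    return path, field


def vault_kv2_fetch(addr: str, token: str, mount: str = "secret") -> Callable[[str], str]:
    """Fetcher for Vault KV v2: GET /v1/<mount>/data/<path> with X-Vault-Token.
    The token should be short-lived (e.g. from an AppRole login), matching the
    'aged tokens' model mentioned in the thread. Not exercised offline."""
    def fetch(ref: str) -> str:
        path, field = parse_ref(ref)
        req = urllib.request.Request(
            f"{addr.rstrip('/')}/v1/{mount}/data/{path}",
            headers={"X-Vault-Token": token},
        )
        with urllib.request.urlopen(req, timeout=5) as resp:
            body = json.load(resp)
        return body["data"]["data"][field]
    return fetch


def ssm_fetch() -> Callable[[str], str]:
    """Fetcher for AWS SSM Parameter Store via boto3 (imported lazily so the
    example runs without it). The 'path' part is the parameter name;
    the field part is ignored. Not exercised offline."""
    import boto3  # assumption: boto3 installed and AWS credentials available
    client = boto3.client("ssm")

    def fetch(ref: str) -> str:
        name, _ = parse_ref(ref)
        return client.get_parameter(Name=name, WithDecryption=True)["Parameter"]["Value"]
    return fetch


def dict_fetch(store: Dict[str, Dict[str, str]]) -> Callable[[str], str]:
    """In-memory stand-in for a secret store, used only to run this offline."""
    def fetch(ref: str) -> str:
        path, field = parse_ref(ref)
        return store[path][field]
    return fetch


def build_env(fetch: Callable[[str], str], secret_map: Dict[str, str] = None) -> Dict[str, str]:
    """Resolve every mapped secret; fail closed if any value is missing or empty."""
    resolved = {}
    for var, ref in (secret_map or SECRET_MAP).items():
        value = fetch(ref)
        if not value:
            raise RuntimeError(f"empty secret for {var} ({ref})")
        resolved[var] = value
    return resolved


def run_steampipe(args, fetch: Callable[[str], str], base_env: Dict[str, str] = None) -> int:
    """Spawn steampipe with the secrets present only in the child's environment."""
    env = dict(os.environ if base_env is None else base_env)
    env.update(build_env(fetch))
    return subprocess.call(["steampipe", *args], env=env)


if __name__ == "__main__":
    # Usage: VAULT_ADDR=... VAULT_TOKEN=... python wrapper.py query "select 1"
    fetcher = vault_kv2_fetch(os.environ["VAULT_ADDR"], os.environ["VAULT_TOKEN"])
    raise SystemExit(run_steampipe(sys.argv[1:], fetcher))
```

Because the secrets exist only in the wrapper's memory and the child's environment, there is nothing under the user profile to chmod, and rotating the credential means rotating it in the store rather than editing files on every workstation. The one place they remain visible is the process environment of the running steampipe process, which is readable by the same user (and root), so this moves the exposure from disk to runtime rather than eliminating it.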