TLS certificates
- You get both strong transport security and authentication
- Mutual authentication can be implemented
- A single service identity reduces the number of application secrets; asymmetric security, no shared secrets
- Application code need not even be aware of TLS, but the risk of misconfiguration exists
- Certificate hierarchies as an additional layer of defence
… from Downstream Microservices
- End-user types and roles are easier to change
- Downstream Microservices deal with entity-level AuthZ and are agnostic to end-user types and roles
- Downstream Microservices deal only with trust between services, using TLS client certificates
- Downstream Microservices are more context-agnostic and reusable
"… app has all config correctly factored out of the code is whether the codebase could be made open source at any moment, without compromising any credentials." https://12factor.net/config
conf//application.yml:8: AWS_ACCESS_KEY_ID: 'FR4EFR3Y76R2HE4H'
conf//application.yml:9: AWS_SECRET_KEY: 'wcwdc9wd8w8qqDDqq0
[ERROR] Matched one or more prohibited patterns
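The report above is the kind of output a pre-commit or CI secret scanner produces when a credential literal is checked into a config file instead of being injected from the environment. The following is an added example of such a scanner, not the tool the slides were produced with: it walks a constructed YAML snippet line by line, flags values that look like AWS key literals (the rule names, regexes and the sample key values are all made up for this illustration), masks the matched value in the report so the scanner itself does not leak the secret into CI logs, and leaves environment references such as `${AWS_SECRET_KEY}` untouched, which is the 12-factor way of keeping the codebase open-sourceable.

```python
import re
from typing import List, Tuple

# Constructed sample config file contents (not from any real project).
# Lines 5 and 6 embed literals; lines 8 and 10 reference environment variables instead.
SAMPLE_CONFIG = """\
server:
  port: 8080
aws:
  region: eu-west-1
  AWS_ACCESS_KEY_ID: 'AKIAEXAMPLEKEY000001'
  AWS_SECRET_KEY: 'wJalrEXAMPLEsecretKEYvalue000000000000xx'
storage:
  AWS_SECRET_KEY: ${AWS_SECRET_KEY}
database:
  url: ${DATABASE_URL}
"""

# Hypothetical prohibited patterns. The last capturing group (when present) is the
# secret value; it is what the report masks.
PROHIBITED_PATTERNS = [
    ("aws-access-key-id-literal",
     re.compile(r"AWS_ACCESS_KEY_ID\s*[:=]\s*['\"]?([A-Z0-9]{16,})")),
    ("aws-secret-key-literal",
     re.compile(r"AWS_SECRET(_ACCESS)?_KEY\s*[:=]\s*['\"]?([A-Za-z0-9/+=]{16,})")),
    # Access key IDs are 20 characters and start with AKIA, wherever they appear.
    ("aws-akia-token",
     re.compile(r"\bAKIA[0-9A-Z]{16}\b")),
]

Finding = Tuple[str, int, str, str]  # (path, line number, rule name, masked line)


def _mask(line: str, match: "re.Match") -> str:
    """Replace the matched secret with its first four characters plus asterisks."""
    secret = match.group(match.lastindex) if match.lastindex else match.group(0)
    return line.replace(secret, secret[:4] + "****")


def scan_config(text: str, path: str = "conf/application.yml") -> List[Finding]:
    """Return one finding per (line, rule) hit. Environment references never match,
    because the value regexes require a literal token right after the key."""
    findings: List[Finding] = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for rule_name, pattern in PROHIBITED_PATTERNS:
            match = pattern.search(line)
            if match:
                findings.append((path, lineno, rule_name, _mask(line.strip(), match)))
    return findings


def format_report(findings: List[Finding]) -> str:
    """Render findings in the path:line: style of the output quoted on the slide."""
    lines = [f"{path}:{lineno}: [{rule}] {masked}" for path, lineno, rule, masked in findings]
    if findings:
        lines.append("[ERROR] Matched one or more prohibited patterns")
    return "\n".join(lines)


def check_passes(text: str) -> bool:
    """True when the config contains no prohibited literals (usable as a commit gate)."""
    return not scan_config(text)


if __name__ == "__main__":
    print(format_report(scan_config(SAMPLE_CONFIG)))
```

Run as a pre-commit hook, a non-empty finding list should fail the commit; the masked report can be printed freely because the literal never reaches the log.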
- https://docs.docker.com/engine/swarm/secrets/
- Kubernetes Secrets https://kubernetes.io/docs/user-guide/secrets/
- DC/OS Secrets https://docs.mesosphere.com/1.8/administration/secrets/
- Many more https://github.com/sweis/crypto-might-not-suck