I learned of the existence of steampipe recently, which seems to be an interesting tool to help teams - including cybersecurity teams - understand their cloud assets and ensure compliance with security policies.
I started playing around with it, and one thing that struck me immediately is the need to store API credentials for the various plugins in plaintext in JSON files in your user profile. This struck me as incredibly insecure, especially given that the default UNIX permissions on the files seem to be 644.
Does anyone know if there is a way to store and dynamically retrieve these API credentials more securely, such as in a remote key store like AWS Secrets Manager or Azure Key Vault? I spent awhile searching and watching some YouTube videos, but didn’t come across a method to do this.
Depends on the plugin used, but you can tool it up to use env variables or whatever the plugin supports, you can also change perms locally or host it in service mode with no direct access other than a postgres connection, it’s postgres under the hood so you can add roles etc if you want. I use a wrapper to generate configs/envs on startup pulling from ssm parameters or secrets on Aws
