Skip to main content

Storing Credentials for Cloud Services

Your webservers usually have to connect to various services, like your database and cache servers. To do this, they will usually need to have credentials on hand to authenticate themselves. How should you store these?

Best practices

The Need to Know (Least-Access Privilege)

When it comes to storing credentials on the webserver itself: you should ideally never do this, but for one or two services it can be unavoidable. For example, you might store credentials in a cache server, but your webserver can't access that cache server without the credentials to do so - so it would need one set of credentials physically present on the server itself.

Outside of that, you should avoid storing credentials physically on servers, and make absolutely sure it is never within the DocumentRoot of Apache or similar, even if you are using htaccess files to restrict access. Never keep sensitive files in the document root, and make sure the permissions of those files are as restrictive as they can be whilst allowing the webserver to access them.

Use a dedicated credentials manager

 

Back to top