Show HN: Garnet – a developer-friendly, open-source secrets manager
usegarnet.com
Do you have a comparison of this to open source vault? The biggest issue with secret managers isn’t storage, though; it’s authenticating clients. Does this support auth via IAM, k8s, okta, ldap, sso providers?
Very valid point - the main problem to solve here isn't storage and encryption. We think the clouds do a great job for that, hence our self-hosted approach.
It’s important to note that the goal here is not to replace Vault. Vault pioneered a lot of best practices in this space, which we build on top of. The gap we want to fill is of complexity and developer-experience, while playing well with existing tools, as stated.
Re: identity – it’s on our immediate roadmap to integrate with identity providers (similar to Vault). We offer a similar model of pluggable secrets backends inspired by Vault (currently supporting DB’s such as Postgres and Mongo). If you want to use your existing SSO provider, our private enterprise beta comes with WorkOS integration. Please reach out at support@usegarnet.com if you’re interested, and we’d love to talk more about your specific needs!
I don't think it's a good idea to take on Vault's complexity. One of the value props I see here is the simplicity of using 'garnet run <scope> -- <executable>' which is something you don't get in Vault unless you write a wrapper (although envconsul provides a similar abstraction: https://github.com/hashicorp/envconsul).
This post is full of bots. All the original posts are by accounts that are new and the comments are very shallow.
These are not fake accounts, but actual developers in our community who have been using Garnet. While a couple of these accounts could be newly created (as not everyone has a HN account, and we announced the launch in our community forum), all comments are actual, and anyone is free to share their opinion on the project (negative or positive). We’d really appreciate if you don’t sabotage the post by responding on every comment, but would love to hear your actual feedback.
No need to double post; please answer in the other thread.
I've been using this product for a month now, in production for my startup. It's been helpful with my secrets but my favorite use case is using it instead for endpoint storage for service discovery across my dev, staging, and prod phases. I really like the flag-based approach to jump easily between dev, staging, and prod without any code changes. Also works nicely with my PaaS (Zeet), and the Garnet team has been impressively responsive with integration guides and feature requests. It's worth checking out.
Managing secrets is critical in this day and age for individuals and organizations of all kinds and sizes. Many developers currently find it painful to manage their app configurations and secrets, and this pain grows with stack complexity and team size. This makes building and deploying manual, time-consuming and insecure.
Today there are great solutions in this space, however, from our personal experience as developers, we have felt that existing solutions are either:
1) Too complex to set up and operate for the everyday developer
2) Tied to cloud-providers and don’t work well cross-platform
3) Pure SaaS solutions don’t play well with trust and reliability
Because of this, engineers end up writing custom wrappers around existing tools to solve developer experience and integrations with their stack.
Garnet is a developer-focused, open-source secrets manager which can be easily self-hosted on your own infrastructure. We aim to provide a single source of truth for configs and secrets across your tools, apps, environments and teams while delivering a great developer-experience through features like rich audit logs and versioning, granular access controls, notifications and native integrations with existing secrets and config management systems.
Garnet wants to solve this problem from a developer-first point of view, and we want to work with the community to elevate configurations as a first-class citizen in a developer’s workflow.
We’re actively looking for feedback and contributions! Please star and check out our GitHub repo to read more on what we’re building: https://github.com/garnet-labs/garnet-oss
Hello, can you please stop creating fake accounts with the purpose of boosting your post here? This is otherwise something interesting, but I'm immediately turned off from ever even looking at it if this is how you try and promote your product.
It is plausible that some of these new accounts were made in response to this post, but I don't think it's fair to blame the project's developers for it as it isn't necessarily in their control. It seems like they are seeking feedback from the community and there doesn't seem to be a commercial plug here.
These are not fake accounts, but actual developers in our community who have been using Garnet. While a couple of these accounts could be newly created (as not everyone has a HN account, and we announced the launch in our community forum), all comments are actual, and anyone is free to share their opinion on the project (negative or positive). We’d really appreciate if you don’t sabotage the post by responding on every comment, but would love to hear your actual feedback.
> These are not fake accounts, but actual developers in our community who have been using Garnet. While a couple of these accounts could be newly created ...
This is heavily discouraged here, and most of the time it will make old users angry and flag your post. I'd recommend that only 2 or 3 of the main developers are active in the thread. (Or perhaps a power user that is good at replying instead of a developer.) There are no hard rules about this, but too many new users is a bad idea.
> all comments are actual
But some of the comments are too optimistic and look like shills, which makes old users unhappy and flag the post. I'd recommend to write only one top level comment explaining that you are the developers, and some backstory, and then only reply to questions from old users.
It's very important to reply to technical questions, with clear and technical answers. It buys a lot of good will of old users. (Avoid adjectives like "awesome"; no one used "awesome" yet, but some comments are too optimistic for the dry style of HN).
> and anyone is free to share their opinion on the project
And everyone is free to complain and flag. It's not a good idea to break the explicit or implicit rules of the site. I think bogota first made a few technical questions. It's a good sign that some old user cares enough about your post to ask a technical question.
The questions are unanswered yet. It's not mandatory to reply to every single question (some questions are bad, sometimes they are repetitive, but not in this case). Anyway, I'd recommend to answer most of them.
Try to send an email to the mods and ask how to post again and any additional recommendation.
I did post comments to actually ask what people like about it and why they use this over vault. No one has actually posted anything of substance, so please don’t pretend like I am sabotaging you by asking valid questions.
Please see the response on your other comment regarding the Vault comparison.
Creative concept in the domain of DevOps is found at Garnet. I have easily configured my API. The experts deeply explained things really well. Being provided the things on single sign-on has reduced the developer efforts. Multiple instance creation for single user is much appreciated. Moreover, I would recommend that all developers must taste the flavor of Garnet.
I have been working with azure key vault for the past year and have definitely felt the need for a secrets manager that's more developer focused and easy to use. Most secret managers out there are tied to cloud service providers and do not take a holistic view of the problem. Glad to see the focus is shifting towards a more generalistic solution
This account was made 6 minutes ago.
Hi Bogota,
Yes, I created my account 6 mins ago but I am not exactly sure why this is so concerning. I have been part of the beta testers for Garnet and am currently an experienced infrastructure engineer with experience in both Azure and AWS. I created my account to provide insights on this post as I have already used the product.
It normally wouldn’t matter, but in combination with all the other newly created accounts and comments of no substance, suddenly your account age comes into question.
That’s great you have experience in AWS and Azure; I do as well, but I don’t see how this product facilitates auth in those environments outside of being able to deploy it there.
I will simply converse on substance henceforth.
I believe their current focus is on injecting secrets into apps through the CLI, and they’re not natively syncing with cloud provider APIs as of yet.
Integration with identity providers is definitely a feature that would be required for adoption in the enterprise. It seems like that is on their roadmap, and their closed enterprise beta comes with WorkOS integration.
Cool. I’ve been using AWS secrets manager for a while now, and though it serves as a great store for secrets, the developer experience hasn’t been great for our team due to which we’ve resorted to writing an in-house wrapper around it. A simple-to-use, self-hosted solution makes a ton of sense -- excited to give it a spin!
Gamechanger
This is such a great idea. Looking forward to testing it out myself.
Being an open-source manager, this provides the perfect, user-friendly solution to many developer woes.
How does being open source make this user friendly? Vault is open source as well and has a lot more features and documentation.
I believe the goal here isn't to replace Vault, but offer a developer focused solution for environment variable management. While Vault can be used to store env variables, it's more geared towards managing infra secrets for the ops/sre persona.
I've run into these exact pains in managing secrets with my team and am very happy that Garnet provides an easy and appealing solution. Their repo is very well put-together and definitely sets a standard for excellent organization and documentation
What is it providing a solution to? What problem did you have with existing solutions that this solves?
I was reluctant to use Garnet as I always had a traditional approach with managing secrets. It wasn't until I accidentally deleted my sensitive and critical data that I started to look out for a better way of doing things. That's where Garnet came in. Very easy to install and get started using its features. Definitely recommended for everyone before it's too late and you have to spend a couple of days trying to re-register your keys and stuff.
How does this work in production environments like k8s or aws?
I've been using Garnet with my k8s setup. They don't have native kube api integration and I suggest developing a controller. But right now you can use the CLI to append any commands or scripts in your docker containers to supply them env variables at build or run time.
E.g. in a Dockerfile … RUN garnet run --service-key=$GARNET_SERVICE_KEY -- npm start
If this container is running on k8s, you can supply $GARNET_SERVICE_KEY as a k8s secret mounted on the pod
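An added example, not part of the thread and not Garnet's own documentation: a Kubernetes manifest for the run-time variant described in the comment above, with the service key held in a Secret and injected as an environment variable when the container starts, so the key is not needed at image build time. The Secret name, Deployment name, image and key value are placeholders; the `garnet run --service-key=... -- npm start` invocation is taken from the comment and assumed to behave as described there.

```yaml
# Constructed example: all names and the image reference are placeholders.
apiVersion: v1
kind: Secret
metadata:
  name: garnet-service-key
type: Opaque
stringData:
  # Placeholder value; create the real Secret out of band and keep it out of git.
  service-key: REPLACE_WITH_SERVICE_KEY
---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: web
spec:
  replicas: 1
  selector:
    matchLabels:
      app: web
  template:
    metadata:
      labels:
        app: web
    spec:
      containers:
        - name: web
          # Assumed to contain both the garnet CLI and the application.
          image: registry.example.com/web:1.0.0
          env:
            - name: GARNET_SERVICE_KEY
              valueFrom:
                secretKeyRef:
                  name: garnet-service-key
                  key: service-key
          # Run-time form of the Dockerfile line quoted in the comment.
          # Kubernetes expands $(VAR) in command/args from the container env;
          # no shell is involved, so "$GARNET_SERVICE_KEY" would not expand here.
          command: ["garnet"]
          args: ["run", "--service-key=$(GARNET_SERVICE_KEY)", "--", "npm", "start"]
```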