To be clear, the credentials I was referring to (that we use the command-line tool to put in project-level config files) are passwords for project-level things like:
- API keys for infrastructure providers (e.g. AWS)
- API keys for third-party services (e.g. Mixpanel, Email sending services, etc.)
- Semi-private configuration values like Webhook URLs
- Shared configuration values (e.g. feature flags stored as environment variables)

There are also many credentials we store that are not project-level, which we also use LastPass / 1Password to share amongst the leadership of the organization. These are things like:
- Twitter login
- Root login for things with individualized access (e.g. Mailchimp, our Brigade’s WordPress)

Ideally, a password storage solution can support both workflows. Even though they are different workflows, standardizing on a single password storage method within a Brigade keeps things simpler.

Finally, on the topic of 1Password: they gave us (OpenOakland leadership) the impression they would renew our 100% nonprofit discount indefinitely, but it turns out that there was a misunderstanding there. When it came time to renew, they offered us only a 50% discount. It’s still a tool we’ll use, but we’re somewhat limited now that we’re paying $2/user/month for it.