在Unity管理凭证

As part of our Secure Software Development Life Cycle (SSDLC) at Unity, we’d like to share our credential management strategy. Managing tokens, keys, and credentials in code, otherwise known as secrets, can be a daunting process. By sharing these details, we hope others will benefit and learn from our journey.

作为Unity的安全软件开发生命周期(SSDLC)的一部分 ，我们希望分享我们的凭证管理策略。 在代码中管理令牌，密钥和凭证(也称为机密)可能是一个艰巨的过程。 通过分享这些细节，我们希望其他人将从我们的旅途中受益并学习。

A couple of years ago, the Unity Security team, along with our partners in the infrastructure teams, set their sights on tackling the problem of managing credentials. In a large, diverse environment such as Unity, projects can be written in one of many programming languages, developed in several different environments, and deployed through a number of continuous integration toolchains. This makes managing credentials an even more challenging task. In this blog post, we’re sharing our journey as well as open-sourcing our solution so others may follow suit.

几年前，Unity安全团队与基础架构团队的合作伙伴一道，着眼于解决凭证管理问题。 在诸如Unity之类的大型多样的环境中，可以用多种编程语言之一编写项目，在几种不同的环境中开发项目，并通过许多连续的集成工具链进行部署。 这使得管理凭据成为一项更具挑战性的任务。 在此博客文章中，我们将分享我们的旅程以及将解决方案开源，以便其他人也能效仿。

凭证是什么？ (What are credentials, anyway?)

So, we need to manage credentials. But what are they? A credential, also known as a secret, is any piece of information required by your service to perform a privileged operation on a resource or another service. This can be a token for an API, a password to log in to some service, an SSH private key for connecting to an external server, a set of credentials for writing to a storage bucket, or an RSA key for signing binaries. Regardless of its type, the information needs to be carefully guarded and known only to the parties involved in the transaction that uses it. Ideally, not even the developers working on the service should know it, or at the very least, they should not have constant access to this information.

因此，我们需要管理凭据。 但是他们是什