Recognizable problem.
Typically, configuration fields with sensitive information, such as passwords, change much less frequently than non-sensitive configuration fields. A possible solution is to split the configuration into two parts:
- Configure this environment but does not contain sensitive information. I would advise you to keep these files together with the source code and, if possible, generate the files and automatically upload them to the configuration repository (S3 in your case) during the build. They must be versions and are tied to the version of your application.
- Configuration containing confidential information. Considering the issue, not all team members are allowed to read / write this information. You can save them in S3 with specific access rights so that only authorized members can access them. You will need a mechanism to merge the files together when you deploy or modify the application to read from different configuration files.
However, this solves only part of your problem. The ops parties will still have to make changes when changing sensitive configuration keys. Whether this is acceptable depends on how sensitive key keys change frequently.
An alternative to S3 could be to run a private Git repository (e.g. AWS CodecCommit ). You will have better version control and easier access for developers to make changes since you are already using Git. You still have to fix the permissions for the separation between dev and ops, or let it happen (since DevOps is trust and collaboration, this might be a good idea). You can apply a similar scheme here, as I described above.
Another solution might be to move the configuration of sensitive values โโfrom property files to the system configuration. When you are already using a training system like Puppet or Chef, it will be natural for the ops guys. Or set all sensitive values, such as passwords, as environment variables and ask the application to read it as system properties.
Hope this helps!