aws-secret-storage

1.1.0 • Public • Published

Checkout Finland Oy


Store secrets in an encrypted file in your repo.

The secret file is encrypted locally with AES-256-GCM. The data encryption key comes from AWS KMS: every encryption asks KMS for a fresh data key (kms:GenerateDataKey), uses the plaintext half of that key to encrypt the file, and stores the KMS-encrypted copy of the key alongside the ciphertext. Reading the file back therefore only needs kms:Decrypt on that stored copy; the KMS key itself never leaves KMS (envelope encryption).

secret.*.unencrypted.json files contain plaintext and must never be committed. Add that pattern to .gitignore so a forgotten decrypt does not end up in repository history.

cli

aws-secret-storage provides cli helpers for creating and managing secrets files.

All commands talk to KMS, so AWS credentials are required. The simplest option is to set the AWS_ACCESS_KEY_ID and AWS_SECRET_ACCESS_KEY environment variables for an IAM principal that is allowed the kms:GenerateDataKey action (used by init and encrypt, which request a fresh data key) and the kms:Decrypt action (used by decrypt). Grant those two actions on the specific key rather than kms:* on all keys, and prefer short-lived credentials (an assumed role or SSO session) over long-lived access keys in a developer's shell.

aws-secret-storage-init SECRET_NAME --key CMK_ID [--region AWS_REGION]

Creates new encrypted and unencrypted files for secrets storage.

secret.SECRET_NAME.unencrypted.json contains the unencrypted data as implied in its name.

  • SECRET_NAME is used to form the file name for the secret
  • --key must be a unique identifier for the customer master key. For example:
    • Unique key ID: 1234abcd-12ab-34cd-56ef-1234567890ab
    • Key ARN: arn:aws:kms:us-east-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab
    • Alias: alias/test-alias
  • --region must be provided if the environment variable AWS_DEFAULT_REGION isn't used. Valid values

aws-secret-storage-encrypt SECRET_NAME

Encrypts the secret.SECRET_NAME.unencrypted.json and saves the result as secret.SECRET_NAME.json. The unencrypted file is removed.

Every encryption operation fetches a new data encryption key from KMS, so a data key is never reused across files or across re-encryptions of the same file, and the key that protects the data keys never leaves KMS.

aws-secret-storage-decrypt SECRET_NAME

Decrypts secret.SECRET_NAME.json and saves the unencrypted data to secret.SECRET_NAME.unencrypted.json. Once you are done editing, run aws-secret-storage-encrypt SECRET_NAME again; it re-encrypts with a fresh data key and removes the plaintext file.
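The scheme the encrypt and decrypt commands rely on (a fresh KMS data key per encryption, AES-256-GCM for the file contents, the KMS-encrypted data key stored with the ciphertext) written out as an added TypeScript illustration. This is not the package's own code: the two KMS calls are replaced by an in-memory `FakeKms` so the example runs offline, and the `EnvelopeFile` layout, its field names and the use of keyId as GCM associated data are assumptions made for this illustration, not the package's on-disk format.

```typescript
import { createCipheriv, createDecipheriv, randomBytes } from "crypto";

// Assumed on-disk shape for this illustration only; the real package's
// file format is not documented on this page.
export interface EnvelopeFile {
  keyId: string;
  region: string;
  encryptedDataKey: string; // base64; only KMS can unwrap it
  iv: string;               // base64; 12-byte GCM nonce for the file body
  authTag: string;          // base64; GCM tag over ciphertext + AAD
  ciphertext: string;       // base64
}

// Stand-in for kms:GenerateDataKey and kms:Decrypt. Assumption: the "CMK"
// is an in-memory AES-256 key that wraps data keys with AES-256-GCM. Real
// KMS never exposes the CMK; everything else mirrors the envelope pattern.
export class FakeKms {
  private readonly cmk = randomBytes(32);
  constructor(public readonly keyId: string) {}

  generateDataKey(): { plaintext: Buffer; ciphertextBlob: Buffer } {
    const plaintext = randomBytes(32);
    const iv = randomBytes(12);
    const cipher = createCipheriv("aes-256-gcm", this.cmk, iv);
    const wrapped = Buffer.concat([cipher.update(plaintext), cipher.final()]);
    // blob = iv || tag || wrapped key
    return { plaintext, ciphertextBlob: Buffer.concat([iv, cipher.getAuthTag(), wrapped]) };
  }

  decrypt(ciphertextBlob: Buffer): Buffer {
    const iv = ciphertextBlob.subarray(0, 12);
    const tag = ciphertextBlob.subarray(12, 28);
    const wrapped = ciphertextBlob.subarray(28);
    const decipher = createDecipheriv("aes-256-gcm", this.cmk, iv);
    decipher.setAuthTag(tag);
    return Buffer.concat([decipher.update(wrapped), decipher.final()]);
  }
}

export function encryptSecret(kms: FakeKms, region: string, data: Record<string, unknown>): EnvelopeFile {
  // A fresh data key for every encryption, as the cli does.
  const { plaintext: dataKey, ciphertextBlob } = kms.generateDataKey();
  const iv = randomBytes(12);
  const cipher = createCipheriv("aes-256-gcm", dataKey, iv);
  // Bind the key id to the ciphertext as AAD so swapping it is detected.
  cipher.setAAD(Buffer.from(kms.keyId));
  const ciphertext = Buffer.concat([cipher.update(JSON.stringify(data), "utf8"), cipher.final()]);
  dataKey.fill(0); // drop the plaintext key as soon as it is no longer needed
  return {
    keyId: kms.keyId,
    region,
    encryptedDataKey: ciphertextBlob.toString("base64"),
    iv: iv.toString("base64"),
    authTag: cipher.getAuthTag().toString("base64"),
    ciphertext: ciphertext.toString("base64"),
  };
}

export function decryptSecret(kms: FakeKms, file: EnvelopeFile): Record<string, unknown> {
  // Only kms:Decrypt is needed here: unwrap the stored data key, then decrypt locally.
  const dataKey = kms.decrypt(Buffer.from(file.encryptedDataKey, "base64"));
  const decipher = createDecipheriv("aes-256-gcm", dataKey, Buffer.from(file.iv, "base64"));
  decipher.setAAD(Buffer.from(file.keyId));
  decipher.setAuthTag(Buffer.from(file.authTag, "base64"));
  const plaintext = Buffer.concat([
    decipher.update(Buffer.from(file.ciphertext, "base64")),
    decipher.final(), // throws if ciphertext, tag or keyId was tampered with
  ]);
  dataKey.fill(0);
  return JSON.parse(plaintext.toString("utf8"));
}

// Flip one ciphertext bit and report whether GCM rejects the file (it should).
export function tamperIsDetected(kms: FakeKms, file: EnvelopeFile): boolean {
  const bytes = Buffer.from(file.ciphertext, "base64");
  bytes[0] ^= 0x01;
  try {
    decryptSecret(kms, { ...file, ciphertext: bytes.toString("base64") });
    return false;
  } catch {
    return true;
  }
}
```

The point to take from the example is the split of trust: the file can sit in the repository because its data key is useless without a kms:Decrypt call that KMS logs and that IAM can gate, and GCM's tag means an edited file fails closed rather than yielding garbage.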

api

aws-secret-storage provides an api for loading secrets.

Configure aws-sdk with proper credentials before calling the aws-secret-storage APIs, or rely on the aws-sdk default credential provider chain (environment variables, shared credentials file, or an instance/container role). At runtime the application only has to unwrap the stored data key, so its role needs kms:Decrypt on the key and not kms:GenerateDataKey.

class AutoSecretFileStorage

For loading secret.*.json or secret.*.unencrypted.json files. It prefers the encrypted file but falls back to the unencrypted one, so development environments without encrypted secrets keep working. Nothing in the returned object says which of the two files was read, so make sure no secret.*.unencrypted.json is present in a production deployment, or it will be used in place of the encrypted file.

constructor(secretName: string, basePath?: string)

  • secretName is the name of the secret created with the cli. For example staging
  • basePath points to the folder where the secrets are stored. If not specified the current working directory will be used.

getData(): Promise<UnencryptedSecret>

The promise is resolved with an object that looks like

{
    keyId: "somekey",
    region: "someregion",
    data: {
        "favColor": "red"
    }
}

Usually only the data property is of interest; keyId and region record which KMS key and region the file was encrypted with. Throws an error if there is neither an encrypted nor an unencrypted secrets file for secretName.
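A start-up guard for the fallback described above, as an added TypeScript example that is not part of the package: it uses only the two file names the cli documents and refuses to run in production if a plaintext file is present or the encrypted one is missing. The function name `checkSecretFiles`, the `exists` parameter (injectable so the check can be exercised without a filesystem) and the reliance on NODE_ENV are assumptions for this example.

```typescript
import { existsSync } from "fs";
import { join } from "path";

// File names as documented for a secret created with the cli.
export function encryptedSecretPath(secretName: string, basePath: string): string {
  return join(basePath, `secret.${secretName}.json`);
}

export function unencryptedSecretPath(secretName: string, basePath: string): string {
  return join(basePath, `secret.${secretName}.unencrypted.json`);
}

export type SecretSource = "encrypted" | "unencrypted";

// Decide which file AutoSecretFileStorage would read and refuse the
// plaintext fallback in production. `exists` defaults to the real
// filesystem check and can be replaced in tests.
export function checkSecretFiles(
  secretName: string,
  basePath: string,
  nodeEnv: string | undefined,
  exists: (p: string) => boolean = existsSync,
): SecretSource {
  const encrypted = encryptedSecretPath(secretName, basePath);
  const plain = unencryptedSecretPath(secretName, basePath);
  const hasEncrypted = exists(encrypted);
  const hasPlain = exists(plain);

  if (nodeEnv === "production") {
    // A plaintext file next to the app in production is a deployment bug,
    // whether or not the encrypted file is also there.
    if (hasPlain) {
      throw new Error(`refusing to start: plaintext secret file present: ${plain}`);
    }
    if (!hasEncrypted) {
      throw new Error(`refusing to start: encrypted secret file missing: ${encrypted}`);
    }
    return "encrypted";
  }

  // Outside production mirror the documented preference: encrypted first.
  if (hasEncrypted) return "encrypted";
  if (hasPlain) return "unencrypted";
  throw new Error(`no secret file for "${secretName}" in ${basePath}`);
}

// Usage: run the check before constructing AutoSecretFileStorage, e.g.
//   checkSecretFiles("my-project", process.cwd(), process.env.NODE_ENV);
//   const storage = new AutoSecretFileStorage("my-project");
```

Run it once at process start, before the first getData() call, so a mis-deployed plaintext file stops the service rather than being loaded quietly.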

Usage example

secret.my-project.json

Created with aws-secret-storage-encrypt my-project. Should be in current working directory.

index.js

import {AutoSecretFileStorage} from "aws-secret-storage";

// Looks for secret.my-project.json (or, failing that,
// secret.my-project.unencrypted.json) in the current working directory.
const secretStorage = new AutoSecretFileStorage("my-project");
secretStorage.getData()
    .then((data) => {
        // The decrypted payload lives under the "data" property.
        console.log("My favourite color is " + data["data"]["favColor"]);
    }, (err) => {
        // A missing file or a KMS/credential failure ends up here.
        console.error(err);
    });

node index.js

My favourite color is red

Integration tests

Running yarn integration-test with the following env variables

  • AWS_ACCESS_KEY_ID
  • AWS_SECRET_ACCESS_KEY
  • AWS_DEFAULT_REGION
  • AWS_CMK_ID

exercises the cli commands against the KMS key identified by AWS_CMK_ID.

The credentials must be valid and allowed to use that key, or the integration tests fail.

Install

npm i aws-secret-storage

License

MIT

Collaborators

  • minttu