honeycombio/chamber

Name: chamber

Owner: Honeycomb

Description: CLI for managing secrets

Forked from: segmentio/chamber

Created: 2017-10-10 20:45:05.0

Updated: 2017-10-10 20:45:08.0

Pushed: 2017-10-10 20:47:07.0

Homepage: null

Size: 47

Language: Go

README

Chamber

Chamber is a tool for managing secrets. Currently it does so by storing secrets in SSM Parameter Store, an AWS service for storing secrets.

Authenticating

Using chamber requires you to be running in an environment with an authenticated AWS user which has the appropriate permission to read/write values to SSM Parameter Store. The easiest way to do so is by using aws-vault, like:

$ aws-vault exec prod -- chamber

For this reason, it is recommended that you create an alias in your shell of choice to save yourself some typing, for example (from my .zshrc):

alias chamberprod='aws-vault exec production -- chamber'

Setting up KMS

Chamber expects to find a KMS key with alias parameter_store_key in the account that you are writing/reading secrets. You can follow the AWS KMS documentation to create your key, and follow this guide to set up your alias.

If you are a Terraform user, you can create your key with the following:

resource "aws_kms_key" "parameter_store" {
  description             = "Parameter store kms master key"
  deletion_window_in_days = 10
  enable_key_rotation     = true
}

resource "aws_kms_alias" "parameter_store_alias" {
  name          = "alias/parameter_store_key"
  target_key_id = "${aws_kms_key.parameter_store.id}"
}

If you'd like to use an alternate KMS key to encrypt your secrets, you can set the environment variable CHAMBER_KMS_KEY_ALIAS.

Usage

Writing Secrets

$ chamber write <service> <key> <value|->

This operation will write a secret into the secret store. If a secret with that key already exists, it will increment the version and store a new value.

If - is provided as the value argument, the value will be read from standard input.

Listing Secrets

$ chamber list service
Key         Version                  LastModified      User
key         2                        06-09 17:30:56    daniel-fuentes
other       1                        06-09 17:30:34    daniel-fuentes

Listing secrets should show the key names for a given service, along with other useful metadata including when the secret was last modified, who modified it, and what the current version is.

Historic view

$ chamber history service key
Event       Version     Date            User
Created     1           06-09 17:30:19  daniel-fuentes
Updated     2           06-09 17:30:56  daniel-fuentes

The history command gives a historical view of a given secret. This view is useful for auditing changes, and can point you toward the user who made the change so it's easier to find out why changes were made.

Exec

$ chamber exec <service...> -- <your executable>

exec populates the environment with the secrets from the specified services and executes the given command. Secret keys are converted to upper case (for example a secret with key secret_key will become SECRET_KEY).

Secrets from services are loaded in the order specified in the command. For example, if you do chamber exec app apptwo -- ... and both apps have a secret named api_key, the api_key from apptwo will be the one set in your environment.
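The exec merge rules described above (services applied in command-line order, later services winning, keys upper-cased), as an added Go example that is not chamber's own code. SecretStore is a constructed in-memory stand-in for SSM Parameter Store, and the service names and values are made up.

```go
package main

import (
	"fmt"
	"os"
	"os/exec"
	"strings"
)

// SecretStore is a constructed in-memory stand-in for SSM Parameter Store (service -> key -> latest value).
type SecretStore map[string]map[string]string

// BuildEnv merges the secrets of the given services in command-line order: a key
// in a later service overrides the same key in an earlier one, and every key is
// upper-cased (secret_key -> SECRET_KEY), as `chamber exec` does.
func BuildEnv(store SecretStore, services []string) (map[string]string, error) {
	env := make(map[string]string)
	for _, svc := range services {
		secrets, ok := store[svc]
		if !ok {
			return nil, fmt.Errorf("unknown service %q", svc)
		}
		for key, value := range secrets {
			env[strings.ToUpper(key)] = value
		}
	}
	return env, nil
}

// Exec runs argv with the parent environment plus the merged secrets (child process only, nothing on disk).
func Exec(store SecretStore, services []string, argv ...string) error {
	merged, err := BuildEnv(store, services)
	if err != nil {
		return err
	}
	cmd := exec.Command(argv[0], argv[1:]...)
	cmd.Env = os.Environ()
	for k, v := range merged {
		cmd.Env = append(cmd.Env, k+"="+v)
	}
	cmd.Stdout, cmd.Stderr = os.Stdout, os.Stderr
	return cmd.Run()
}

func main() { // constructed sample: apptwo is listed last, so its api_key wins
	store := SecretStore{"app": {"api_key": "key-from-app"}, "apptwo": {"api_key": "key-from-apptwo"}}
	if err := Exec(store, []string{"app", "apptwo"}, "sh", "-c", "echo API_KEY=$API_KEY"); err != nil {
		panic(err)
	}
}
```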

Reading

$ chamber read service key
Key         Value                           Version         LastModified    User
key         secret                          1               06-09 17:30:56  daniel-fuentes

read provides the ability to print out the value of a single secret, as well as the secret's additional metadata. It does not provide the ability to print out multiple secrets in order to discourage accessing extra secret material that is unneeded. Parameter store automatically versions secrets and passing the --version/-v flag to read can print older versions of the secret. Default version (-1) is the latest secret.

AWS Region

Chamber uses the AWS SDK for Go. To use a region other than the one specified in $HOME/.aws/config, set the environment variable AWS_REGION.

$ AWS_REGION=us-west-2 chamber list service
Key         Version                  LastModified      User
key         3                        07-10 09:30:41    daniel-fuentes
other       1                        07-10 09:30:35    daniel-fuentes

Chamber does not currently read the value of AWS_DEFAULT_REGION. See https://github.com/aws/aws-sdk-go#configuring-aws-region for more details.

Releasing

To cut a new release, just push a tag named v<semver> where <semver> is a valid semver version. This tag will be used by CircleCI to automatically publish a GitHub release.


This work is supported by the National Institutes of Health's National Center for Advancing Translational Sciences, Grant Number U24TR002306. This work is solely the responsibility of the creators and does not necessarily represent the official views of the National Institutes of Health.