futurice/secret

Name: secret

Owner: Futurice

Description: For managing secrets.

Created: 2015-06-05 10:47:03.0

Updated: 2018-03-31 05:55:23.0

Pushed: 2017-10-11 07:53:44.0

Homepage:

Size: 53

Language: Python

README

Secret

Secret is for storing secrets. Backed by Amazon Web Services: notably IAM for access policies, KMS for encryption keys and S3 for storage.

Setup

Configure AWS credentials for Boto (http://boto.readthedocs.org/en/latest/boto_config_tut.html).

Usage

Add global configuration to ~/.secret/credentials, for example:

```
[default]
# vault=S3 bucket name
# vaultkey=KMS encryption key handle
vault=secret
vaultkey=alias/secret
region=eu-central-1
```

Add any configuration overrides in .secret, e.g. {"project":"my-only-project"}, so that -P my-only-project does not need to be specified.

Commands

```
$ secret
<… instructions>

$ secret list
(empty)

$ secret put hello world
Success! Wrote: secret/default/hello

$ secret list
hello

$ secret get hello
world

$ secret put ssh_key ~/.ssh/id_rsa
Success! Wrote: secret/default/ssh_key

$ secret get ssh_key -o ~/.ssh/id_rsa
```

Keyspace

Project configuration (defined in .secret) allows keys to be addressed with a shorthand syntax; the full naming is also available. That is, the project/environment/key lookups helloworld/default/hello, default/hello and hello are equivalent. The / character is reserved for supporting nested keys.

Grouping

By namespacing keys it is possible to create groups of interest. Nested key names can be up to 1024 ASCII characters long.

```
$ secret put postgres/username joe
$ secret put postgres/password joespassword
$ secret put postgres/timeout 3600
$ secret get postgres
          Value
timeout   3600
password  joespassword
username  joe
```

Versioning

With S3 versioning enabled all changes leave an audit trail:

```
$ secret versions
<list all versions of all keys>

$ secret versions ssh_key
<list versions of a single key>

$ secret delete ssh_key
Success! Deleted: helloworld/default/ssh_key

$ secret get ssh_key
<NoSuchKey>

$ secret get ssh_key --version <version>
(… value data)
```

Environments

By default all project keys are stored under the `default` environment. To store user- or situation-specific values for the same keys (and new ones), provide `--env` while issuing operations.

```
$ secret envs
$ secret put hello world --env production
$ secret get --env production
```
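
The project/environment naming above lends itself to IAM prefix scoping, so that a role can read one environment's secrets and nothing else. The following is an added example, not code from the Secret project: it assumes objects are stored in the vault bucket under project/environment/key, and the function name, account id and key id are constructed placeholders.

```python
import json
import re

# One segment of project/environment/key. "/" is the separator, and "*" or
# "?" would act as wildcards inside an IAM resource ARN, so reject them.
_SEGMENT = re.compile(r"[A-Za-z0-9._-]+")


def read_only_policy(bucket, kms_key_arn, project, env="default"):
    """Build an IAM policy that can read one project/environment only.

    Assumption: objects live in the vault bucket under
    project/environment/key, e.g. helloworld/default/ssh_key.
    """
    for segment in (project, env):
        if not _SEGMENT.fullmatch(segment):
            raise ValueError("unsafe path segment: %r" % (segment,))
    prefix = "%s/%s/" % (project, env)
    bucket_arn = "arn:aws:s3:::" + bucket
    return {
        "Version": "2012-10-17",
        "Statement": [
            {  # read values, including old versions kept by S3 versioning
                "Effect": "Allow",
                "Action": ["s3:GetObject", "s3:GetObjectVersion"],
                "Resource": bucket_arn + "/" + prefix + "*",
            },
            {  # list keys and versions, but only under this prefix
                "Effect": "Allow",
                "Action": ["s3:ListBucket", "s3:ListBucketVersions"],
                "Resource": bucket_arn,
                "Condition": {"StringLike": {"s3:prefix": prefix + "*"}},
            },
            {  # decrypt with the vault key; IAM needs the key ARN, not the alias
                "Effect": "Allow",
                "Action": "kms:Decrypt",
                "Resource": kms_key_arn,
            },
        ],
    }


if __name__ == "__main__":
    # Constructed sample values: placeholder account id and key id.
    key_arn = "arn:aws:kms:eu-central-1:111122223333:key/EXAMPLE-KEY-ID"
    policy = read_only_policy("secret", key_arn, "helloworld", "production")
    print(json.dumps(policy, indent=2))
```

Because deleted keys remain retrievable by version when S3 versioning is on, the version-read actions are granted deliberately here; omit them for roles that should only see current values.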
Debugging

To enable verbose output for commands, use the `--debug 1` argument.

Development

Set up a local development environment for Secret:

```
virtualenv py2venv --python=python2
source py2venv/bin/activate
pip install -r requirements.txt
pip install pytest
# Create the configuration directory; credentials is a file inside it
mkdir -p ~/.secret
echo """
[default]
vault=secret
vaultkey=alias/secret
region=eu-central-1
""" > $HOME/.secret/credentials
export AWS_PROFILE=default
```

Client usage:

nvcmd ls

Run tests:

```
py.test
```
