AWS Secret CLI for manage SSM SecureString and SecretsManager
Project description
AWS Secrets CLI
About
AWS Secrets CLI is a tool to manage SSM Parameter Store (SecureString and String) using KMS to encrypt your information. this tool enables you to store your secrets information without expose into your git repository.
Motivation
When you need to manage SSM parameter (SecureString) in multiple AWS Environments you need to create or update manually, because CloudFormation doesn't support SSM parameter type Secure, you can use AWS CLI or boto3 to create the parameters for you, but you need to read the secrets values from somewhere, and you can't store into your git repository.
AWS Secrets CLI provides you a Command Line Interface that manage your secrets using KMS, so you can store the config file into your git repository because your secrets will not expore, only for people that have access to KMS Key.
Getting Started
Install
pip install aws-secrets-cli
Requirements
It is necessary to create a KMS key before starting to create the parameter using the CLI.
You can create this key using AWS CLI, AWS SDK, console or CloudFormation:
Example using CloudFormation:
Description: "KMS Key for Secrest"
Resources:
Key:
Type: AWS::KMS::Key
Properties:
KeyPolicy:
Statement:
- Action:
- kms:Create*
- kms:Describe*
- kms:Enable*
- kms:List*
- kms:Put*
- kms:Update*
- kms:Revoke*
- kms:Disable*
- kms:Get*
- kms:Delete*
- kms:ScheduleKeyDeletion
- kms:CancelKeyDeletion
- kms:GenerateDataKey
- kms:TagResource
- kms:UntagResource
Effect: Allow
Principal:
AWS: !Sub 'arn:aws:iam::${AWS::AccountId}:root'
Resource: "*"
- Action:
- kms:Decrypt
- kms:Encrypt
- kms:ReEncrypt*
- kms:GenerateDataKey*
Effect: Allow
Principal:
AWS: !Sub 'arn:aws:iam::${AWS::AccountId}:root'
Resource: "*"
Version: "2012-10-17"
Description: AWS KMS Key for secrets
UpdateReplacePolicy: Retain
DeletionPolicy: Retain
KeyAlias:
Type: AWS::KMS::Alias
Properties:
AliasName: alias/infra-scripts-secrets
TargetKeyId: !GetAtt Key.Arn
Outputs:
KeyArn:
Description: KMS Key Arn
Value: !GetAtt Key.Arn
Our fist config.
For naming convention you should give the environment name for the file name (e.g dev.yaml)
kms:
arn: KMS_KEY_ARN (String) #Required
Add our first secure parameter
For create your first parameter you need to provide the environment file name that you create on the last step (--env-file), the parameter name (--parameter), the value (--value) and optionally you can provide AWS profile and region.
aws-secrets set-parameter --env-file dev.yaml --parameter /foo/dev/password --value "FooData" --profile myaws-profile --region eu-west-1
This command can be used for modify parameters.
Now open your config file and you should see parameters property with the parameter that you create using the command above.
kms:
arn: KMS_KEY_ARN (String) #Required
parameters:
- name: /foo/dev/password
type: SecureString
value: <encrypted_data>
You can modify or add parameters directly in the configuration file.
Create parameters into AWS Account
To deploy the parameter that you created on last step, you need to execute this command:
aws-secrets deploy --env-file dev.yaml --profile myaws-profile --region eu-west-1
Now your parameters have been created in AWS Account.
Release history Release notifications | RSS feed
Download files
Download the file for your platform. If you're not sure which to choose, learn more about installing packages.
Source Distribution
Built Distribution
Hashes for aws-ssm-secrets-cli-0.0.1.tar.gz
| Algorithm | Hash digest | |
|---|---|---|
| SHA256 | 25f6e4748108520d972870f690c6a1168b5a21f8e5b308367f960c75fdd9cd59 |
|
| MD5 | 6d95421919ffc2f89db3de7f44851619 |
|
| BLAKE2b-256 | b94bbfc82f07c7542813d1032fbb6ab5cd8542be935e9626214cbc453d276583 |
Hashes for aws_ssm_secrets_cli-0.0.1-py3-none-any.whl
| Algorithm | Hash digest | |
|---|---|---|
| SHA256 | 1a662cdb1a87bca56baa3705eb685b6ab3df5aed2df09327ce0bd51a16022dc9 |
|
| MD5 | 6c44076953ffbcbf0cd4fefb1a18a9ce |
|
| BLAKE2b-256 | 22bf274ddf540b9b017062dcab38d2390f4b3aa4ccd21748e73ce771ee6ccbdf |
