Project Description

A humilis plugin that implements a secrets-vault layer. The layer consists of an encrypted DynamoDB table that serves secrets to Lambda functions in the same humilis environment. Encryption and decryption of secrets is handled by the AWS KMS service.

Installation

From PyPI:

pip install humilis-secrets-vault

To install the dev version:

pip install git+https://github.com/InnovativeTravel/humilis-secrets-vault

How do I use this?

Simply add this layer to your humilis environment and use the layer parameter associated_processors to specify the layers that contain the Lambda functions that require access to the secrets in the vault. For example, the environment below deploys a Lambda function that processes events in a Kinesis stream. The Lambda processor is granted access to the secrets vault that is also part of the same environment:

---
myenvironment:
    description:
        An environment with a Lambda processor to filter events in a Kinesis
        stream.

    layers:
        - layer: streams
          layer_type: streams
          streams:
              - name: InputStream
                shard_count: 1

        - layer: event-processor
          layer_type: kinesis-processor
          dependencies: ["streams"]
          input: {layer: streams, stream: InputStream}

        - layer: secrets-vault
          layer_type: secrets-vault
          # We specify that the Lambda function in the event-processor layer
          # should have access to the secrets in the vault.
          associated_processors: ["event-processor"]

The secrets-vault layer expects that the layer(s) that contain the Lambda processor(s) expose a layer output LambdaFunctionArn with the ARN of the Lambda function that should have access to the secrets in the vault. Layers of type kinesis-processor as in the example above fulfil this expectation so they will work out-of-the-box.
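A pre-deployment check for the wiring described above, as an added example that is not part of humilis or this plugin. It takes the environment already parsed into a dict; the function name lint_vault_access, the EXPOSES_LAMBDA_ARN set and the misspelled layer in the sample are assumptions made for illustration.

```python
# Only kinesis-processor is confirmed by the README to expose LambdaFunctionArn;
# add other layer types here once you have verified their outputs yourself.
EXPOSES_LAMBDA_ARN = {"kinesis-processor"}

# Constructed sample: the README's environment as a parsed dict, plus two
# deliberately bad references (a typo and a layer with no Lambda function).
SAMPLE_ENV = {
    "myenvironment": {"layers": [
        {"layer": "streams", "layer_type": "streams"},
        {"layer": "event-processor", "layer_type": "kinesis-processor",
         "dependencies": ["streams"]},
        {"layer": "secrets-vault", "layer_type": "secrets-vault",
         "associated_processors": ["event-processor", "event-procesor", "streams"]},
    ]}
}


def lint_vault_access(env):
    """Return (granted, findings) for every secrets-vault layer in env."""
    granted, findings = [], []
    for env_name, body in env.items():
        layers = {layer["layer"]: layer for layer in body.get("layers", [])}
        for vault in layers.values():
            if vault.get("layer_type") != "secrets-vault":
                continue
            where = f"{env_name}/{vault['layer']}"
            procs = vault.get("associated_processors") or []
            if not procs:
                findings.append(f"{where}: no associated_processors listed")
            for name in procs:
                target = layers.get(name)
                if target is None:
                    findings.append(f"{where}: unknown layer {name!r}")
                elif target.get("layer_type") not in EXPOSES_LAMBDA_ARN:
                    findings.append(f"{where}: layer {name!r} of type "
                                    f"{target.get('layer_type')!r} is not known "
                                    "to expose LambdaFunctionArn")
                else:
                    granted.append(name)
    return sorted(granted), findings


if __name__ == "__main__":
    ok, problems = lint_vault_access(SAMPLE_ENV)
    print("vault access granted to:", ok)
    for problem in problems:
        print("FINDING:", problem)
```

The granted list doubles as a review artefact: it is the complete set of layers whose Lambda functions can read the vault in that environment.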

Retrieving secrets

The easiest way of retrieving secrets from your Lambda function is to include the package lambdautils as a dependency.

Then you can easily retrieve secrets from the vault within your Lambda code as follows:

import lambdautils.utils as utils

# Assuming that you are deploying this Lambda with humilis the line below
# will indicate humilis to preprocess this function with Jinja2 before
# producing the Lambda deployment package.
# preprocessor:jinja2

# During deployment, humilis will replace here the name of the humilis
# environment and deployment stage.
ENVIRONMENT = "{{_env.name}}"
STAGE = "{{_env.stage}}"

plaintext = utils.get_secret(
    "my_secret_key", environment=ENVIRONMENT, stage=STAGE)
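A wrapper around the retrieval call above that caches secrets for the lifetime of a warm Lambda container and fails closed when a secret is missing, as an added example that is not part of lambdautils. The names CachedSecrets and SecretUnavailable, the stage "DEV", and treating a None or empty return as "missing" are assumptions of this example; only the call shape get_secret(key, environment=..., stage=...) comes from the README.

```python
import time


class SecretUnavailable(RuntimeError):
    """Raised instead of handing an empty secret back to the caller."""


class CachedSecrets:
    """Per-container TTL cache in front of a get_secret-style callable."""

    def __init__(self, fetch, environment, stage, ttl=300.0, clock=time.monotonic):
        self._fetch, self._env, self._stage = fetch, environment, stage
        self._ttl, self._clock = ttl, clock
        self._cache = {}  # key -> (expires_at, plaintext)

    def get(self, key):
        now = self._clock()
        hit = self._cache.get(key)
        if hit and hit[0] > now:
            return hit[1]
        value = self._fetch(key, environment=self._env, stage=self._stage)
        if not value:  # assumption: None or "" means the secret is missing
            self._cache.pop(key, None)
            # Name the key, never the value, so logs stay free of plaintext.
            raise SecretUnavailable(
                f"secret {key!r} unavailable in {self._env}/{self._stage}")
        self._cache[key] = (now + self._ttl, value)
        return value


def demo():
    """Run against a constructed stand-in for the vault (no AWS calls)."""
    calls = []

    def fake_fetch(key, environment, stage):
        calls.append(key)
        return {"my_secret_key": "s3cr3t"}.get(key)

    now = [0.0]
    secrets = CachedSecrets(fake_fetch, "myenvironment", "DEV",
                            ttl=60, clock=lambda: now[0])
    first = secrets.get("my_secret_key")
    second = secrets.get("my_secret_key")   # served from the cache
    now[0] = 61.0
    third = secrets.get("my_secret_key")    # TTL expired, fetched again
    return first, second, third, len(calls)
```

In a real function, create one module-level instance with utils.get_secret as fetch so the cache survives across invocations of the same container; the TTL bounds how long a rotated secret stays stale.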

Storing secrets

You can use humilis to store secrets in the vault from the command line:

humilis set-secret --stage [STAGE] [ENVIRONMENT_FILE] [SECRET_KEY] [SECRET_VALUE]

Development

Assuming you have virtualenv installed:

make develop

Configure humilis:

.env/bin/humilis configure --local

Testing

You can test the deployment of the secrets vault using:

make create

Then you can run the integration test suite (TBD):

make testi

Don’t forget to delete the test deployment once you are done:

make delete

More information

See humilis documentation.

Contact

If you have questions, bug reports, suggestions, etc. please create an issue on the GitHub project page.

License

This software is licensed under the MIT license.

See License file.

© 2016 German Gomez-Herrero, Find Hotel and others.

Release History

0.2.4 (this version)
0.2.3
0.2.2
0.2.1
0.2.0
0.1.0
0.0.2
0.0.1

Download Files

humilis-secrets-vault-0.2.4.tar.gz (4.7 kB), file type: Source, uploaded Jul 3, 2016
