This is a pre-production deployment of Warehouse, however changes made here WILL affect the production instance of PyPI.
Latest Version Dependencies status unknown Test status unknown Test coverage unknown
Project Description

Microsecrets is a secrets distribution tool powered by Amazon S3 and Amazon KMS. It provides a bare-bones approach to passing credentials securely in an Amazon Web Services environment. Credentials are uploaded to S3 and encrypted at rest by KMS. They can then be passed to programs through environment variables.

Installation

$ pip install microsecrets

Usage

Setup

  1. Create the S3 bucket you’ll use for secrets storage. You may want one bucket per organization, such as example.com-microsecrets.
  2. Create one KMS master key for each service that will be using microsecrets. The key should by default be named microsecrets-myservice for a service called myservice. Users uploading the credentials and systems downloading the credentials will need privileges to encrypt/decrypt data using this key. None of the normal users need key administration privileges.

Uploading environment and files

  1. Upload environment variable data. Environment variables may be passed as = separated pairs on stdin or in a file. NB: whitespace is stripped and all other characters are treated literally. Or pass them as a JSON dict with the --json flag.

    $ microsecrets-upload -b example-microsecrets -s myservice <<EOM
    DB_URL=db://user:pass@example.com:123
    PASSWORD=hunter2
    EOM
    
  2. Upload a raw file. Usage is the same as uploading environment variables, but you pass a -f LABEL to determine where to upload the file. This example uploads a file from ~/documents/train.txt with label train.txt.

    $ microsecrets-upload -b example-microsecrets -s myservice -f train.txt ~/documents/train.txt
    

Downloading files to show status

TODO: flesh out this section

  1. List latest versions of current files available for download

    $ microsecrets-download -b example-microsecrets -s myservice --list
    
  2. Download the environment

    $ microsecrets-download -b example-microsecrets -s myservice
    
  3. Download files with the environment

    $ microsecrets-download -b example-microsecrets -s myservice -f train.txt:/tmp/train.txt
    

Running programs under environment with secrets

  1. Run a program with the credentials in the environment. To verify the integrity of data in S3, you must specify the checksum of the environment file (output by the upload tool) or whitelist specific environment variables. Or, if integrity is not a concern, whitelist all environment variables. The whitelist is designed to avoid accidentally allowing code execution through LD_PRELOAD or similar, which may or may not be a concern in your system layout.

    $ microsecrets-with-env -b example-microsecrets -s myservice -w 'DB_URL PASSWORD' -- /bin/myserver
    

See also

There is a variety of other recent work in this space that may be of interest:

License

The project is in the public domain, and all contributions will also be released in the public domain. By submitting a pull request, you are agreeing to waive all rights to your contribution under the terms of the CC0 Public Domain Dedication.

This project constitutes an original work of the United States Government.

Release History

Release History

0.3.4

This version

History Node

TODO: Figure out how to actually get changelog content.

Changelog content for this version goes here.

Donec et mollis dolor. Praesent et diam eget libero egestas mattis sit amet vitae augue. Nam tincidunt congue enim, ut porta lorem lacinia consectetur. Donec ut libero sed arcu vehicula ultricies a non tortor. Lorem ipsum dolor sit amet, consectetur adipiscing elit.

Show More

0.3.3

History Node

TODO: Figure out how to actually get changelog content.

Changelog content for this version goes here.

Donec et mollis dolor. Praesent et diam eget libero egestas mattis sit amet vitae augue. Nam tincidunt congue enim, ut porta lorem lacinia consectetur. Donec ut libero sed arcu vehicula ultricies a non tortor. Lorem ipsum dolor sit amet, consectetur adipiscing elit.

Show More

0.3.2

History Node

TODO: Figure out how to actually get changelog content.

Changelog content for this version goes here.

Donec et mollis dolor. Praesent et diam eget libero egestas mattis sit amet vitae augue. Nam tincidunt congue enim, ut porta lorem lacinia consectetur. Donec ut libero sed arcu vehicula ultricies a non tortor. Lorem ipsum dolor sit amet, consectetur adipiscing elit.

Show More

0.3.0

History Node

TODO: Figure out how to actually get changelog content.

Changelog content for this version goes here.

Donec et mollis dolor. Praesent et diam eget libero egestas mattis sit amet vitae augue. Nam tincidunt congue enim, ut porta lorem lacinia consectetur. Donec ut libero sed arcu vehicula ultricies a non tortor. Lorem ipsum dolor sit amet, consectetur adipiscing elit.

Show More

0.2.0

History Node

TODO: Figure out how to actually get changelog content.

Changelog content for this version goes here.

Donec et mollis dolor. Praesent et diam eget libero egestas mattis sit amet vitae augue. Nam tincidunt congue enim, ut porta lorem lacinia consectetur. Donec ut libero sed arcu vehicula ultricies a non tortor. Lorem ipsum dolor sit amet, consectetur adipiscing elit.

Show More

0.1.4

History Node

TODO: Figure out how to actually get changelog content.

Changelog content for this version goes here.

Donec et mollis dolor. Praesent et diam eget libero egestas mattis sit amet vitae augue. Nam tincidunt congue enim, ut porta lorem lacinia consectetur. Donec ut libero sed arcu vehicula ultricies a non tortor. Lorem ipsum dolor sit amet, consectetur adipiscing elit.

Show More

0.1.3

History Node

TODO: Figure out how to actually get changelog content.

Changelog content for this version goes here.

Donec et mollis dolor. Praesent et diam eget libero egestas mattis sit amet vitae augue. Nam tincidunt congue enim, ut porta lorem lacinia consectetur. Donec ut libero sed arcu vehicula ultricies a non tortor. Lorem ipsum dolor sit amet, consectetur adipiscing elit.

Show More

0.1.2

History Node

TODO: Figure out how to actually get changelog content.

Changelog content for this version goes here.

Donec et mollis dolor. Praesent et diam eget libero egestas mattis sit amet vitae augue. Nam tincidunt congue enim, ut porta lorem lacinia consectetur. Donec ut libero sed arcu vehicula ultricies a non tortor. Lorem ipsum dolor sit amet, consectetur adipiscing elit.

Show More

0.1.1

History Node

TODO: Figure out how to actually get changelog content.

Changelog content for this version goes here.

Donec et mollis dolor. Praesent et diam eget libero egestas mattis sit amet vitae augue. Nam tincidunt congue enim, ut porta lorem lacinia consectetur. Donec ut libero sed arcu vehicula ultricies a non tortor. Lorem ipsum dolor sit amet, consectetur adipiscing elit.

Show More

0.1.0

History Node

TODO: Figure out how to actually get changelog content.

Changelog content for this version goes here.

Donec et mollis dolor. Praesent et diam eget libero egestas mattis sit amet vitae augue. Nam tincidunt congue enim, ut porta lorem lacinia consectetur. Donec ut libero sed arcu vehicula ultricies a non tortor. Lorem ipsum dolor sit amet, consectetur adipiscing elit.

Show More

Download Files

Download Files

TODO: Brief introduction on what you do with files - including link to relevant help section.

File Name & Checksum SHA256 Checksum Help Version File Type Upload Date
microsecrets-0.3.4.tar.gz (12.7 kB) Copy SHA256 Checksum SHA256 Source Jun 15, 2016

Supported By

WebFaction WebFaction Technical Writing Elastic Elastic Search Pingdom Pingdom Monitoring Dyn Dyn DNS HPE HPE Development Sentry Sentry Error Logging CloudAMQP CloudAMQP RabbitMQ Heroku Heroku PaaS Kabu Creative Kabu Creative UX & Design Fastly Fastly CDN DigiCert DigiCert EV Certificate Rackspace Rackspace Cloud Servers DreamHost DreamHost Log Hosting