Secret distribution tool, written as a wrapper on credstash
Project description
alohomora
=========
Razorpay's Secret Credential management system.
Installation
------------
alohomora is distributed via PyPi:
.. code:: shell
pip install razorpay.alohomora
What?
-----
Alohomora is an opinionated project that relies on our conventions to
intelligently fetch secrets at run-time.
We don't do our own crypto. We rely on these libraries instead:
- https://github.com/fugue/credstash
This is how the template file [STRIKEOUT:looks] will look in our app
repository:
.. code:: j2
# {{ alohomora_managed }}
DB_PASSWORD = {{ lookup('db_password') }}
This repo runs directly on the same template and generates the
equivalent file as the output.
The steps it follows are the following:
1. Figure out the tables from which to read. All secrets are stored in a
``credstash-env-app`` table structure in dynamoDB.
2. Fetch all secrets from that table using credstash
3. Render the template with the secrets using jinja
How it Works?
-------------
Alohomora expects the secrets for any application to be stored in a
table called ``credstash-{env}-{app}``. The IAM roles for this table
must be configured by you. Once you try to render a template, alohomora
will do the following:
1. Read the entire table and decrypt all secrets and cache them locally.
2. Render the template with these files and 2 extra variables: ``env``,
and ``app`` variables.
3. Generate a diff report with any secrets that have been updated, and
send it to a log file. The report should contain number of secrets
updated, and their keys only.
4. Overwrite the file with the new one if *everything looks cool*.
Configuration?
--------------
Alohomora is designed to be a zero-config solution.
We perform a few transforms on the arguments that are passed:
- Change both ``app`` and ``env`` to lowercase
- Replace ``production`` with ``prod`` in the ``env`` name
- Ignore anything after ``-`` in the environment. So ``beta-birdie`` becomes ``beta``
Usage
-----
Please see the wiki regarding alohomora binary usage.
LICENSE
-------
``alohomora`` is released under the same license as credstash.
=========
Razorpay's Secret Credential management system.
Installation
------------
alohomora is distributed via PyPi:
.. code:: shell
pip install razorpay.alohomora
What?
-----
Alohomora is an opinionated project that relies on our conventions to
intelligently fetch secrets at run-time.
We don't do our own crypto. We rely on these libraries instead:
- https://github.com/fugue/credstash
This is how the template file [STRIKEOUT:looks] will look in our app
repository:
.. code:: j2
# {{ alohomora_managed }}
DB_PASSWORD = {{ lookup('db_password') }}
This repo runs directly on the same template and generates the
equivalent file as the output.
The steps it follows are the following:
1. Figure out the tables from which to read. All secrets are stored in a
``credstash-env-app`` table structure in dynamoDB.
2. Fetch all secrets from that table using credstash
3. Render the template with the secrets using jinja
How it Works?
-------------
Alohomora expects the secrets for any application to be stored in a
table called ``credstash-{env}-{app}``. The IAM roles for this table
must be configured by you. Once you try to render a template, alohomora
will do the following:
1. Read the entire table and decrypt all secrets and cache them locally.
2. Render the template with these files and 2 extra variables: ``env``,
and ``app`` variables.
3. Generate a diff report with any secrets that have been updated, and
send it to a log file. The report should contain number of secrets
updated, and their keys only.
4. Overwrite the file with the new one if *everything looks cool*.
Configuration?
--------------
Alohomora is designed to be a zero-config solution.
We perform a few transforms on the arguments that are passed:
- Change both ``app`` and ``env`` to lowercase
- Replace ``production`` with ``prod`` in the ``env`` name
- Ignore anything after ``-`` in the environment. So ``beta-birdie`` becomes ``beta``
Usage
-----
Please see the wiki regarding alohomora binary usage.
LICENSE
-------
``alohomora`` is released under the same license as credstash.
Release history Release notifications | RSS feed
Download files
Download the file for your platform. If you're not sure which to choose, learn more about installing packages.
Source Distribution
Built Distribution
File details
Details for the file razorpay.alohomora-0.4.1.tar.gz.
File metadata
- Download URL: razorpay.alohomora-0.4.1.tar.gz
- Upload date:
- Size: 6.7 kB
- Tags: Source
- Uploaded using Trusted Publishing? No
File hashes
| Algorithm | Hash digest | |
|---|---|---|
| SHA256 | 3e13888f6360a52cb5588bdf9ab8f12a4929c44623d1ec0881cb89ed0f28ca88 |
|
| MD5 | c13645490ed4f2a93d1d779aa62ad04a |
|
| BLAKE2b-256 | 070de3f5ece7015bcc594b782b77ae23b3dbab3d9be3114828bed6dc978ecf26 |
File details
Details for the file razorpay.alohomora-0.4.1-py2.7.egg.
File metadata
- Download URL: razorpay.alohomora-0.4.1-py2.7.egg
- Upload date:
- Size: 13.7 kB
- Tags: Source
- Uploaded using Trusted Publishing? No
File hashes
| Algorithm | Hash digest | |
|---|---|---|
| SHA256 | dcc28ae7c9b50d3365a2a2ac691741cdee2b7998da7c9265033b358ec90440f0 |
|
| MD5 | d5375f6c3fd74a75f0709b01c93a6ebe |
|
| BLAKE2b-256 | f10cacecf9548d5256a0cc8e730d941a73f003678953fe01055ad384315eb7d8 |
