Skip to main content

Secret distribution tool, written as a wrapper on credstash

Project description

alohomora
=========

.. image:: https://travis-ci.com/razorpay/alohomora.svg?token=qzqszeBhnN4z5pes5mg9&branch=master
:target: https://travis-ci.com/razorpay/alohomora

Razorpay's Secret Credential management system.

Installation
------------

alohomora is distributed via PyPi:

.. code:: shell
pip install razorpay.alohomora

What?
-----

Alohomora is an opinionated project that relies on our conventions to
intelligently fetch secrets at run-time.

We don't do our own crypto. We rely on these libraries instead:

- https://github.com/fugue/credstash

This is how the template file looks in our app
repository:

.. code:: j2

# {{ alohomora_managed }}
DB_PASSWORD = {{ lookup('db_password') }}
APP_ENV = {{ env }}
ENV_DEBUG = {{ ENV['DEBUG'] }}
APP_NAME = {{ app }}

This repo runs directly on the same template and generates the
equivalent file as the output.

The steps it follows are the following:

1. Figure out the tables from which to read. All secrets are stored in a
``credstash-env-app`` table structure in dynamoDB.
2. Fetch all secrets from that table using credstash
3. Render the template with the secrets using jinja

How it Works?
-------------

Alohomora expects the secrets for any application to be stored in a
table called ``credstash-{env}-{app}``. The IAM roles for this table
must be configured by you. Once you try to render a template, alohomora
will do the following:

1. Read the entire table and decrypt all secrets and cache them locally.
2. Render the template with these files and 3 extra variables: ``env``,
``app``, and ``ENV`` variables.

``ENV`` is same as `os.environ` inside the jinja template.

Configuration?
--------------

Alohomora is designed to be a zero-config solution.

We perform a few transforms on the arguments that are passed:

- Change both ``app`` and ``env`` to lowercase
- Replace ``production`` with ``prod`` in the ``env`` name
- Ignore anything after ``-`` in the environment. So ``beta-birdie`` becomes ``beta``

Usage
-----

Please see the wiki regarding alohomora binary usage.

LICENSE
-------

``alohomora`` is released under the same license as credstash.

Project details


Download files

Download the file for your platform. If you're not sure which to choose, learn more about installing packages.

Source Distribution

razorpay.alohomora-0.4.3.tar.gz (6.5 kB view details)

Uploaded Source

Built Distribution

razorpay.alohomora-0.4.3-py3.6.egg (14.1 kB view details)

Uploaded Source

File details

Details for the file razorpay.alohomora-0.4.3.tar.gz.

File metadata

File hashes

Hashes for razorpay.alohomora-0.4.3.tar.gz
Algorithm Hash digest
SHA256 6037750b7d625a8c3313b2a88dc868452c3a9693638bab7015b04d06729adfc4
MD5 1d2dea0e94c85cb7baf9e51557fc9cf7
BLAKE2b-256 8773422b5d645eba7dbd31b034d91c78002ab403d48ba9bb4e7c62af40d8eda7

See more details on using hashes here.

File details

Details for the file razorpay.alohomora-0.4.3-py3.6.egg.

File metadata

File hashes

Hashes for razorpay.alohomora-0.4.3-py3.6.egg
Algorithm Hash digest
SHA256 f15070f134da7b8e7ebca1fcbcd945bf3a77a689481df5e731c1a3c1904eab4b
MD5 fd13e197a178d8a978e82f49f26e868e
BLAKE2b-256 5edfa1241270d6fab3f4649ded79781e532cc1451a162b19400173e2a9eb1439

See more details on using hashes here.

Supported by

AWS AWS Cloud computing and Security Sponsor Datadog Datadog Monitoring Fastly Fastly CDN Google Google Download Analytics Microsoft Microsoft PSF Sponsor Pingdom Pingdom Monitoring Sentry Sentry Error logging StatusPage StatusPage Status page