Skip to main content

Python library to expose S3 as vault to store encrypted data

Project description

pypi build status code quality documentation 3rd party libs

S3Vaultlib is a Python Library and CLI tool that enable you to implements a secure vault / configuration datastore for your AWS platform by using AWS resources: CloudFormation, S3, IAM, KMS S3Vaultlib it’s yet another vault with the goal to give easy maintainability, use only AWS resource and with strong security patterns in mind.

Why a vault?

It’s a common pattern in SRE and DevSecOps to create resources environment unaware and configure the resource automatically when is deployed in a specific environment

S3Vaultlib Features

  • Use Server Side Encryption to store the objects on S3 with per-role KMS key
  • Use per role encryption with least privilege patterns to access the vault. Each role in the vault can only consume its own keymaterials
  • Special elevated privileged mode with a specific role able to produce and configure keymaterials, with only temporary access
  • Save, retrieve, update objects in the vault
  • Integrates flawlessly with Ansible by exposing an action plugin that allows you to expand templates by using variables / keymaterials from the vault
  • Powerful CLI to create, manage and update the objects in the vault
  • Easy maintainable via simple yaml file
  • Expose a flexyble python library to extend functionalities or implement the retrieval of keymaterials from your code.

S3vaultlib Architecture

S3Vaultlib requires no installation or security patches / updates. The architecture leverages entirely on AWS existing resource to create a secure vault with Role Base Access Control, versioning and region awareness.

It integrates with the IAM to generate the necessary roles and policies, KMS to generate per-role keys, S3 to configure the bucket policies to enforce high level of security and CloudFormation to create the Infrastructure as Code that combine all the above in a powerful vault.

Check In depth Architecture for more information


Example scenarios

  • Provisioning a vault: A simple example to see how to provision a vault via the command line interface
  • Configure NGINX with S3Vaultlib: A simple example where we deploy an environment unaware NGINX instance and it’s configured via S3Vaultlib ansible plugin

CLI Usage

The complete documentation can be found here: CLI Usage


Currently there are several alternative patterns used.

  • Configuration / Keymaterials encrypted in git
    Please don’t do this, really!
  • Vault by Hashicorp
    Full featured vault system, widely used in the DevOPS community. But it’s also yet another system to deploy and maintain in high availability and also, it requires keymaterials for the installation (since is not a native AWS component)
  • Very valid alternative offered by AWS. Still lack a bit of flexibility to be used transparently in your bootstrap pipelines for EC2 / Dockers / Lambdas / Applications

Project details

Download files

Download the file for your platform. If you're not sure which to choose, learn more about installing packages.

Files for s3vaultlib, version 4.0.2
Filename, size File type Python version Upload date Hashes
Filename, size s3vaultlib-4.0.2-py2.py3-none-any.whl (52.8 kB) File type Wheel Python version py2.py3 Upload date Hashes View
Filename, size s3vaultlib-4.0.2.tar.gz (52.7 kB) File type Source Python version None Upload date Hashes View

Supported by

AWS AWS Cloud computing Datadog Datadog Monitoring DigiCert DigiCert EV certificate Facebook / Instagram Facebook / Instagram PSF Sponsor Fastly Fastly CDN Google Google Object Storage and Download Analytics Microsoft Microsoft PSF Sponsor Pingdom Pingdom Monitoring Salesforce Salesforce PSF Sponsor Sentry Sentry Error logging StatusPage StatusPage Status page