SM is an open-source, self-hosted secrets manager with zero cost. The idea behind SM is that it must be completely free of charge, so all resources as well as the hosting are chosen with that in mind.
- AWS account to host the infrastructure
- Vercel account to host the web app
The infrastructure.sh script deploys the necessary AWS resources. The following resources will be deployed:

- Cognito User Pool
- Cognito Identity Pool
- IAM role
- IAM policy

A database is not needed, as secrets are stored encrypted in AWS Systems Manager Parameter Store. Secrets are AES encrypted by the API before being stored in Parameter Store, so that only the API that holds the encryption passphrase is able to decrypt them. Parameter Store alone therefore never holds usable plaintext: an AWS principal that can read the parameters still needs the API's passphrase. All resources are within the AWS free tier.
To avoid latency, it is recommended to deploy the resources to us-east-1, since it is the default deployment region for Vercel and cannot be changed for hobby accounts. To deploy the resources, create an IAM user with programmatic access and administrator access, then run the following command. Delete the user once the resources have been deployed. Take note of the output, as it will be used as environment variables in the web app.
```shell
AWS_DEFAULT_REGION=us-east-1 \
AWS_ACCESS_KEY_ID=my-access-key \
AWS_SECRET_ACCESS_KEY=my-secret-access-key \
./infrastructure/infrastructure.sh
```
The resources should now be created. By default, users cannot sign themselves up from your app, but you can create users from the AWS Management Console. This behavior can of course be changed to match your preferences; learn more about creating users and how to change this setting here.
The last step in this section is to unlock the authentication provider, Cognito User Pool, in the Cognito Identity Pool console. Use the following procedure to do so:

- Head over to the Cognito Identity Pool console and select the identity pool.
- In the top-right corner of the Dashboard page, choose Edit identity pool. The Edit identity pool page appears.
- Scroll down and choose Authentication providers to expand it.
- Choose the Cognito tab.
- Choose Unlock.
- Choose Save Changes.
Run the web app locally to try it out and to make sure everything is set up correctly.

Copy env.local.example to .env.local and configure the environment variables in that file:

```shell
cp env.local.example .env.local
```

Install dependencies:

```shell
yarn install
```

Run the web app locally:

```shell
yarn run dev
```

The web app is available at localhost:3000 and the Swagger UI at localhost:3000/docs.
Install dependencies:

```shell
yarn install
```

Log in to your Vercel account:

```shell
yarn run vercel login
```

Link your local directory to a Vercel project. You can link to an existing project or, preferably, create a new one:

```shell
yarn run vercel link
```

A project should now be visible in the Vercel dashboard. Before deploying, configure the environment variables directly from the Project Settings. The necessary environment variables are listed in the .env.local.example file.

Deploy:

```shell
yarn run vercel deploy --prod
```
Simple bash scripts can be used to migrate secrets from other secrets managers to SM. Usually, secrets can be exported in CSV format; the following shows an example export from LastPass:

```csv
url,username,password,totp,extra,name,grouping,fav
http://example.com,example@example.com,my-secret,,,my-name,password,0
http://demo.com,demo@example.com,my-secret2,,,my-name2,password,0
```

The following bash script loops through the CSV entries and creates items in SM. The JSON body is built with jq so that a password containing a double quote or a backslash is escaped correctly instead of producing a malformed request. Note that splitting on IFS="," does not understand quoted CSV fields, so entries whose password or name contains a comma need to be handled separately.

```bash
#!/bin/bash
set -euo pipefail

TOKEN=$MY_SM_TOKEN # set token as environment variable

# Skip the header row, then read each CSV field into its own variable
while IFS="," read -r url username password totp extra name grouping fav
do
  # Build the request body with jq so that field values are JSON-escaped
  body=$(jq -n --arg title "$name" --arg username "$username" --arg secret "$password" \
    '{data:{type:"logins",attributes:{title:$title,path:"/",username:$username,secret:$secret,note:$title}}}')
  curl "https://sm.vercel.app/api/v1/logins" \
    -H "content-type: application/json" \
    -H "authorization: $TOKEN" \
    --data-raw "$body"
done < <(tail -n +2 input.csv)
```
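LastPass exports quote any field that contains a comma, a double quote or a newline, which a plain `read` loop cannot parse. The block below is an added example, not part of SM or the original README, showing the same migration in Node: a small RFC 4180 CSV parser handles quoted fields, each record is mapped to the request body used by the bash script above, and `JSON.stringify` takes care of escaping. The API path, header names and body shape are taken from that script; the sample CSV (including a password with an embedded comma and quote) is constructed for the example, and `postItem` assumes a Node version with the global `fetch`.

```javascript
// Minimal RFC 4180 CSV parser: handles quoted fields containing commas,
// doubled quotes ("") and line breaks. Returns an array of rows (arrays of strings).
function parseCsv(text) {
  const rows = [];
  let row = [];
  let field = '';
  let inQuotes = false;
  for (let i = 0; i < text.length; i++) {
    const c = text[i];
    if (inQuotes) {
      if (c === '"') {
        if (text[i + 1] === '"') { field += '"'; i++; } // escaped quote
        else inQuotes = false;                           // closing quote
      } else {
        field += c;
      }
    } else if (c === '"') {
      inQuotes = true;
    } else if (c === ',') {
      row.push(field); field = '';
    } else if (c === '\n') {
      row.push(field); rows.push(row); row = []; field = '';
    } else if (c !== '\r') {
      field += c;
    }
  }
  if (field.length > 0 || row.length > 0) { row.push(field); rows.push(row); }
  return rows;
}

// Map each LastPass record to the SM "logins" request body used by the bash
// script on this page. Columns are looked up by header name, not position.
function lastPassToSmItems(csvText) {
  const [header, ...records] = parseCsv(csvText);
  return records.map((r) => {
    const e = Object.fromEntries(header.map((h, i) => [h, r[i] ?? '']));
    return {
      data: {
        type: 'logins',
        attributes: { title: e.name, path: '/', username: e.username, secret: e.password, note: e.name },
      },
    };
  });
}

// POST one item to the SM API. JSON.stringify escapes quotes and backslashes,
// so field contents can never break out of the JSON structure.
async function postItem(baseUrl, token, item) {
  const res = await fetch(`${baseUrl}/api/v1/logins`, {
    method: 'POST',
    headers: { 'content-type': 'application/json', authorization: token },
    body: JSON.stringify(item),
  });
  if (!res.ok) throw new Error(`SM API returned HTTP ${res.status}`);
  return res.json();
}

// Constructed sample export. The third row has a password with a comma and a
// quote and a name with a comma, which a naive split on "," would mangle.
const SAMPLE_LASTPASS_CSV = [
  'url,username,password,totp,extra,name,grouping,fav',
  'http://example.com,example@example.com,my-secret,,,my-name,password,0',
  'http://demo.com,demo@example.com,"pa,ss""word",,,"my, name",password,0',
].join('\n');

const items = lastPassToSmItems(SAMPLE_LASTPASS_CSV);
console.log(`parsed ${items.length} items; second secret:`, items[1].data.attributes.secret);
// To migrate for real (not run here): set SM_TOKEN and uncomment.
// for (const item of items) await postItem('https://sm.vercel.app', process.env.SM_TOKEN, item);
```

Run it with `node migrate.js` (the file name is an assumption); only the parsing runs by default, so the output can be inspected before anything is sent to the API.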