ejsonkms

ejsonkms combines the ejson library with AWS Key Management Service to simplify deployments on AWS. The EJSON private key is encrypted with KMS and stored inside the EJSON file as _private_key_enc. Access to decrypt secrets can be controlled with IAM permissions on the KMS key.

Install

Precompiled binaries can be downloaded from releases.

Go

go install github.com/envato/ejsonkms@latest

# Move binary to somewhere on $PATH. E.g.,
sudo cp "${GOBIN:-$HOME/go/bin}/ejsonkms" /usr/local/bin/

ejsonkms

This will install the binary to $GOBIN/ejsonkms.

Usage

Generating an EJSON file:

$ ejsonkms keygen --aws-region us-east-1 --kms-key-id bc436485-5092-42b8-92a3-0aa8b93536dc -o secrets.ejson
Private Key: ae5969d1fb70faab76198ee554bf91d2fffc44d027ea3d804a7c7f92876d518b
$ cat secrets.ejson
{
  "_public_key": "6b8280f86aff5f48773f63d60e655e2f3dd0dd7c14f5fecb5df22936e5a3be52",
  "_private_key_enc": "S2Fybjphd3M6a21zOnVzLWVhc3QtMToxMTExMjIyMjMzMzM6a2V5L2JjNDM2NDg1LTUwOTItNDJiOC05MmEzLTBhYThiOTM1MzZkYwAAAAAycRX5OBx6xGuYOPAmDJ1FombB1lFybMP42s7PGmoa24bAesPMMZtI9V0w0p0lEgLeeSvYdsPuoPROa4bwnQxJB28eC6fHgfWgY7jgDWY9uP/tgzuWL3zuIaq+9Q=="
}

Encrypting:

$ ejsonkms encrypt secrets.ejson

Decrypting:

$ ejsonkms decrypt secrets.ejson
{
  "_public_key": "6b8280f86aff5f48773f63d60e655e2f3dd0dd7c14f5fecb5df22936e5a3be52",
  "_private_key_enc": "S2Fybjphd3M6a21zOnVzLWVhc3QtMToxMTExMjIyMjMzMzM6a2V5L2JjNDM2NDg1LTUwOTItNDJiOC05MmEzLTBhYThiOTM1MzZkYwAAAAAycRX5OBx6xGuYOPAmDJ1FombB1lFybMP42s7PGmoa24bAesPMMZtI9V0w0p0lEgLeeSvYdsPuoPROa4bwnQxJB28eC6fHgfWgY7jgDWY9uP/tgzuWL3zuIaq+9Q==",
  "environment": {
    "my_secret": "secret123"
  }
}

Exporting shell variables (from ejson2env):

$ exports=$(ejsonkms env secrets.ejson)
$ echo $exports
export my_secret=secret123
$ eval $exports
$ echo my_secret
secret123

Note that only secrets under the "environment" key will be exported using the env command.

pre-commit hook

A pre-commit hook is also supported to automatically run ejsonkms encrypt on all .ejson files in a repository.

To use, add the following to a .pre-commit-conifg.yaml file in your repository:

repos:
  - repo: https://github.com/envato/ejsonkms
    hooks:
      - id: run-ejsonkms-encrypt

Name		Name	Last commit message	Last commit date
Latest commit History 64 Commits
.github/workflows		.github/workflows
cmd/ejsonkms		cmd/ejsonkms
local_kms		local_kms
testdata		testdata
.gitignore		.gitignore
.goreleaser.yaml		.goreleaser.yaml
.pre-commit-hooks.yaml		.pre-commit-hooks.yaml
Dockerfile		Dockerfile
LICENSE.txt		LICENSE.txt
Makefile		Makefile
README.md		README.md
VERSION		VERSION
actions.go		actions.go
actions_test.go		actions_test.go
docker-compose.yml		docker-compose.yml
ejsonkms.go		ejsonkms.go
ejsonkms_test.go		ejsonkms_test.go
go.mod		go.mod
go.sum		go.sum
kms.go		kms.go

License

envato/ejsonkms

Folders and files

Latest commit

History

Repository files navigation

ejsonkms

Install

Go

Usage

pre-commit hook

About

Resources

License

Stars

Watchers

Forks

Languages