Skip to content

AWS Secret CLI for manage SSM SecureString and SecretsManager

License

Notifications You must be signed in to change notification settings

lucasvieirasilva/aws-ssm-secrets-cli

Repository files navigation

AWS Secrets CLI

SonarCloud Status

Vulnerabilities Bugs Code Smells Technical Debt Lines of Code

Maintainability Rating Reliability Rating Security Rating Quality Gate Status

About

AWS Secrets CLI is a tool to manage SSM Parameter Store (SecureString and String) using KMS to encrypt your information. This tool enables you to store your secrets information without exposing it to your git repository.

Motivation

When you need to manage SSM parameter (SecureString) in multiple AWS Environments you need to create or update manually, because CloudFormation doesn't support SSM parameter type Secure, you can use AWS CLI or boto3 to establish the parameters for you, but you need to read the secrets values from somewhere. You can't store into your git repository.

AWS Secrets CLI provides you a Command Line Interface that manages your secrets using KMS, so you can store the config file into your git repository because your secrets will not expose, only for people that have access to KMS Key.

Install

pip install aws-ssm-secrets-cli

Requirements

It is necessary to create a KMS key before starting to create the parameter using the CLI.

You can create this key using AWS CLI, AWS SDK, console, or CloudFormation:

Example using CloudFormation:

Description: "KMS Key for Secrest"
Resources:
  Key:
    Type: AWS::KMS::Key
    Properties:
      KeyPolicy:
        Statement:
          - Action:
              - kms:Create*
              - kms:Describe*
              - kms:Enable*
              - kms:List*
              - kms:Put*
              - kms:Update*
              - kms:Revoke*
              - kms:Disable*
              - kms:Get*
              - kms:Delete*
              - kms:ScheduleKeyDeletion
              - kms:CancelKeyDeletion
              - kms:GenerateDataKey
              - kms:TagResource
              - kms:UntagResource
            Effect: Allow
            Principal:
              AWS: !Sub "arn:aws:iam::${AWS::AccountId}:root"
            Resource: "*"
          - Action:
              - kms:Decrypt
              - kms:Encrypt
              - kms:ReEncrypt*
              - kms:GenerateDataKey*
            Effect: Allow
            Principal:
              AWS: !Sub "arn:aws:iam::${AWS::AccountId}:root"
            Resource: "*"
        Version: "2012-10-17"
      Description: AWS KMS Key for secrets
    UpdateReplacePolicy: Retain
    DeletionPolicy: Retain

  KeyAlias:
    Type: AWS::KMS::Alias
    Properties:
      AliasName: alias/infra-scripts-secrets
      TargetKeyId: !GetAtt Key.Arn

Outputs:
  KeyArn:
    Description: KMS Key Arn
    Value: !GetAtt Key.Arn

Getting Started

Our fist config

For naming convention, you should give the environment name for the file name (e.g., dev.yaml)

kms:
  arn: KMS_KEY_ARN (String) #Required
encryption_sdk: "aws_encryption_sdk"
parameters:
  - name: myparametername
    value: "MySecretValueHere"
    type: SecureString
secrets:
  - name: mysecretname
    value: "MySecretValueHere"

or AWS Secrets manager with object

kms:
  arn: KMS_KEY_ARN (String) #Required
encryption_sdk: "aws_encryption_sdk"
parameters:
  - name: myparametername
    value: "MySecretValueHere"
    type: SecureString
secrets:
  - name: mysecretname
    value:
      user: myusername
      password: mypassword

Encrypt

To encrypt the parameter values, you need to use this command:

aws-secrets encrypt -e dev.yaml --profile myprofile --region eu-west-1

Decrypt

To edit the values, you can decrypt and re-encrypt the parameter values. You need to use this command:

aws-secrets decrypt -e dev.yaml --profile myprofile --region eu-west-1

At this moment, a new file has created dev.yaml.dec. If you want to decrypt in overwrite mode put the --output option with the same file name that you are decrypting.

aws-secrets decrypt -e dev.yaml --output dev.yaml --profile myprofile --region eu-west-1

After your changes you need to re-encrypt, you can do it using this command:

aws-secrets encrypt -e dev.yaml --profile myprofile --region eu-west-1

Create parameters into AWS Account

To deploy the parameter that you created on the last step, you need to execute this command:

aws-secrets deploy -e dev.yaml --profile myaws-profile --region eu-west-1

Now your parameters have been created in AWS Account.

Migrate KMS API to AWS Encryption SDK

The AWS Encryption SDK is a client-side encryption library designed to make it easy for everyone to encrypt and decrypt data using industry standards and best practices. It enables you to focus on the core functionality of your application, rather than on how to best encrypt and decrypt your data. The AWS Encryption SDK is provided free of charge under the Apache 2.0 license.

Full documentation: https://docs.aws.amazon.com/encryption-sdk/latest/developer-guide/introduction.html

Using AWS Encryption enables AWS Secrets CLI to encrypt data with more than 4KB.

Migration process

  1. Decrypt all SSM parameter and Secrets manager:
aws-secrets decrypt -e dev.yaml --output dev.yaml --profile myprofile --region eu-west-1
  1. Update YAML configuration to add the encryption_sdk with aws_encryption_sdk value.
kms:
  arn: KMS_KEY_ARN
encryption_sdk: "aws_encryption_sdk"
parameters:
  - name: myparametername
    value: "MySecretValueHere"
    type: SecureString
secrets:
  - name: mysecretname
    value: "MySecretValueHere"

Currently, the default value is boto3

  1. Re-encrypt the YAML configuration file
aws-secrets encrypt -e dev.yaml --profile myprofile --region eu-west-1

Configuration Schema

tags: # Global tags, applied to all the resources
  key: 'string' # key/value pair
kms:
  arn: 'string' # Required, KMS ARN
encryption_sdk: 'aws_encryption_sdk' | 'boto3'
parameters: # AWS SSM Parameter Section
  - name: 'string' # Required, Parameter Name
    description: 'string' # Optional, Parameter Description
    type: 'String|SecureString' # Required, Parameter Type
    value: 'string' # Required only for Type 'String' or if it is some YAML tag (e.g. !file or !cmd)
    tier: 'Standard|Advanced|Intelligent-Tiering' # Optional, Parameter Tier, default 'Standard'
    tags: # Optional, Parameter Tags, it is extended with the global tags
      key: 'string'
secrets: # AWS Secrets Manager secrets Section
  - name: 'string' # Required, Secret Name
    description: 'string' # Optional, Secret Description
    value: 'string' # Required only if it is some YAML tag (e.g. !file or !cmd)
    tags: # Optional, Secret Tags, it is extended with the global tags
      key: 'string'
secrets_file: 'Path' # Optional, Secrets file path, default '<config-filename>.secrets.yaml'

Command Line Interface

Command options differ depending on the command, and can be found by running:

aws-secrets --help
aws-secrets COMMAND --help

encrypt

To encrypt SecureString parameters and secrets values in the environment file.

aws-secrets encrypt
  --env-file
  [--profile]
  [--region]

Options

Option Description Data Type Required Options Default
--env-file or -e Environment file path String true
--profile AWS Profile String false
--region AWS Region String false

decrypt

To decrypt SecureString parameters and secrets values in the environment file.

aws-secrets decrypt
  --env-file
  [--profile]
  [--region]

Options

Option Description Data Type Required Options Default
--env-file or -e Environment file path String true
--profile AWS Profile String false
--region AWS Region String false

set-parameter

Create or modify the SSM parameter in the environment file.

aws-secrets set-parameter
  --env-file
  --name
  [--description]
  [--kms]
  [--type]
  [--profile]
  [--region]

Options

Option Description Data Type Required Options Default
--env-file or -e Environment file path String true
--name or -n SSM Parameter Name String true
--description or -d SSM Parameter Description String false
--type or -t SSM Parameter Type String true String and SecureString SecureString
--kms or -k KMS Id or ARN String true
--profile AWS Profile String false
--region AWS Region String false

set-secret

Create or modify secrets in the environment file.

aws-secrets set-secret
  --env-file
  --name
  [--description]
  [--kms]
  [--profile]
  [--region]

Options

Option Description Data Type Required Options Default
--env-file or -e Environment file path String true
--name or -n Secret Name String true
--description or -d Secret Description String false
--kms or -k KMS Id or ARN String true
--profile AWS Profile String false
--region AWS Region String false

view-parameter

View the SSM parameter value in the environment file.

aws-secrets view-parameter
  --env-file
  --name
  [--profile]
  [--region]

Options

Option Description Data Type Required Options Default
--env-file or -e Environment file path String true
--name or -n SSM Parameter Name String true
--profile AWS Profile String false
--region AWS Region String false

deploy

Create or update SSM parameters and secrets in the AWS Account.

aws-secrets deploy
  --env-file
  [--filter-pattern]
  [--dry-run]
  [--confirm]
  [--only-secrets]
  [--only-parameters]
  [--profile]
  [--region]

Options

Option Description Data Type Required Options Default
--env-file or -e Environment file path String true
--filter-pattern Filter Pattern (e.g /app/db/*/password match with /app/db/dev/password or /app/db/prod/password ) String false
--dry-run Execution without apply the changes on the environment Boolean false false
--confirm Confirm prompt before apply the changes Boolean false false
--only-secrets Apply changes just for AWS Secrets Boolean false false
--only-parameters Apply changes just for SSM Parameters Boolean false false
--profile AWS Profile String false
--region AWS Region String false

Resolvers

This CLI implements resolvers, which can be used to resolve the value of a command output or a CloudFormation output value.

!file

This resolver is designed to load a file content to the SSM Parameter or Secrets Manager Value.

Example:

---
secrets:
  - name: mysecret
    value: !file myfile.txt
!cf_output

This resolver can be used in parameters[*].value, secrets[*].value and kms.arn properties.

Example:

kms:
  arn: !cf_output "mystack.MyOutputKey"
parameters:
  - name: myparameter-name
    type: String
    value: !cf_output "mystack.MyOutputKey"
kms:
  arn: !cf_output "mystack.MyOutputKey.us-east-1"
parameters:
  - name: myparameter-name
    type: String
    value: !cf_output "mystack.MyOutputKey.us-east-1"
!cmd

This resolver can be used in parameters[*].value and secrets[*].value properties.

Example:

kms:
  arn: "arn:aws:kms:us-west-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab"
parameters:
  - name: myparameter-name
    type: SecureString
    value: !cmd 'echo "Teste"'
providers
cf

CloudFormation Stack Output resolver

Usage

${cf:stack-name.output-name}

With default values

${cf:stack-name.output-name, 'mydefaultvalue'}
session

AWS Credentials Session resolver

Usage

${session:profile} or ${session:region}

With default values

${session:profile, 'myprofile'} or ${session:region, 'us-east-1'}
aws

AWS Provider resolves the AWS CLI --profile and --region based on the aws-secrets CLI.

Usage

${aws:profile} or ${aws:region}

With default values

${aws:profile, 'myprofile'} or ${aws:region, 'us-east-1'}

Example:

With the config file:

kms:
  arn: !cf_output "mystack.KeyArn"
parameters:
  - description: My SSM Parameter
    name: /my/ssm/param
    type: SecureString
    value: !cmd 'aws s3 ls ${aws:profile} ${aws:region, "eu-west-1"}'

When run the aws-secrets with the --profile or --region

aws-secrets -e conf.yaml --profile myprofile --region us-east-1

The AWS CLI command will be execute this command:

aws s3 ls --profile myprofile --region us-east-1

If --profile not be speficied in the aws-secrets execution, like this:

aws-secrets -e conf.yaml --region us-east-1

The AWS CLI command will be execute this command:

aws s3 ls --region eu-west-1

The --region continue in the command because the resolver has the default value with eu-west-1 in the config file.

Global Tags

You also can include Tags on a global level:

tags:
  SomeKey: SomeValue
kms:
  arn: "arn:aws:kms:us-west-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab"
parameters: ...
secrets: ...

About

AWS Secret CLI for manage SSM SecureString and SecretsManager

Resources

License

Stars

Watchers

Forks

Packages

No packages published

Languages