aws-vault-parent

Library to manage larger secrets like certificates or full configuration files in S3 with client-side encryption with KMS generated random data keys

License

License

Categories

Categories

AWS Container PaaS Providers
GroupId

GroupId

com.nitorcreations
ArtifactId

ArtifactId

aws-vault-parent
Last Version

Last Version

0.16
Release Date

Release Date

Type

Type

pom
Description

Description

aws-vault-parent
Library to manage larger secrets like certificates or full configuration files in S3 with client-side encryption with KMS generated random data keys
Project URL

Project URL

http://github.com/NitorCreations/vault
Source Code Management

Source Code Management

https://github.com/NitorCreations/vault

Download aws-vault-parent

How to add to project

<!-- https://jarcasting.com/artifacts/com.nitorcreations/aws-vault-parent/ -->
<dependency>
    <groupId>com.nitorcreations</groupId>
    <artifactId>aws-vault-parent</artifactId>
    <version>0.16</version>
    <type>pom</type>
</dependency>
// https://jarcasting.com/artifacts/com.nitorcreations/aws-vault-parent/
implementation 'com.nitorcreations:aws-vault-parent:0.16'
// https://jarcasting.com/artifacts/com.nitorcreations/aws-vault-parent/
implementation ("com.nitorcreations:aws-vault-parent:0.16")
'com.nitorcreations:aws-vault-parent:pom:0.16'
<dependency org="com.nitorcreations" name="aws-vault-parent" rev="0.16">
  <artifact name="aws-vault-parent" type="pom" />
</dependency>
@Grapes(
@Grab(group='com.nitorcreations', module='aws-vault-parent', version='0.16')
)
libraryDependencies += "com.nitorcreations" % "aws-vault-parent" % "0.16"
[com.nitorcreations/aws-vault-parent "0.16"]

Dependencies

There are no dependencies for this project. It is a standalone project that does not depend on any other jars.

Project Modules

  • java
  • java-2
  • java-cli

nitor-vault

Command line tools and libraries for encrypting keys and values using client-side encryption with AWS KMS keys.

Example usage

Initialize vault bucket and other infrastructure: vault --init. Will create a CloudFormation stack.

Encrypt a file and store in vault bucket: vault -s my-key -f <file>

Decrypt a file: vault -l <file>

Encrypt a single value and store in vault bucket vault -s my-key -v my-value

Decrypt a single value vault -l my-key

Using encrypted CloudFormation stack parameters

Encrypt a value like this: $ vault -e 'My secret value'

The command above will print the base64 encoded value encrypted with your vault KMS key. Use that value in a CF parameter. The value is then also safe to commit into version control and you can use it in scripts for example like this:

#!/bin/bash

MY_ENCRYPTED_SECRET="AQICAHhu3HREZVp0YXWZLoAceH1Nr2ZTXoNZZKTriJY71pQOjAHKtG5uYCdJOKYy9dhMEX03AAAAbTBrBgkqhkiG9w0BBwagXjBcAgEAMFcGCSqGSIb3DQEHATAeBglghkgBZQMEAS4wEQQMYy/tKGJFDQP6f9m1AgEQgCq1E1q8I+btMUdwRK8wYFNyE/5ntICNM96VPDnYbeTgcHzLoCx+HM1cGvc"


UNENCRYPTED_SECRET="$(vault -y $MY_ENCRYPTED_SECRET)"

Obviously you need to make sure that in the context of running vault there is some sort of way for providing kms permissions by for example adding the decryptPolicy managed policy from the vault cloudformation stack to the ec2 instance or whatever runs the code.

To decrypt the parameter value at stack creation or update time, use a custom resource:

Parameters:
  MySecret:
    Type: String
    Description: Param value encrypted with KMS
Resources:
  DecryptSecret:
    Type: "Custom::VaultDecrypt"
    Properties:
      ServiceToken: "arn:aws:lambda:<region>:<account-id>:function:vault-decrypter"
      Ciphertext: { "Ref": "MySecret" }
  DatabaseWithSecretAsPassword:
    Type: "AWS::RDS::DBInstance"
    Properties:
      ...
      MasterUserPassword:
        Fn::Sub: ${DecryptSecret.Plaintext}

Licence

Apache 2.0

com.nitorcreations

Nitor Creations

Versions

Version
0.16
0.15