Skip to content
/ awsec Public

Store secrets in AWS Parameter Store.

License

Notifications You must be signed in to change notification settings

grimdork/awsec

Repository files navigation

awsec CodeQL goreleaser

Store secrets in AWS Parameter Store.

What

This tool treats Amazon Web Services Parameter Store as a repository for secrets. Simple strings, encrypted strings (with KMS keys) and string lists are supported there, and this tool helps set and retrieve them more conveniently.

Installing

Install from source

If you have Go v1.17 or later installed:

go install github.com/grimdork/[email protected]

Or just clone the project with git clone [email protected]:grimdork/awsec.git if you want to contribute.

Download packages directly

Download a suitable package from the official package page.

Homebrew

If you have Homebrew installed on macOS or Linux:

brew tap grimdork/tools
brew install grimdork/tools/awsec

Setup

Everything needed to make aws-cli run should already be set up. If your company uses Parameter Store, you probably also use AWS tools. You need two comfiguration files at minimum:

  • ~/.aws/config
  • ~/.aws/credentials

Check AWS documentation for specifics.

How

List secrets

The simplest invocation lists all secrets in your configured AWS account:

awsec ls

This lists every secret in the configured parameter store.

You can also specify the beginning portion of keys to narrow down the list:

awsec ls secrets/internal

NOTE:

  • Parameter Store requires keys to start with a slash. This tool adds it automatically when missing, where it makes sense.
  • Keys your IAM user doesn't have access to may still be listed. You still can't fetch their contents.
  • You can create policies to set up path-based permissions, limiting certain paths to be accessible only to some users. For instance, you may have a policy for "/secrets*" and another for "/admin*", and users with access to only one can't create or get values starting with the other path. See AWS documentation on IAM policies and groups for further reference.

Get a secret

awsec get secrets/internal/dbpasswords

retrieves a parameter named /secrets/internal/dbpasswords from the Parameter Store, provided that you have permission to do so.

Set a secret

awsec set secrets/internal/testpw 123456 -s

sets the key secrets/internal/testpw to 123456 and flags it as secure, which enables AWS KMS encryption.

You can also set string lists (comma-separated values):

awsec set secrets/internal/var-list one,1,two,2 -l

This sets four values, which well be presented in pairs when you use get. This is useful for small configuration files. Technically it's also usable for password lists, but if you want the maximum security use Securestring and split them up.

The -d flag allows you to set a description for a key:

awsec set -d "This key is a test." secrets/test "This is the test key's value."

Finally, it's also possibly to set a key value from a file:

awsec set -f secrets/ssh/prod-web prod-web.pem

puts the contents of the file prod-web.pem into the key secrets/ssh/prod-web.

Tag a secret

AWS allows keys to have tags in addition to descriptions. Tags are used for many things, including filtering billing information. For example:

awsec tag secrets/ssh/prod-web -t customer=internal

This command updates the secret secrets/ssh/prod-web and sets the tag customer to internal.

NOTE: Each AWS resource can have a maximum of 50 tags.

Rename a secret

You can rename a key (sort of) like this:

awsec rename secrets/ssh/prod-web secrets/ssh/prod-old-web

This copies the contents of secrets/ssh/prod-web to a key named secrets/ssh/prod-old-web and deletes secrets/ssh/prod-web.

NOTE: If removal fails because of lacking permissions, you may end up with a duplicate key. Check policies if this happens.

Remove a key

awsec rm secrets/ssh/prod-web

removes the key secrets/ssh/prod-web, asking to confirm. Use the -f flag to skip the question.