binxio / Cfn Secret Provider

Licence: apache-2.0
A CloudFormation custom resource provider for deploying secrets and keys

cfn-secret-provider

A CloudFormation custom resource provider for managing secrets, private keys and EC2 key pairs.

One of the biggest problems I encounter in creating immutable infrastructures is dealing with secrets. Secrets must always be different per environment and are therefore parameterized. As we automate everything, passwords often end up in parameter files and have to be passed around to people and applications; this is not a good thing. With this custom CloudFormation resource we put an end to that. Secrets are generated, stored in the EC2 Parameter Store, and access to the secrets can be controlled through security policies.

How do I generate a secret?

It is quite easy: you specify a CloudFormation resource of type Custom::Secret, as follows:

  DBPassword:
    Type: Custom::Secret
    Properties:
      Name: /demo/PGPASSWORD
      KeyAlias: alias/aws/ssm
      Alphabet: abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789
      Length: 30
      ReturnSecret: true
      ServiceToken: !Sub 'arn:aws:lambda:${AWS::Region}:${AWS::AccountId}:function:binxio-cfn-secret-provider'

After the deployment, a 30 character random string can be found in the EC2 Parameter Store under the name /demo/PGPASSWORD.

If you need to access the secret in your CloudFormation template, you need to set ReturnSecret to true and reference it as the attribute Secret.

  Database:
    Type: AWS::RDS::DBInstance
    Properties:
      MasterUserPassword: !GetAtt 'DBPassword.Secret'
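The following is an added illustration, not the project's own provider code: a hypothetical Create handler that receives the Custom::Secret properties shown above in the shape CloudFormation sends them to a custom resource Lambda, generates the value with the OS CSPRNG from Alphabet and Length, stores it, and exposes the Secret attribute only when ReturnSecret is set. The request event is constructed, and a dict stands in for the parameter store so the example runs offline.

```python
import secrets

# Constructed request, shaped like what CloudFormation sends to a custom
# resource provider. Scalar property values arrive as strings, so Length
# and ReturnSecret are strings here as well.
SAMPLE_EVENT = {
    "RequestType": "Create",
    "ResourceType": "Custom::Secret",
    "LogicalResourceId": "DBPassword",
    "ResourceProperties": {
        "Name": "/demo/PGPASSWORD",
        "KeyAlias": "alias/aws/ssm",
        "Alphabet": "abcdefghijklmnopqrstuvwxyz"
                    "ABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789",
        "Length": "30",
        "ReturnSecret": "true",
    },
}


def generate_secret(alphabet: str, length: int) -> str:
    """Draw `length` characters from `alphabet` using the OS CSPRNG."""
    if length <= 0 or not alphabet:
        raise ValueError("Length must be positive and Alphabet non-empty")
    return "".join(secrets.choice(alphabet) for _ in range(length))


def handle_create(event: dict, parameter_store: dict) -> dict:
    """Hypothetical Create handler (not the project's code).

    `parameter_store` stands in for SSM Parameter Store; a real provider
    would call ssm:PutParameter with Type SecureString and KeyId=KeyAlias.
    """
    props = event["ResourceProperties"]
    name = props["Name"]
    if not name.startswith("/"):
        raise ValueError("Name must be a full parameter path, e.g. /demo/PGPASSWORD")
    secret = generate_secret(props["Alphabet"], int(props["Length"]))
    parameter_store[name] = {
        "Type": "SecureString",
        "KeyId": props["KeyAlias"],
        "Value": secret,
    }
    response = {"Status": "SUCCESS", "PhysicalResourceId": name, "Data": {}}
    # Only expose the value as the `Secret` attribute (for !GetAtt) when the
    # template asks for it; otherwise it is reachable via the parameter store only.
    if str(props.get("ReturnSecret", "false")).lower() == "true":
        response["Data"]["Secret"] = secret
    return response
```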

How do I add a private key?

In the same manner you can specify an RSA private key as a CloudFormation resource of type Custom::RSAKey:

  PrivateKey:
    Type: Custom::RSAKey
    Properties:
      Name: /demo/private-key
      KeyAlias: alias/aws/ssm
      ServiceToken: !Sub 'arn:aws:lambda:${AWS::Region}:${AWS::AccountId}:function:binxio-cfn-secret-provider'

After the deployment, the newly generated private key can be found in the EC2 Parameter Store under the name /demo/private-key:

$ aws ssm get-parameter --name /demo/private-key --with-decryption --query Parameter.Value --output text

If you need to access the public key of the newly generated private key, you can reference it as the attribute PublicKey. Most likely, you would use this in the Custom::KeyPair resource to create an EC2 key pair:

  KeyPair:
    Type: Custom::KeyPair
    DependsOn: PrivateKey
    Properties:
      Name: CustomKeyPair
      PublicKeyMaterial: !GetAtt 'PrivateKey.PublicKey'
      ServiceToken: !Sub 'arn:aws:lambda:${AWS::Region}:${AWS::AccountId}:function:binxio-cfn-secret-provider'

This creates the EC2 key pair named CustomKeyPair from the generated private key. The private key is now securely stored in the EC2 Parameter Store, and the public key can be used to grant access to specific EC2 instances. See Amazon EC2 Key Pairs for more information.

Installation

To install these custom resources, type:

aws cloudformation create-stack \
       --capabilities CAPABILITY_IAM \
       --stack-name cfn-secret-provider \
       --template-body file://cloudformation/cfn-resource-provider.yaml

aws cloudformation wait stack-create-complete  --stack-name cfn-secret-provider 

This CloudFormation template will use our pre-packaged provider from s3://binxio-public-${AWS_REGION}/lambdas/cfn-secret-provider-1.3.1.zip.

or use

Demo

To install the simple sample of the Custom Resource, type:

aws cloudformation create-stack --stack-name cfn-secret-provider-demo \
       --template-body file://cloudformation/demo-stack.yaml
aws cloudformation wait stack-create-complete  --stack-name cfn-secret-provider-demo

To validate the result, type:

aws ssm get-parameter --name /cfn-secret-provider-demo/demo/PGPASSWORD --with-decryption
aws ssm get-parameter --name /cfn-secret-provider-demo/demo/private-key  --with-decryption
aws ec2 --output text describe-key-pairs --key-names cfn-secret-provider-demo-custom-key-pair

Conclusion

With this solution:

  • secrets are generated per environment
  • always stored encrypted in the parameter store
  • where access to the secrets is audited and controlled!