psibi / rucredstash

Licence: other
Utility for managing credentials securely in AWS cloud

Rucredstash

Crates.io MIT licensed Build Status

Introduction

Rucredstash is a Rust port of CredStash.

It uses a combination of AWS Key Management Service (KMS) and DynamoDB to store secrets. This is needed when you want to store and retrieve your credentials (like database passwords, API keys, etc.) securely. A more detailed tutorial is here.

This package offers its interface both as a CLI and as a library. The CLI is meant as a drop-in replacement for the original credstash program and therefore tries to have the exact same interface as the original program.

Usage

rucredstash 0.8.0
Sibi Prabakaran
A credential/secret storage system

USAGE:
    rucredstash [OPTIONS] [SUBCOMMAND]

FLAGS:
    -h, --help       Prints help information
    -V, --version    Prints version information

OPTIONS:
    -a, --arn <ARN>                  AWS IAM ARN for AssumeRole
    -m, --mfa_serial <MFA_SERIAL>    Optional MFA hardware device serial number or virtual device ARN
    -p, --profile <PROFILE>          Boto config profile to use when connecting to AWS
    -r, --region <REGION>            the AWS region in which to operate. If a region is not specified, credstash will
                                     use the value of the AWS_DEFAULT_REGION env variable, or if that is not set, the
                                     value in `~/.aws/config`. As a last resort, it will use us-east-1
    -t, --table <TABLE>              DynamoDB table to use for credential storage. If not specified, credstash will use
                                     the value of the CREDSTASH_DEFAULT_TABLE env variable, or if that is not set, the
                                     value `credential-store` will be used

SUBCOMMANDS:
    delete    Delete a credential from the store
    get       Get a credential from the store
    getall    Get all credentials from the store
    help      Prints this message or the help of the given subcommand(s)
    keys      List all keys in the store
    list      List credentials and their versions
    put       Put a credential into the store
    putall    Put credentials from json or file into the store
    setup     setup the credential store

Installation

See Github releases: https://github.com/psibi/rucredstash/releases

Executables are available for all three major platforms: Linux, Windows and macOS.

Infrastructure Setup

For rucredstash to work, you need to set up the following AWS infrastructure:

  • Create a customer managed key (CMK)
    • Services => KMS => Create Key => Input "credstash" for Key Alias
  • Create DynamoDB table
    • rucredstash setup

Usage Examples

Different ways of passing AWS credentials

The simplest case is to export the proper environment variables and use them:

$ export AWS_ACCESS_KEY_ID=xxxx
$ export AWS_SECRET_ACCESS_KEY=xxxx
$ rucredstash list
hello            -- version 0000000000000000001 --comment
hellehllobyegood -- version 0000000000000000001 --comment
hello1           -- version 0000000000000000001 --comment

Note that rucredstash by default uses DefaultCredentialsProvider, so your credentials will be based on that. But it even allows other complex usage scenarios:

$ export AWS_ACCESS_KEY_ID=xxxx
$ export AWS_SECRET_ACCESS_KEY=xxxx
$ rucredstash --arn arn:aws:iam::786946123934:role/admin --mfa_serial arn:aws:iam::786946123934:mfa/sibi --region us-west-2 list
Enter MFA Code: xxxxx
hello            -- version 0000000000000000001 --comment
hellehllobyegood -- version 0000000000000000001 --comment
hello1           -- version 0000000000000000001 --comment

Note that the MFA functionality isn't present in the original credstash program (the Python program). You can also run this tool through programs like aws-env. Example:

$ aws-env rucredstash list
hello            -- version 0000000000000000001 --comment
hellehllobyegood -- version 0000000000000000001 --comment
hello1           -- version 0000000000000000001 --comment

Other usage examples

Put secret value

$ rucredstash put hello world
hello has been stored

You can also use the encryption context associated with the credential:

$ rucredstash put nasdaq nifty500 market=world
nasdaq has been stored

Or even multiple encryption contexts:

$ rucredstash put vanguard vanguardsecret market=world indexfunds=us
vanguard has been stored

Get secret value

$ rucredstash get hello1
world1

Now let's also try to retrieve using the encryption context:

$ rucredstash get nasdaq market=world
nifty500

And using multiple encryption contexts:

$ rucredstash get vanguard market=world indexfunds=us
vanguardsecret

Get all secret values

$ rucredstash getall
{
  "hellehllobyegood": "dam",
  "hello": "world",
  "hello1": "world1"
}

You can get that in other formats too:

$ rucredstash getall --format yaml
hello: world
hellehllobyegood: dam
hello1: world1

List credentials with other metadata

$ rucredstash list
hello            -- version 0000000000000000001 --comment
hellehllobyegood -- version 0000000000000000001 --comment
hello1           -- version 0000000000000000001 --comment

Get all keys

$ rucredstash keys
hello
hellehllobyegood
hello1

Delete a specific key

$ rucredstash delete hello
Deleting hello --version 0000000000000000001

Put a bunch of secrets (putall subcommand)

You can pass the input from a file using the special symbol @ to indicate that the data is fed from the file:

$ bat secrets.json
───────┬────────────────────────────────────────
       │ File: secrets.json
───────┼────────────────────────────────────────
   1   │ {
   2   │     "hello": "world",
   3   │     "hi": "bye"
   4   │ }
───────┴────────────────────────────────────────
$ rucredstash putall @secrets.json
hello has been stored
hi has been stored

You can also pass the data via stdin using the special operator -:

$ rucredstash putall -
{ "hello": "world" }
hello has been stored

Note that the passed data should be in json format. You press the Enter key to indicate that you have finished passing the data.

You can also pass the data directly as an argument:

$ rucredstash putall '{"hello":"world","hi":"bye"}'
hello has been stored
hi has been stored
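
A secret given as a command-line argument (as in `put` or the inline `putall` form) ends up in shell history and is visible in process listings, while the `putall -` form keeps it on stdin. The following wrapper is an added example, not code from the rucredstash project; the function names `json_escape`, `build_putall_json` and `store_secret` are hypothetical, and it assumes `putall -` accepts a single line of JSON on stdin as shown above.

```sh
#!/bin/sh
# Added example, not part of rucredstash: store a secret without putting its
# value in argv or shell history, using the `putall -` stdin form shown above.

# Escape a string for a JSON string literal. Control characters are rejected
# instead of encoded, since putall is given one line of JSON on stdin.
json_escape() {
    case $1 in
        *[[:cntrl:]]*) return 1 ;;
    esac
    printf '%s' "$1" | sed -e 's/\\/\\\\/g' -e 's/"/\\"/g'
}

# Print the one-line object putall expects: {"name":"value"}
build_putall_json() {
    _name=$(json_escape "$1") || return 1
    _value=$(json_escape "$2") || return 1
    [ -n "$_name" ] || return 1
    printf '{"%s":"%s"}\n' "$_name" "$_value"
}

# Usage: store_secret <credential-name>
# Reads the value from stdin; on a terminal, echo is turned off while typing.
store_secret() {
    _tty=0
    if [ -t 0 ]; then
        _tty=1
        printf 'Secret for %s: ' "$1" >&2
        stty -echo
    fi
    IFS= read -r _secret || [ -n "$_secret" ] || _secret=
    if [ "$_tty" -eq 1 ]; then
        stty echo
        printf '\n' >&2
    fi
    [ -n "$_secret" ] || { echo "empty value, nothing stored" >&2; return 1; }
    _json=$(build_putall_json "$1" "$_secret") || {
        echo "name is empty or a control character was found" >&2
        return 1
    }
    unset _secret
    # printf is a builtin in bash and dash, so the value is never in argv.
    printf '%s\n' "$_json" | rucredstash putall -
}
```

After sourcing the file, `store_secret db_password` prompts for the value without echoing it and stores it under the given name.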