Store secrets in AWS Parameter Store.
This tool treats Amazon Web Services Parameter Store as a repository for secrets. Simple strings, encrypted strings (with KMS keys) and string lists are supported there, and this tool helps set and retrieve them more conveniently.
If you have Go v1.17 or later installed:
go install github.com/grimdork/awsec@v0.11.1
Or just clone the project with git clone git@github.com:grimdork/awsec.git if you want to contribute.
Download a suitable package from the official package page.
If you have Homebrew installed on macOS or Linux:
brew tap grimdork/tools
brew install grimdork/tools/awsec
Everything needed to make aws-cli run should already be set up. If your company uses Parameter Store, you probably also use AWS tools. You need two comfiguration files at minimum:
- ~/.aws/config
- ~/.aws/credentials
Check AWS documentation for specifics.
The simplest invocation lists all secrets in your configured AWS account:
awsec ls
This lists every secret in the configured parameter store.
You can also specify the beginning portion of keys to narrow down the list:
awsec ls secrets/internal
NOTE:
- Parameter Store requires keys to start with a slash. This tool adds it automatically when missing, where it makes sense.
- Keys your IAM user doesn't have access to may still be listed. You still can't fetch their contents.
- You can create policies to set up path-based permissions, limiting certain paths to be accessible only to some users. For instance, you may have a policy for "/secrets*" and another for "/admin*", and users with access to only one can't create or get values starting with the other path. See AWS documentation on IAM policies and groups for further reference.
awsec get secrets/internal/dbpasswords
retrieves a parameter named /secrets/internal/dbpasswords from the Parameter Store, provided that you have permission to do so.
awsec set secrets/internal/testpw 123456 -s
sets the key secrets/internal/testpw to 123456 and flags it as secure, which enables AWS KMS encryption.
You can also set string lists (comma-separated values):
awsec set secrets/internal/var-list one,1,two,2 -l
This sets four values, which well be presented in pairs when you use get. This is useful for small configuration files. Technically it's also usable for password lists, but if you want the maximum security use Securestring and split them up.
The -d flag allows you to set a description for a key:
awsec set -d "This key is a test." secrets/test "This is the test key's value."
Finally, it's also possibly to set a key value from a file:
awsec set -f secrets/ssh/prod-web prod-web.pem
puts the contents of the file prod-web.pem into the key secrets/ssh/prod-web.
AWS allows keys to have tags in addition to descriptions. Tags are used for many things, including filtering billing information. For example:
awsec tag secrets/ssh/prod-web -t customer=internal
This command updates the secret secrets/ssh/prod-web and sets the tag customer to internal.
NOTE: Each AWS resource can have a maximum of 50 tags.
You can rename a key (sort of) like this:
awsec rename secrets/ssh/prod-web secrets/ssh/prod-old-web
This copies the contents of secrets/ssh/prod-web to a key named secrets/ssh/prod-old-web and deletes secrets/ssh/prod-web.
NOTE: If removal fails because of lacking permissions, you may end up with a duplicate key. Check policies if this happens.
awsec rm secrets/ssh/prod-web
removes the key secrets/ssh/prod-web, asking to confirm. Use the -f flag to skip the question.