GithubHelp home page GithubHelp logo

hush_aws_secrets_manager's Introduction

AWS Secrets Manager Hush Provider

Build Status Coverage Status hex.pm version hex.pm downloads

This package provides a Hush Provider to resolve Amazon Web Services's Secrets Manager secrets.

Documentation can be found at https://hexdocs.pm/hush_aws_secrets_manager.

Installation

The package can be installed by adding hush_aws_secrets_manager to your list of dependencies in mix.exs:

def deps do
  [
    {:hush, "~> 1.0"},
    {:hush_aws_secrets_manager, "~> 1.0.0"}
  ]
end

This module relies on ex_aws to talk to the AWS API. As such you need to configure it, below is an example, but you can read alternative ways of configuring it in their documentation.

As the provider needs to start ex_aws application, it needs to registered as a provider in hush, so that it gets loaded during startup.

# config/config.exs

alias Hush.Provider.AwsSecretsManager

config :ex_aws,
  access_key_id: [{:system, "AWS_ACCESS_KEY_ID"}],
  secret_access_key: [{:system, "AWS_SECRET_ACCESS_KEY"}]

# ensure hush loads AwsSecretsManager during startup
config :hush,
  providers: [AwsSecretsManager]

AWS Authorization

In order to retrieve secrets from AWS, ensure the service account you use has a similar policy as:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "secretsmanager:GetSecretValue",
      "Resource": [
        "arn:aws:secretsmanager:<region>:<account>:secret:<secret-name>",
        "arn:aws:secretsmanager:us-east-1:000000000000:secret:config/password-MzBAO2"
      ]
    }
  ]
}

Usage

The following example reads the password and the pool size for CloudSQL from secret manager into the ecto repo configuration.

# config/prod.exs

alias Hush.Provider.AwsSecretsManager

config :app, App.Repo,
  password: {:hush, AwsSecretsManager, "CLOUDSQL_PASSWORD"},
  pool_size: {:hush, AwsSecretsManager, "ECTO_POOL_SIZE", cast: :integer, default: 10}

License

Hush is released under the Apache License 2.0 - see the LICENSE file.

hush_aws_secrets_manager's People

Contributors

gordalina avatar

Stargazers

avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar

Watchers

avatar avatar avatar

Forkers

techgaun

hush_aws_secrets_manager's Issues

Support secrets other than in json format

AWS secrets manager does not mandate JSON or key-value pair value for the secrets value (although recommended). However, in the implementation, there's explicit json decoding at https://github.com/gordalina/hush_aws_secrets_manager/blob/a76776d/lib/provider.ex#L33

This causes issues with cases where one would like to store non-json values such as plaintext string or TOML, etc. Is it possible to remove that or support passing a custom function to execute for parsing/decoding instead?

A better approach might be to just retrieve the data in provider and not handle the data format at all. The transformers then can be implemented to handle the data accordingly.

Cache secrets

I have the following configuration (with an custom transformer):

config :ueberauth,
       Ueberauth.Strategy.Microsoft.OAuth,
       client_id: {
         :hush,
         Hush.Provider.AwsSecretsManager,
         "xxx",
         [json_auth_azure: "client_id"]
       },
       client_secret: {
         :hush,
         Hush.Provider.AwsSecretsManager,
         "xxx",
         [json_auth_azure: "client_secret"]
       },
       tenant_id: {
         :hush,
         Hush.Provider.AwsSecretsManager,
         "xxx",
         [json_auth_azure: "tenant_id"]
       }

It's one secret with a json structure that contains 3 keys. It would be nice if the Hush caches the secret that I don't need to call 3 times AWS.

Or is there another solution to obtain that?

Recommend Projects

  • React photo React

    A declarative, efficient, and flexible JavaScript library for building user interfaces.

  • Vue.js photo Vue.js

    ๐Ÿ–– Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.

  • Typescript photo Typescript

    TypeScript is a superset of JavaScript that compiles to clean JavaScript output.

  • TensorFlow photo TensorFlow

    An Open Source Machine Learning Framework for Everyone

  • Django photo Django

    The Web framework for perfectionists with deadlines.

  • D3 photo D3

    Bring data to life with SVG, Canvas and HTML. ๐Ÿ“Š๐Ÿ“ˆ๐ŸŽ‰

Recommend Topics

  • javascript

    JavaScript (JS) is a lightweight interpreted programming language with first-class functions.

  • web

    Some thing interesting about web. New door for the world.

  • server

    A server is a program made to process requests and deliver data to clients.

  • Machine learning

    Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.

  • Game

    Some thing interesting about game, make everyone happy.

Recommend Org

  • Facebook photo Facebook

    We are working to build community through open source technology. NB: members must have two-factor auth.

  • Microsoft photo Microsoft

    Open source projects and samples from Microsoft.

  • Google photo Google

    Google โค๏ธ Open Source for everyone.

  • D3 photo D3

    Data-Driven Documents codes.