harp-aws

Published: Jul 26, 2021 License: Apache-2.0 Imports: 4 Imported by: 0

README

Harp AWS

harp plugin that allows you to:

  • Generate an identity for sealing purposes, using envelope encryption with AWS KMS;
  • Recover an AWS KMS protected identity to unseal a container;
  • Upload a secret container to S3.

Build

export PATH=<harp-repository-path>/tools/bin:$PATH
mage

Sample

Generate an AWS KMS protected identity
$ harp aws container identity \
  --description "AWS Recovery" \
  --key-arn "arn:aws:kms:eu-central-1:XXXXXXXXXXXX:key/XXXXXXXXXXXXXXXXXXXXXXX" \
  --out aws-recovery.json

If you take a look at the generated file:

{
  "@apiVersion": "harp.elastic.co/v1",
  "@kind": "ContainerIdentity",
  "@timestamp": "2020-11-02T16:41:11.298702Z",
  "@description": "AWS Recovery",
  "public": "WS_fATyjhyeyZld3oEUPmG2trrWoDUdhTVrQvfUeZno",
  "private": {
    "encoding": "kms:aws:RqfOCnUXIIP1u7BaYSANQ_81gY89UMKY-NB1-hvPNrc",
    "content": "ALgBAgIAeOENI.....lzs8Z0Vugsw_6HwNYVFyDY2ZFIGYR"
  }
}

It uses the same ContainerIdentity format as the passphrase and Vault transit protected identities; only the private half is wrapped by KMS, which is what the "kms:aws:" encoding prefix records.
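As an added example that is not part of the harp-aws project, a small Go program that parses the ContainerIdentity file shown above, validates the header fields, and reports whether the private half is AWS KMS protected (the "kms:aws:" prefix) before the file is handed to `harp container seal` or `harp aws container recover`. The field set and the reading of the value after the prefix as an opaque key reference are assumptions drawn from the sample, not from the harp source.

```go
package main

import (
	"encoding/json"
	"fmt"
	"strings"
)

// ContainerIdentity mirrors the identity file above; @timestamp and @description are ignored.
type ContainerIdentity struct {
	APIVersion string `json:"@apiVersion"`
	Kind       string `json:"@kind"`
	Public     string `json:"public"`
	Private    struct {
		Encoding string `json:"encoding"` // e.g. "kms:aws:<key reference>" (assumed layout)
		Content  string `json:"content"`  // KMS-wrapped private key, opaque here
	} `json:"private"`
}
// ParseIdentity rejects anything that is not a v1 ContainerIdentity carrying both key halves.
func ParseIdentity(raw []byte) (*ContainerIdentity, error) {
	var id ContainerIdentity
	if err := json.Unmarshal(raw, &id); err != nil {
		return nil, fmt.Errorf("invalid identity JSON: %w", err)
	}
	switch {
	case id.APIVersion != "harp.elastic.co/v1":
		return nil, fmt.Errorf("unexpected @apiVersion %q", id.APIVersion)
	case id.Kind != "ContainerIdentity":
		return nil, fmt.Errorf("unexpected @kind %q", id.Kind)
	case id.Public == "" || id.Private.Encoding == "" || id.Private.Content == "":
		return nil, fmt.Errorf("identity is missing public or private key material")
	}
	return &id, nil
}
// AWSKMSKeyRef returns the identifier after "kms:aws:", or false when the private half uses
// another scheme (passphrase, Vault transit) and therefore cannot be recovered through KMS.
func AWSKMSKeyRef(id *ContainerIdentity) (string, bool) {
	if !strings.HasPrefix(id.Private.Encoding, "kms:aws:") {
		return "", false
	}
	return strings.TrimPrefix(id.Private.Encoding, "kms:aws:"), true
}
func main() {
	// Constructed copy of the README identity above, private content truncated.
	id, err := ParseIdentity([]byte(`{"@apiVersion":"harp.elastic.co/v1","@kind":"ContainerIdentity","public":"WS_fATyjhyeyZld3oEUPmG2trrWoDUdhTVrQvfUeZno","private":{"encoding":"kms:aws:RqfOCnUXIIP1u7BaYSANQ_81gY89UMKY-NB1-hvPNrc","content":"ALgBAgIAeOENI"}}`))
	if err != nil {
		panic(err)
	}
	ref, ok := AWSKMSKeyRef(id) // id.Public is the value `jq -r ".public"` extracts for sealing
	fmt.Println(id.Public, ref, ok)
}
```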

You can seal a container using this identity:

$ harp container seal \
   --in unsealed.bundle \
   --identity $(cat aws-recovery.json | jq -r ".public") \
   --out sealed.bundle
Recover a secret container key
$ harp aws container recover \
  --key-arn "arn:aws:kms:eu-central-1:XXXXXXXXXXXX:key/XXXXXXXXXXXXXXXXXXXXXXX" \
  --identity aws-recovery.json
Container Key: ...
Upload a secret container to S3

The usual Vault-to-S3-bucket workflow, compatible with harp-server, with in-transit encryption (Fernet is used):

$ harp keygen fernet > psk.key
$ harp from vault \
  --path app/production/security/cloud/v1.0.0 \
  | harp bundle encrypt --key $(cat psk.key) \
  | harp container seal \
    --identity-file aws-recovery.json \
    --no-container-identity \
  | harp aws to s3 \
    --bucket-name harp-containers \
    --object-key sealed.bundle
Container successfully uploaded to: https://harp-containers.s3.eu-central-1.amazonaws.com/sealed.bundle

You can specify a different endpoint (e.g. IBM COS):

$ harp aws to s3 \
  --in sealed.bundle \
  --access-key-id $IBM_ACCESS_KEY \
  --secret-access-key $IBM_SECRET_ACCESS_KEY \
  --bucket-name harp-containers-cos-standard-wsa \
  --endpoint s3.eu-de.cloud-object-storage.appdomain.cloud \
  --region eu-de \
  --object-key sealed.bundle
Container successfully uploaded to: https://harp-containers-cos-standard-wsa.s3.eu-de.cloud-object-storage.appdomain.cloud/sealed.bundle

Use recovery to export the recovery container key:

$ CONTAINER_KEY=$(harp aws container recover \
  --key-arn "arn:aws:kms:eu-central-1:XXXXXXXXXXXX:key/XXXXXXXXXXXXXXXXXXXXXXX" \
  --identity aws-recovery.json \
  --json | jq -r ".container_key")

Expose it using harp-server:

$ export SHUB_SERVER_KEYRING="[$CONTAINER_KEY]"
$ harp server http \
  --namespace root:bundle+s3://harp-containers/sealed.bundle

Documentation

There is no documentation for this package.

Directories

Path Synopsis
internal
cmd
pkg
