secrets

package module
v1.0.0 Latest

Warning: This package is not in the latest version of its module.
Published: Aug 18, 2019 License: MIT Imports: 6 Imported by: 0

README

secrets

This is a demonstration package for accessing secured secrets from AWS SSM Parameter Store. Secrets should be created by an external service such as binxio's secret-provider, not by application code. Access to these secrets should be restricted by read-only IAM policies scoped to the parameters the service actually needs.

This package demonstrates how one could structure a secrets manager that eases development by substituting environment variables for the secret store (for running tests locally) while production code reads from SSM through the same interface.

Usage

env := os.Getenv("APP_ENV")
region := os.Getenv("APP_REGION")

// NewSecretsCache selects local env vars or AWS Parameter Store based on env
// (see the Documentation section below); the constructor is NewSecretsCache,
// not SecretsCache, which is the type.
s := secrets.NewSecretsCache(env, region)
password, err := s.Password()
if err != nil {
  log.Fatalf("failed to get password: %v", err)
}
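The following is an added, self-contained illustration of the pattern the README describes (a Secrets interface with an environment-variable backend for tests and a remote backend for deployed environments, selected by APP_ENV, behind a caching wrapper). It is not the package's own code: the path-to-variable mapping ("/some/test/password" becomes SOME_TEST_PASSWORD), the in-memory MemSecrets standing in for the SSM backend so the program runs offline, and the NewSecretsCache signature (it takes a backend rather than a region) are this example's assumptions.

```go
package main

import (
	"errors"
	"fmt"
	"os"
	"strings"
	"sync"
)

// Secrets is the backend interface documented on this page.
type Secrets interface {
	GetSecureParameter(key string) ([]byte, error)
	SetSecureParameter(key, value string) error
}

var ErrNotFound = errors.New("secret not found") // a missing secret is an error, never ""

// EnvSecrets reads env vars; the mapping "/some/test/password" -> SOME_TEST_PASSWORD is assumed here.
type EnvSecrets struct{}

func envName(key string) string {
	r := strings.NewReplacer("/", "_", "-", "_", ".", "_")
	return strings.ToUpper(r.Replace(strings.Trim(key, "/")))
}

func (EnvSecrets) GetSecureParameter(key string) ([]byte, error) {
	if v, ok := os.LookupEnv(envName(key)); ok {
		return []byte(v), nil
	}
	return nil, fmt.Errorf("%w: %s (env %s)", ErrNotFound, key, envName(key))
}

func (EnvSecrets) SetSecureParameter(key, value string) error {
	return os.Setenv(envName(key), value)
}

// MemSecrets is an offline stand-in for the Parameter Store backend (which would call ssm:GetParameter with decryption).
type MemSecrets struct{ data map[string]string }

func NewMemSecrets() *MemSecrets { return &MemSecrets{data: map[string]string{}} }

func (m *MemSecrets) GetSecureParameter(key string) ([]byte, error) {
	if v, ok := m.data[key]; ok {
		return []byte(v), nil
	}
	return nil, fmt.Errorf("%w: %s", ErrNotFound, key)
}

func (m *MemSecrets) SetSecureParameter(key, value string) error {
	m.data[key] = value
	return nil
}

// SecretsCache picks a backend from the deployment environment and memoises reads.
type SecretsCache struct {
	Environment string
	store       Secrets
	mu          sync.Mutex
	cache       map[string][]byte
}

// NewSecretsCache uses EnvSecrets only for the explicit "local"/"test" environments; any other
// value gets the remote store, so a wrong APP_ENV on a deployed task cannot fall back to env vars.
func NewSecretsCache(env string, remote Secrets) *SecretsCache {
	var store Secrets = remote
	if env == "local" || env == "test" {
		store = EnvSecrets{}
	}
	return &SecretsCache{Environment: env, store: store, cache: map[string][]byte{}}
}

func (s *SecretsCache) GetSecureString(key string) (string, error) {
	s.mu.Lock()
	defer s.mu.Unlock()
	if v, ok := s.cache[key]; ok {
		return string(v), nil
	}
	v, err := s.store.GetSecureParameter(key)
	if err != nil {
		return "", err // fail closed
	}
	s.cache[key] = v
	return string(v), nil
}

// Password reads the key the README's CloudFormation creates: /some/<env>/password.
func (s *SecretsCache) Password() (string, error) {
	return s.GetSecureString("/some/" + s.Environment + "/password")
}

func main() {
	os.Setenv("SOME_TEST_PASSWORD", "hunter2-from-env") // constructed test input
	fmt.Println(NewSecretsCache("test", NewMemSecrets()).Password())
	remote := NewMemSecrets() // constructed stand-in for SSM in a deployed environment
	remote.SetSecureParameter("/some/prod/password", "s3cret-from-store")
	fmt.Println(NewSecretsCache("prod", remote).Password())
}
```

Two design choices worth noting: the environment-variable backend is chosen only for an explicit allow-list of environments, so an unset or misspelled APP_ENV on a deployed task fails with ErrNotFound instead of quietly reading whatever is in the container environment; and the cache has no expiry, so a rotated parameter is only picked up after the task restarts, which is the usual trade-off with this pattern.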

Running the example locally:

  • make buildexample
  • docker run --name secrets -p 8000:8000 service:latest

Running the example in AWS:

Build the docker container (make buildexample) and push it to ECR. Ensure the secret has been created via the binxio secret-provider. You'll need an ECS cluster and a task whose role is limited to reading that one parameter; a CloudFormation template similar to the following creates the secret, a log group, the task role, the task definition and the service:

  ServicePassword:
    Type: Custom::Secret
    Properties:
      Name: /some/${EnvironmentName}/password
      KeyAlias: alias/aws/ssm
      Alphabet: abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789
      Length: 30
      ReturnSecret: true
      ServiceToken: !Sub 'arn:aws:lambda:${AWS::Region}:${AWS::AccountId}:function:binxio-cfn-secret-provider'

  ServiceLogGroup:
    Type: AWS::Logs::LogGroup
    Properties:
      RetentionInDays: 30
      LogGroupName: !Sub "${EnvironmentName}-service"

  ServiceReadSSMRole:
    Type: AWS::IAM::Role
    Properties:
      AssumeRolePolicyDocument:
        Statement:
        - Effect: Allow
          Principal:
            Service: "ecs-tasks.amazonaws.com"
          Action: ['sts:AssumeRole']
      Path: /
      Policies:
      - PolicyName: !Sub "${EnvironmentName}-service-read-password"
        PolicyDocument:
          Statement:
          - Effect: Allow
            Action:
              - "ssm:Describe*"
              - "ssm:Get*"
              - "ssm:List*"
            Resource: !Sub "arn:aws:ssm:${AWS::Region}:${AWS::AccountId}:parameter/some/${EnvironmentName}/password"
  
  ServiceTaskDefinition:
    Type: AWS::ECS::TaskDefinition
    DependsOn: ["ServicePassword"]
    Properties:
      Family: service
      TaskRoleArn: !GetAtt 'ServiceReadSSMRole.Arn'
      NetworkMode: bridge
      ContainerDefinitions:
        - Name: service
          Image: FILL-ME-IN.dkr.ecr.us-east-1.amazonaws.com/service:latest
          Memory: 128
          Essential: true
          PortMappings:
            - ContainerPort: 8000
              Protocol: tcp
          Environment: 
            - Name: APP_ENV
              Value: !Sub "${EnvironmentName}"
            - Name: APP_REGION
              Value: !Ref "AWS::Region"
          LogConfiguration:
            LogDriver: 'awslogs'
            Options:
              awslogs-group: !Sub "${EnvironmentName}-service"
              awslogs-region: !Ref 'AWS::Region'
              awslogs-stream-prefix: 'service'
  
  ServiceDaemon:
    Type: AWS::ECS::Service
    Properties:
      ServiceName: 'service'
      Cluster: !Sub "${EnvironmentName}-cluster"
      TaskDefinition: !Ref 'ServiceTaskDefinition'
      SchedulingStrategy: 'DAEMON'

The ServiceReadSSMRole policy scopes the ECS task to the single parameter /some/${EnvironmentName}/password; it cannot read any other parameter in the account. The wildcard actions are still wider than a read needs: ssm:Get* also matches GetParameterHistory (earlier values of the secret), and ssm:DescribeParameters does not support resource-level restriction, so ssm:Describe* on a parameter ARN grants nothing. A tighter statement lists ssm:GetParameter and ssm:GetParameters only. Because the secret is encrypted with the AWS managed key alias/aws/ssm, the task needs no separate kms:Decrypt grant; with a customer managed key it would also need kms:Decrypt on that key.

Documentation

Index

Constants

This section is empty.

Variables

This section is empty.

Functions

This section is empty.

Types

type AWSSecrets

type AWSSecrets struct {
	Region string
	// contains filtered or unexported fields
}

AWSSecrets retrieves secrets from AWS Parameter Store

func NewAWSSecrets

func NewAWSSecrets(region string) *AWSSecrets

NewAWSSecrets returns an instance for the given region; if region is empty, us-east-1 is used.

func (*AWSSecrets) GetSecureParameter

func (s *AWSSecrets) GetSecureParameter(key string) ([]byte, error)

GetSecureParameter retrieves the parameter specified by key, or error otherwise.

func (*AWSSecrets) SetSecureParameter

func (s *AWSSecrets) SetSecureParameter(key, value string) error

SetSecureParameter sets the value for the specified key in AWS SSM. It is recommended that you do not set parameters from code but from your CloudFormation or deployment process instead.

type EnvSecrets

type EnvSecrets struct {
}

EnvSecrets retrieves secrets from environment variables

func NewEnvSecrets

func NewEnvSecrets() *EnvSecrets

NewEnvSecrets returns an instance

func (*EnvSecrets) GetSecureParameter

func (s *EnvSecrets) GetSecureParameter(key string) ([]byte, error)

GetSecureParameter retrieves the env variable specified by key, or error otherwise.

func (*EnvSecrets) SetSecureParameter

func (s *EnvSecrets) SetSecureParameter(key, value string) error

SetSecureParameter sets the environment variable corresponding to key to value.

type Secrets

type Secrets interface {
	// GetSecureParameter retrieves the value from our secure parameter store
	GetSecureParameter(key string) ([]byte, error)
	// SetSecureParameter sets the value for the key in our secure parameter store
	SetSecureParameter(key, value string) error
}

Secrets interface for securely or locally accessing secrets

type SecretsCache

type SecretsCache struct {
	Region      string
	Environment string
	// contains filtered or unexported fields
}

SecretsCache for accessing cached/stored secrets

func NewSecretsCache

func NewSecretsCache(env, region string) *SecretsCache

NewSecretsCache returns an instance for acquiring the secrets from either local env vars or AWS

func (*SecretsCache) GetSecureString

func (s *SecretsCache) GetSecureString(key string) (string, error)

GetSecureString lets the caller provide the full parameter key (rather than using a named accessor such as Password) and returns the value as a string.

func (*SecretsCache) Password

func (s *SecretsCache) Password() (string, error)

Password retrieves the password from our secrets implementation. Additional methods can be added to SecretsCache for ensuring uniform access.

func (*SecretsCache) SetSecureParameter

func (s *SecretsCache) SetSecureParameter(key, value string) error
