Skip to content

An utility for managing secrets from Secret Manager on the CLI

Notifications You must be signed in to change notification settings

civicteam/reliquary

Repository files navigation

Reliquary

Summary

This is an auxiliary tool to manage secrets in AWS Secrets Manager

It fetches the latest version of a secret and stores it locally to be edited.

The secrets can also be updated via the tool. The tool assumes the secrets are in JSON form, and performs validation before uploading. This avoids common errors when editing secrets directly in the AWS console.

Do not update the secrets by AWS Console it is prone to errors!

This tool automatically adds to the .gitignore an .secrets to avoid pushing the folder to GIT

Usage

You must have NodeJS 8 or superior installed on your machine.

The commands are:

Fetching secrets

npx reliquary --fetch-secrets -n <secret-name>

Fetching secrets with different region

npx reliquary --fetch-secrets -n <secret-name> -r <region>

Updating secrets by reading an local file

npx reliquary --update-secrets -n <secret-name> -p <path>

Listing versions of stored secrets, exhibits by default the last 10 records

npx reliquary --list-secrets

This should return something like this:

{ Versions: 
   [ { VersionId: '1d7ea461-066d-4e78-9c97-ccbbf27ba660',
       LastAccessedDate: '2019 - 05 - 13 T00: 00: 00.000 Z',
       CreatedDate: '2019 - 05 - 13 T13: 36: 40.566 Z' } ],
  NextToken: 'AAGWzGu7c3fnjy994XFY80EKjACAkQA3jPXB5sokoh0+PEQgQ+UY7OiiU0yt2WIfHhNLenRUW7cy1X+okG6qkgsEBvqO3kxmm7tzq+awLyWUPVF4wbmXVYdxYHXyiMMzGlR884DfhX3uYJU35BAAAXTkB6pAu5c2U71zGAskNco34Ev1O7GBIPqV56qjBXpWp1n6AAIUDPxgdfz2CkzbN21ZPO48aHkA4OTAyZmriB26wTerot72pgLSS6ze+3RZzk0BdFU/jmXO54g3b/GQetQKBD2X2CCvUfu6zo92gaar',
  ARN: 'arn:aws:secretsmanager:<region>:<account-id>:secret:<secret-name>',
  Name: 'example' }

Check the CreatedDate and with the VersionId in hands, you can do the rollback with:

npx reliquary --rollback-secrets -n <secret-name> -i 5617687a-763b-4301-bb23-bda7dd49c3fe

CLI Options

-f, --fetch-secrets

Operation to fetch the secrets

The "AWSCURRENT" version is downloaded and stored at .secrets/current.json

-u, --update-secrets

Operation to update the secrets

A local backup is stored at .secrets/<secret-version-id>.json. The contents of .secrets/current.json are then uploaded to AWS.

-r, --region [value]

Parameter to set AWS Region, it is optional and defaults to us-east-1

-n, --secret-name [value]

The secret name on Secrets Manager

-p, --secret-path [value]

The secret file path containing the value of the secrets, this is required when using update

-v --verbose

The log is output in debug mode, with more information

-i --secret-version-id [value]

The secret version id, use list to show possible values, when using rollback this is required

About

An utility for managing secrets from Secret Manager on the CLI

Resources

Code of conduct

Stars

Watchers

Forks

Packages

No packages published