PierreBeucher / novops

Cross-platform secret & config manager for development and CI environments
https://novops.dev
GNU Lesser General Public License v3.0
307 stars, 14 forks

AWS S3 object as a secret source #112

Closed hongkongkiwi closed 1 month ago

hongkongkiwi commented 4 months ago

I'd like to use novops to load PEM certificates as well as other more secret things (stored in secrets store). The PEM certificates are stored in S3 rather than parameter store as it's easier to manage them this way.

Would it be possible to add an S3 plugin which can pull a file from S3 and load it as a file on disk or contents as an environment variable? This would be a really fantastic feature addon!

PierreBeucher commented 4 months ago

Hi there, thanks for suggesting this improvement! That's definitely possible, and should be relatively straightforward since most AWS boilerplate code is already present.

We're talking about something like this, right?

environments:
  dev:
    variables:
      - name: S3_OBJECT_AS_VAR
        value:
          aws_s3_object:
            bucket: my-bucket
            key: path/to/cert.pem
            # ... other S3 get object param

    files:
      - variable: S3_OBJECT_AS_FILE
        content:
          aws_s3_object:
            bucket: my-bucket
            key: path/to/cert.pem
            # ... other S3 get object param

I suppose your object may be encrypted as well considering the use case?
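As an added illustration (not novops code, and not from either participant) of what resolving the proposed `aws_s3_object` source would involve, the sketch below takes a config shaped like the YAML above and produces what a tool like novops exports: the object's contents for `variables`, and a path to an owner-only (0600) file for `files`. The config dict, the in-memory stand-in for S3 (`FAKE_BUCKETS`, `fake_s3_fetch`) and all function names are constructed for this example; `boto3_s3_fetch` shows where a real fetch would plug in and is not exercised.

```python
# Added example, not novops' own code: resolve a novops-style
# `aws_s3_object` source (as proposed in the thread) into environment
# variables and files. Names and the in-memory bucket are constructed.
import os
import tempfile
from pathlib import Path
from typing import Callable, Dict

Fetcher = Callable[[str, str], bytes]

# Constructed config mirroring the YAML proposed above
EXAMPLE_CONFIG = {
    "environments": {
        "dev": {
            "variables": [
                {
                    "name": "S3_OBJECT_AS_VAR",
                    "value": {"aws_s3_object": {"bucket": "my-bucket", "key": "path/to/cert.pem"}},
                }
            ],
            "files": [
                {
                    "variable": "S3_OBJECT_AS_FILE",
                    "content": {"aws_s3_object": {"bucket": "my-bucket", "key": "path/to/cert.pem"}},
                }
            ],
        }
    }
}

# Constructed stand-in for S3 so the example runs offline
FAKE_BUCKETS = {
    ("my-bucket", "path/to/cert.pem"):
        b"-----BEGIN CERTIFICATE-----\nMIIB...constructed...\n-----END CERTIFICATE-----\n",
}


def fake_s3_fetch(bucket: str, key: str) -> bytes:
    """Fetcher backed by the constructed in-memory bucket."""
    try:
        return FAKE_BUCKETS[(bucket, key)]
    except KeyError:
        raise LookupError(f"no such object s3://{bucket}/{key}") from None


def boto3_s3_fetch(bucket: str, key: str) -> bytes:
    """Real fetch via boto3 (needs boto3 and AWS credentials); not used by demo()."""
    import boto3  # imported lazily so the rest of the file runs without it
    resp = boto3.client("s3").get_object(Bucket=bucket, Key=key)
    return resp["Body"].read()


def resolve_value(spec, fetch: Fetcher) -> bytes:
    """A value/content spec is either a literal string or {'aws_s3_object': {...}}."""
    if isinstance(spec, str):
        return spec.encode()
    if isinstance(spec, dict) and "aws_s3_object" in spec:
        src = spec["aws_s3_object"]
        return fetch(src["bucket"], src["key"])
    raise ValueError(f"unsupported value spec: {spec!r}")


def write_secret_file(path: Path, data: bytes) -> None:
    """Create the file owner read/write only, regardless of the process umask."""
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    with os.fdopen(fd, "wb") as fh:
        fh.write(data)
    os.chmod(path, 0o600)  # the O_CREAT mode is ignored if the file already existed


def load_environment(config: dict, env_name: str, fetch: Fetcher, workdir: Path) -> Dict[str, str]:
    """Return what would be exported: object contents for `variables`,
    a file path for `files` (the file content itself never enters the env)."""
    env = config["environments"][env_name]
    exported: Dict[str, str] = {}
    for var in env.get("variables", []):
        exported[var["name"]] = resolve_value(var["value"], fetch).decode()
    for f in env.get("files", []):
        data = resolve_value(f["content"], fetch)
        path = Path(workdir) / f["variable"].lower()
        write_secret_file(path, data)
        exported[f["variable"]] = str(path)
    return exported


def file_mode(path: str) -> int:
    """Permission bits of a written file, for checking the 0600 guarantee."""
    return os.stat(path).st_mode & 0o777


def demo() -> Dict[str, str]:
    """Resolve the constructed config against the fake bucket in a fresh temp dir."""
    workdir = Path(tempfile.mkdtemp(prefix="novops-example-"))
    return load_environment(EXAMPLE_CONFIG, "dev", fake_s3_fetch, workdir)


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}={value!r}")
```

The fetcher is injected so the same resolver works against the in-memory bucket here and against a real client in practice; the file branch deliberately exports only a path, so certificate or key material written to disk is not also duplicated into the process environment.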

hongkongkiwi commented 4 months ago

Yup, exactly right.

Encryption is a nice-to-have, and I would consider storing more sensitive data in S3 if this feature is available, but for my initial use case it's not necessary.

I'm storing signed certificates only, so in a sense it's not secret data. For the private keys, which are sensitive data, I'm using something like this, which allows me to use KMS keys locally in the same way you would normally use key files. This way it's much more secure from compromise, as it's impossible to copy the keys.

PierreBeucher commented 4 months ago

Great, let's start with something like this then. I'll keep you posted.

PierreBeucher commented 4 months ago

Incoming! https://github.com/PierreBeucher/novops/pull/114

PierreBeucher commented 4 months ago

Solved with https://github.com/PierreBeucher/novops/pull/114 and released with 0.15.0. Let me know how it goes for you so we can close this issue ;)