Versent / unicreds

unicreds is a CLI which manages secrets in AWS using DynamoDB and KMS.
https://github.com/Versent/unicreds
MIT License

Full ARN for KMS and DynamoDB Table #68

Open shleeable opened 7 years ago

shleeable commented 7 years ago

Hey Team,

I'm considering the option of creating a shared/common credstash and as such require cross-account ARNs. Unless there is a smarter way of doing this.

Note: I know you can grant aliases to KMS keys cross-account, but I'd rather just use the full path for my use case.

bacoboy commented 7 years ago

You can use cross-account roles with the AssumeRole (#70) support recently added to administer across different accounts. But in this case you want to share the storage AND keys between accounts.

Generally it is frowned upon to share KMS keys across accounts. This is why things like encrypted volumes/snapshots can't be shared across accounts, for instance.

I manage multiple accounts with credstash stores and each has its own store. Use something like Terraform to manage the policies and such for consistency between accounts.

You do it how you want, but if you want a central store for all secrets, you should look at something outside of IAM (that is available on a private network) like Vault, Chef encrypted data bags, etc...