awslabs / ssosync

Populate AWS SSO directly with your G Suite users and groups using either a CLI or AWS Lambda
Apache License 2.0
530 stars 182 forks

Expand the Options for storing the sensitive parameters to include binary secrets and SSM Parameter Store #180

Open ChrisPates opened 8 months ago

ChrisPates commented 8 months ago

Is your feature request related to a problem? Please describe.
Currently sensitive configuration data must be stored in AWS Secrets Manager secrets; however, for some customers SSM Parameter Store may be sufficient (since they do not need cross-account/cross-region support), and they wish to reduce the operating cost of the SSOSync deployment.

Describe the solution you'd like
Add detection for and support of SSM Parameter Store secrets and binary secrets in Secrets Manager.

Additional context
Requests originally raised under the following issues:

dancorne commented 8 months ago

Hey @ChrisPates, I'd opened https://github.com/awslabs/ssosync/issues/130 because it looked like binary secrets should work, however I believe the logic is buggy there. It was easy enough for us to switch to a string secret to fix our syncing, but also the bugfix is fairly trivial so thought I'd open a PR. If you've got wider refactoring plans for this code this might not be needed though, happy to close that PR off if so.

ChrisPates commented 8 months ago

So other folk have expressed a desire for SSM Parameter Store support and even raw env vars.

Leave the PR for now, I’ll have a look and it may still be used as part of the broader piece of work.