binxio / cfn-secret-provider

A CloudFormation custom resource provider for deploying secrets and keys
Apache License 2.0
141 stars, 70 forks

Custom::RotatingSecret to generate primary/secondary secrets #37

Closed ragogitpub closed 11 months ago

ragogitpub commented 4 years ago

Hello

We are using this resource a lot.

What we wanted to do was to have primary and secondary secrets.

Encrypting code would always encrypt with the primary secret, while decrypting code would first try the primary and, if that fails, the secondary.

At a set interval then, we would

  1. move primary secret to secondary
  2. generate a new primary and store it in primary secret

This would allow us to have a rotating secret.

Would it be possible to enhance this to support something like Custom::RotatingSecret with (a) a cron expression, (b) a primary SSM parameter and (c) a secondary SSM parameter?

Thank you
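
The primary/secondary scheme described in the request, as an added example (not code from the issue, its author, or cfn-secret-provider): encrypt only under the primary, decrypt by trying the primary and falling back to the secondary, rotate by demoting the primary and generating a fresh one. Two things are assumptions made so it runs offline: the cipher is a constructed encrypt-then-MAC stand-in (HMAC-SHA256 in counter mode plus an HMAC tag) in place of a real AEAD such as AES-GCM, and the secrets are random bytes held in memory in place of the SSM parameters the request mentions.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass, field
from typing import Optional

NONCE_LEN = 16
TAG_LEN = 32


def _subkeys(secret: bytes):
    # Derive independent encryption and MAC subkeys from one stored secret.
    enc = hmac.new(secret, b"enc", hashlib.sha256).digest()
    mac = hmac.new(secret, b"mac", hashlib.sha256).digest()
    return enc, mac


def _keystream(enc_key: bytes, nonce: bytes, length: int) -> bytes:
    # Counter-mode keystream; a stand-in for a real AEAD, constructed for this example only.
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(enc_key, nonce + counter.to_bytes(8, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def encrypt(secret: bytes, plaintext: bytes) -> bytes:
    enc_key, mac_key = _subkeys(secret)
    nonce = os.urandom(NONCE_LEN)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    tag = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()  # encrypt-then-MAC
    return nonce + ct + tag


def decrypt(secret: bytes, blob: bytes) -> bytes:
    # Raises ValueError on a wrong key or tampering; that failure is what drives the fallback.
    if len(blob) < NONCE_LEN + TAG_LEN:
        raise ValueError("ciphertext too short")
    enc_key, mac_key = _subkeys(secret)
    nonce, ct, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("authentication failed")
    return bytes(c ^ k for c, k in zip(ct, _keystream(enc_key, nonce, len(ct))))


@dataclass
class RotatingSecret:
    # Stands in for the two SSM parameters the request asks for (assumption: held in memory here).
    primary: bytes = field(default_factory=lambda: os.urandom(32))
    secondary: Optional[bytes] = None

    def encrypt(self, plaintext: bytes) -> bytes:
        return encrypt(self.primary, plaintext)  # new data always goes under the primary

    def decrypt(self, blob: bytes) -> bytes:
        try:
            return decrypt(self.primary, blob)
        except ValueError:
            if self.secondary is None:
                raise
            return decrypt(self.secondary, blob)  # written before the last rotation

    def reencrypt(self, blob: bytes) -> bytes:
        # Move data off the outgoing key so it survives the next rotation.
        return self.encrypt(self.decrypt(blob))

    def rotate(self) -> None:
        # Step 1: demote primary to secondary. Step 2: generate a fresh primary.
        self.secondary = self.primary
        self.primary = os.urandom(32)


def demo() -> dict:
    ks = RotatingSecret()
    c0 = ks.encrypt(b"gen0")
    ks.rotate()                       # c0 is now only readable via the secondary
    c1 = ks.encrypt(b"gen1")
    readable_after_one = ks.decrypt(c0) == b"gen0" and ks.decrypt(c1) == b"gen1"
    c0_fresh = ks.reencrypt(c0)       # migrate c0 onto the current primary
    ks.rotate()                       # the gen0 key is now gone entirely
    try:
        ks.decrypt(c0)
        stale_rejected = False
    except ValueError:
        stale_rejected = True
    return {
        "readable_after_one_rotation": readable_after_one,
        "stale_rejected_after_two": stale_rejected,
        "reencrypted_still_readable": ks.decrypt(c0_fresh) == b"gen0",
        "gen1_still_readable": ks.decrypt(c1) == b"gen1",
    }


if __name__ == "__main__":
    print(demo())
```

The `demo` function shows the operational constraint this scheme imposes: a ciphertext written under a key that has since been demoted is readable only until the next rotation, so the rotation interval has to be longer than the time it takes to re-encrypt everything still under the secondary (`reencrypt` here), or that data becomes unreadable.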

mvanholsteijn commented 3 years ago

I totally missed this! Sorry. Why not use a Secrets Manager secret instead? It has all the mechanics you need.