fugue / credstash

A little utility for managing credentials in the cloud
Apache License 2.0

Add --kms-region argument #268

Closed mike-luminal closed 4 years ago

mike-luminal commented 4 years ago

Resolves #257.

KMS Region

This PR adds a new top-level command-line argument, --kms-region.

Basic Usage

credstash --kms-region us-east-1 --region us-east-2 put secret1 secretvalue
credstash --kms-region us-east-1 --region us-east-2 putall '{"secret": "secretvalue"}'
credstash --kms-region us-east-1 --region us-east-2 get secret1
credstash --kms-region us-east-1 --region us-east-2 getall

This argument allows users to set the region from which the credstash KMS Key should be read separately from the region in which the credstash DynamoDB Table is stored. This allows credstash to be used with DynamoDB Global Tables with minimal AWS configuration.

Note that the KMS region can be specified for keys, list and delete, but is not used since KMS is not needed for those commands.

Saving the KMS Region

The KMS region can be saved by running credstash setup --save-kms-region REGION. This value is saved in ~/.credstash.

KMS Region Resolution Order

  1. --kms-region command-line argument
  2. Saved KMS region in ~/.credstash

If the KMS region is not explicitly specified, it takes the value of region, following the normal order of precedence:

  3. --region command-line argument
  4. AWS_DEFAULT_REGION environment variable
  5. ~/.aws/config
  6. us-east-1 if no other region is specified

Library Usage

This PR adds a new keyword argument, kms_region, to getSecret, getAllSecrets, putSecret, and putSecretAutoVersion.
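The resolution order described in this PR, as an added example that is not part of the PR or of credstash itself: a stand-alone resolver with the same precedence, exercised against constructed config files in a temporary directory. It assumes that ~/.credstash is a JSON object with a `kms_region` key (the PR only says the value is saved there) and reads the `[default]` profile of ~/.aws/config.

```python
import configparser
import json
import os
import tempfile

DEFAULT_REGION = "us-east-1"  # credstash's last-resort default

def saved_kms_region(credstash_cfg):
    # Value written by `credstash setup --save-kms-region REGION`.
    # Assumption: ~/.credstash is a JSON object with a "kms_region" key.
    try:
        with open(credstash_cfg) as fh:
            return json.load(fh).get("kms_region")
    except (OSError, ValueError):
        return None  # nothing saved (or unreadable): fall through

def resolve_region(region_arg, env, aws_cfg, profile="default"):
    # Table-region precedence: --region, AWS_DEFAULT_REGION, ~/.aws/config, us-east-1.
    if region_arg or env.get("AWS_DEFAULT_REGION"):
        return region_arg or env["AWS_DEFAULT_REGION"]
    parser = configparser.ConfigParser()
    parser.read(aws_cfg)  # a missing ~/.aws/config just yields an empty config
    return parser.get(profile, "region", fallback=None) or DEFAULT_REGION

def resolve_kms_region(kms_arg, region_arg, env, credstash_cfg, aws_cfg):
    # --kms-region, then the saved value, else the table region's own precedence.
    return (kms_arg or saved_kms_region(credstash_cfg)
            or resolve_region(region_arg, env, aws_cfg))

def demo():
    # Runs the resolver against constructed config files; returns the region per scenario.
    with tempfile.TemporaryDirectory() as tmp:
        credstash_cfg = os.path.join(tmp, ".credstash")  # absent until written below
        aws_cfg = os.path.join(tmp, "config")
        with open(aws_cfg, "w") as fh:
            fh.write("[default]\nregion = eu-west-1\n")
        env = {"AWS_DEFAULT_REGION": "ap-south-1"}
        out = {
            "flag": resolve_kms_region("us-east-1", "us-east-2", env, credstash_cfg, aws_cfg),
            "table_region": resolve_kms_region(None, "us-east-2", env, credstash_cfg, aws_cfg),
            "env": resolve_kms_region(None, None, env, credstash_cfg, aws_cfg),
            "aws_config": resolve_kms_region(None, None, {}, credstash_cfg, aws_cfg),
            "default": resolve_kms_region(None, None, {}, credstash_cfg, aws_cfg + ".missing"),
        }
        with open(credstash_cfg, "w") as fh:  # as `credstash setup --save-kms-region` would
            json.dump({"kms_region": "us-west-2"}, fh)
        out["saved"] = resolve_kms_region(None, "us-east-2", env, credstash_cfg, aws_cfg)
    return out
```

Because an unset --kms-region silently follows the table region, logging the value this returns at startup makes a cross-region misconfiguration (a key that exists only in the other region) easy to spot.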