We have an existing credstash implementation at AWS in us-east-1 using credstash 1.17.1. An initial import (generated by credstash getall -f) allows us to putall into our DR credstash implementation in us-west-2, which works fine for the initial population and secret additions. Using credstash putall:
However if the credstash entry already exists in the destination, credstash returns the error An error occurred (ConditionalCheckFailedException) when calling the PutItem operation: The conditional request failed. This not an issue for secrets that are unchanged and already exist in the DR destination region, but if the secret is versioned the same error is produced and no update occurs for that secret.
Can Credstash be updated so that instead of this error the entry is overwritten, or imports of newer version of secrets are accepted?
Alternately, is there a better way to handle multiple-region Credstash support for implementations that are already in production use? Based on https://github.com/fugue/credstash/issues/257 it sounds like if we were building a new implementation, we could use a global dynamodb table and a Multi-Region KMS key, but it's unclear to us what modifications we could safely make for an existing credential-store table with encryption by a Single-Region KMS key in active production use.
We have an existing credstash implementation at AWS in
us-east-1using credstash1.17.1. An initial import (generated bycredstash getall -f) allows us toputallinto our DR credstash implementation inus-west-2, which works fine for the initial population and secret additions. Usingcredstash putall:credstash -r us-west-2 putall @credstash_backup.jsonHowever if the credstash entry already exists in the destination, credstash returns the error
An error occurred (ConditionalCheckFailedException) when calling the PutItem operation: The conditional request failed. This not an issue for secrets that are unchanged and already exist in the DR destination region, but if the secret is versioned the same error is produced and no update occurs for that secret.Can Credstash be updated so that instead of this error the entry is overwritten, or imports of newer version of secrets are accepted?
Alternately, is there a better way to handle multiple-region Credstash support for implementations that are already in production use? Based on https://github.com/fugue/credstash/issues/257 it sounds like if we were building a new implementation, we could use a global dynamodb table and a Multi-Region KMS key, but it's unclear to us what modifications we could safely make for an existing
credential-storetable with encryption by a Single-Region KMS key in active production use.