fugue / credstash

A little utility for managing credentials in the cloud
Apache License 2.0

Credstash 1.17.1 `putall` doesn't overwrite existing secrets resulting in versioned secrets not being updated #311

Open sbarrick opened 3 months ago

sbarrick commented 3 months ago

We have an existing credstash implementation at AWS in us-east-1 using credstash 1.17.1. An initial import (generated by credstash getall -f) allows us to putall into our DR credstash implementation in us-west-2, which works fine for the initial population and secret additions. Using credstash putall:

credstash -r us-west-2 putall @credstash_backup.json

However, if the credstash entry already exists in the destination, credstash returns the error "An error occurred (ConditionalCheckFailedException) when calling the PutItem operation: The conditional request failed". This is not an issue for secrets that are unchanged and already exist in the DR destination region, but if the secret is versioned the same error is produced and no update occurs for that secret.

Can Credstash be updated so that instead of this error the entry is overwritten, or imports of newer versions of secrets are accepted?

Alternately, is there a better way to handle multiple-region Credstash support for implementations that are already in production use? Based on https://github.com/fugue/credstash/issues/257 it sounds like if we were building a new implementation, we could use a global dynamodb table and a Multi-Region KMS key, but it's unclear to us what modifications we could safely make for an existing credential-store table with encryption by a Single-Region KMS key in active production use.
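The failure described in this issue comes from the conditional write that a credstash-style store places on PutItem: a row keyed on (name, version) is never silently overwritten, which is what protects the store's integrity but also makes a blind `putall` of a backup fail on every name that already has that version. The following is an added example, not code from credstash or from the reporter, that emulates such a table in memory and contrasts the reported behaviour (every entry written as version 1) with a version-aware DR sync that creates missing names, skips unchanged values and writes an incremented version only where the value differs. The table layout (hash key `name`, range key `version`, 19-digit zero-padded versions), the field name `contents` and the sample rows are assumptions made for this example; in a real store `contents` holds ciphertext under a region-specific KMS key, so the "unchanged" comparison must be made against the decrypted destination value, not the stored ciphertext.

```python
"""Version-aware replication of a secret backup into a second region,
emulated in memory. Added example; not credstash's own code."""


class ConditionalCheckFailed(Exception):
    """Stand-in for DynamoDB's ConditionalCheckFailedException."""


PAD_LEN = 19  # assumed zero-padding width of version strings


def padded(version: int) -> str:
    """Zero-pad so versions sort correctly as strings (assumed layout)."""
    return str(version).zfill(PAD_LEN)


class SecretTable:
    """In-memory stand-in for a table keyed on (name, version)."""

    def __init__(self, items=None):
        self.items = {}  # (name, version) -> row
        for row in items or []:
            self.items[(row["name"], row["version"])] = dict(row)

    def put_if_absent(self, row):
        """PutItem with ConditionExpression attribute_not_exists(name):
        refuses to overwrite an existing (name, version) row."""
        key = (row["name"], row["version"])
        if key in self.items:
            raise ConditionalCheckFailed(f"{key} already exists")
        self.items[key] = dict(row)

    def latest(self, name):
        """Return the highest-versioned row for a name, or None."""
        versions = [v for (n, v) in self.items if n == name]
        if not versions:
            return None
        return self.items[(name, max(versions))]


def naive_putall(table, backup):
    """Mimics the reported behaviour: every backup entry is written as
    version 1, so any name that already exists trips the condition.
    Returns the names that failed."""
    failed = []
    for name, value in backup.items():
        try:
            table.put_if_absent(
                {"name": name, "version": padded(1), "contents": value})
        except ConditionalCheckFailed:
            failed.append(name)
    return failed


def sync_putall(table, backup):
    """Version-aware import: create missing names, leave unchanged values
    alone, and write a new (incremented) version when the value differs.
    In practice `current["contents"]` would be the *decrypted* value from
    the destination, since ciphertext differs per KMS key."""
    report = {"created": [], "updated": [], "unchanged": []}
    for name, value in backup.items():
        current = table.latest(name)
        if current is None:
            table.put_if_absent(
                {"name": name, "version": padded(1), "contents": value})
            report["created"].append(name)
        elif current["contents"] == value:
            report["unchanged"].append(name)
        else:
            next_version = padded(int(current["version"]) + 1)
            table.put_if_absent(
                {"name": name, "version": next_version, "contents": value})
            report["updated"].append(name)
    return report


# Constructed sample data: the DR region already holds two secrets at
# version 1; the backup carries one changed value, one unchanged value
# and one brand-new name.
SAMPLE_DEST = [
    {"name": "db_password", "version": padded(1), "contents": "old-pass"},
    {"name": "api_key", "version": padded(1), "contents": "key-1"},
]
SAMPLE_BACKUP = {
    "db_password": "new-pass",
    "api_key": "key-1",
    "new_secret": "s3cret",
}

if __name__ == "__main__":
    print("naive failures:", naive_putall(SecretTable(SAMPLE_DEST), SAMPLE_BACKUP))
    table = SecretTable(SAMPLE_DEST)
    print("sync report:", sync_putall(table, SAMPLE_BACKUP))
    print("db_password now at version", table.latest("db_password")["version"])
```

Keeping the conditional write and adding versions on top of it, rather than overwriting in place, preserves the audit trail of what each secret was at each version and means a replayed or stale backup can never roll a secret back; the backup file produced for this purpose holds plaintext, so it should be treated with the same care as the store itself.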