sspinc / terraform-provider-credstash

Terraform provider for secrets stored with credstash
MIT License

Feature Requests - Option to specify KMS Key, KMS Key context values and Write Secrets too #17

Closed vikas027 closed 5 years ago

vikas027 commented 5 years ago

It would be great to have an option to specify KMS Key, KMS Key context values and write secrets too :)

In credstash, we can do the same as below

$ credstash -t my-table put -k alias/my-alias my-token yyyyxxxxxe app=something

tmichel commented 5 years ago

This feature request is essentially the same as #2. So I'm closing it as a duplicate.

The provider can decode secrets using whatever KMS key you prefer and contexts as well. It does not support creating secrets and I don't have an immediate plan to support that.

vikas027 commented 5 years ago

Hey @tmichel,

Can you please share an example of how/where we can specify a custom KMS key and contexts?

tmichel commented 5 years ago

The key that is used to encrypt the plain text content is stored in the DynamoDB table so that is readily available and it is used to decrypt the content. The context can be specified for every data source:

data "credstash_secret" "rds_password" {
    name = "rds_password"
    context = {
        foo = "bar"
    }
}

When you store a secret with

credstash -t my-table put -k alias/my-alias my-token yyyyxxxxxe app=something

Then the following should work to access that secret:

data "credstash_secret" "my-token" {
  name = "my-token"
  table = "my-table"
  context = {
    app = "something"
  }
}
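
Added example, not part of the thread or the provider's code: a small Python model of the envelope scheme described in the answer above, showing why a read needs no KMS key id (the wrapped data key sits in the table row) but must pass the same context that was used at `put` time. The in-memory `table`, the stand-in `kms_*` functions and the SHA-256 keystream (used here in place of real KMS and AES-CTR) are assumptions so that it runs offline.

```python
import hashlib, hmac, json, os

# Constructed stand-in for AWS KMS: the master key never leaves this dict.
_MASTER = {"alias/my-alias": os.urandom(32)}

def _aad(context):
    # KMS binds the encryption context to the ciphertext as authenticated data.
    return json.dumps(context, sort_keys=True).encode()

def _stream(key, nonce, n):
    # Toy keystream (SHA-256 in counter mode); credstash itself uses AES-CTR.
    blocks = (hashlib.sha256(key + nonce + i.to_bytes(4, "big")).digest()
              for i in range((n + 31) // 32))
    return b"".join(blocks)[:n]

def _xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def _tag(master, blob_nonce, body, context):
    return hmac.new(master, blob_nonce + body + _aad(context), hashlib.sha256).digest()

def kms_generate_data_key(key_id, context):
    master, plain, nonce = _MASTER[key_id], os.urandom(64), os.urandom(16)
    body = _xor(plain, _stream(master, nonce, 64))
    # The blob names its own master key, so readers never pass a key id.
    return plain, {"key_id": key_id, "nonce": nonce, "body": body,
                   "tag": _tag(master, nonce, body, context)}

def kms_decrypt(blob, context):
    master = _MASTER[blob["key_id"]]
    if not hmac.compare_digest(_tag(master, blob["nonce"], blob["body"], context), blob["tag"]):
        raise PermissionError("KMS refused: encryption context does not match")
    return _xor(blob["body"], _stream(master, blob["nonce"], 64))

def put(table, name, secret, key_id, context):
    data_key, wrapped = kms_generate_data_key(key_id, context)
    enc_key, mac_key = data_key[:32], data_key[32:]
    contents = _xor(secret.encode(), _stream(enc_key, b"", len(secret.encode())))
    table[name] = {"key": wrapped, "contents": contents,
                   "hmac": hmac.new(mac_key, contents, hashlib.sha256).digest()}

def get(table, name, context):
    row = table[name]
    data_key = kms_decrypt(row["key"], context)  # a wrong context fails here
    enc_key, mac_key = data_key[:32], data_key[32:]
    mac = hmac.new(mac_key, row["contents"], hashlib.sha256).digest()
    if not hmac.compare_digest(mac, row["hmac"]):
        raise ValueError("stored ciphertext failed its integrity check")
    return _xor(row["contents"], _stream(enc_key, b"", len(row["contents"]))).decode()
```

In this model an empty, partial or extended context is rejected just like a wrong value, which is the behaviour to expect when the `context` map in the data source does not exactly match the key/value pairs given to `credstash put`.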