deleteSecret?

[doublemarked]

I see deleteSecret sitting there in lib/providers/aws.js. Why is it not exposed as a plugin command?

[doublemarked]

For anybody finding this in the future, here's the aws cli command to remove these keys:

aws ssm delete-parameter --name KEY_NAME

[franciscocpg]

@doublemarked

aws ssm delete-parameter KEY_NAME

thanks for the info. It helped me here.

But in fact the command is aws ssm delete-parameter --name KEY_NAME (at least using this aws cli version: aws-cli/1.14.6 Python/3.6.3 Linux/4.14.4-1-ARCH botocore/1.8.10)

Besides that I cannot understand why there isn't a secrets delete command.

[doublemarked]

@franciscocpg woops, you're totally right, not sure how I messed up that copy/paste.

And in general, you know I ditched this serverless-secrets module because of this and several other issues, like the lack of a working invoke local and the conflicts with Webpack. I found that recent versions of serverless will let you reference SSM variables directly in your serverless.yml file, and that was good enough for me: https://serverless.com/framework/docs/providers/aws/guide/variables/#reference-variables-using-the-ssm-parameter-store

[azurelogic]

I had originally excluded the delete functionality from the CLI for safety (making someone go to the web console requires much more intent), but if there's demand for it, then so be it. I'll add it in.

[azurelogic]

@doublemarked We proceeded with this plugin in spite of the SSM variable type in Serverless and the ability to reference SSM params from CloudFormation Parameters because neither properly supported end to end encryption as far as we have found. The Serverless SSM variables get decrypted before the template is uploaded, so the decrypted secret becomes part of the stack, making it visible to anyone with read access to CloudFormation. As for SSM params in CFN Parameters, we found that they don't support SecureStrings. So, we're still proceeding with this work.

[franciscocpg]

About https://github.com/trek10inc/serverless-secrets/issues/28#issuecomment-351553175

IMO it makes sense to have it.

Using aws-cli has the same effect.

Maybe a "are you sure want to delete key ${key}?" question before deleting would help.

[doublemarked]

@azurelogic yea no problem, I understand your motivation and recognize that drawback of the SSM variables in serverless config. For our use case this is not a concern and I found it an acceptable tradeoff for increased simplicity, but I recognize this is not the case for everybody.

Regarding delete - at minimum you should document the aws cli command to delete keys. serverless-secrets is completely abstracting the SSM access and somebody unfamiliar with how it all works will burn some time trying to chase it all down.

[azurelogic]

I appreciate the feedback. Delete has been added to the CLI. It may be a few days before I get the next beta out to NPM as I'd like to complete some other work with it. Thanks!