Manage secrets on AWS instances with KMS encryption, IAM roles and S3 storage.

aws-secrets requires aws-cli version 1.8 or later.

Installation:

git clone -o github https://github.com/promptworks/aws-secrets
cd aws-secrets
make install
# (or just copy `bin/*` to somewhere in your PATH)

Set up AWS resources for an application named quizzo:

aws-secrets-init-resources quizzo

Make some secrets, send them to the cloud and the AWS S3 bucket:

echo "SECRET=xyzzy" > quizzo-env
aws-secrets-send quizzo quizzo-env

Each send overwrites the existing secrets in the store.

Retrieve the secrets and print them to STDOUT:

aws-secrets-get quizzo

The last one can be run by:

• users in the quizzo-manage-secrets group
• programs on EC2 instances which have been started with the quizzo-secrets IAM profile

To start an EC2 instance with the quizzo-secrets IAM profile from the CLI:

aws ec2 run-instances ...--iam-instance-profile Name=quizzo-secrets

To start an ECS cluster with the quizzo IAM profile, select quizzo-secrets-instances from the Container Instance IAM Role selection on the Create Cluster screen. Or you could also start an ECS task with the quizzo IAM role by selecting it in your Task Definition.

This repository contains a handful of scripts:

• aws-secrets-init-resources
• aws-secrets-send
• aws-secrets-get
• aws-secrets-run-in-env
• aws-secrets-purge-resources

They can be used to set up and maintain a file containing environment variables which can then be used by an application running on an Amazon EC2 instance. They can also be used when running an application in a docker container on an EC2 instance.

aws-secrets-init-resources creates the following AWS resources:

• A customer master key (CMK).
• An alias for the key.
• An S3 bucket.
• A few roles to be used by an instance profile: one for S3 access, one for decryption with the CMK.
• A group with access policies to get/put to S3 and encrypt/decrypt with the CMK.

aws-secrets-send takes an app name and a filename as input and uses the CMK to encrypt it, then sends it to an object in the S3 bucket.

aws-secrets-get take an app name as input, and uses it to construct the name of the S3 bucket and object. It then retrieves and decrypts the file and prints it to stdout.

If the file contains lines of the form:

X=yyyy

then exporting the output will put those variables into the current environment. i.e.

export `aws-secrets-get quizzo`

aws-secrets-run-in-env is a short script that does the above and then executes another program, with its arguments.

aws-secrets-purge-resources removes the resources associated with this app which were created by aws-secrets-init-resources.

To use this in a docker file, add a line like this:

CMD ["aws-secrets-run-in-env", "quizzo", "start-quizzo"]

where "quizzo" is the name of your app, and "start-quizzo" is the script that starts the app.

• These scripts depend on having the AWS CLI installed. (See references below)

• Changing AWS_DEFAULT_REGION (or the aws-cli configuration) will effect the region used for API calls.

• Changing AWS_SECRETS_BUCKET_REGION will specify the region in which the S3 bucket is created.

• https://www.promptworks.com/blog/handling-environment-secrets-in-docker-on-the-aws-container-service
• http://docs.aws.amazon.com/cli/latest/userguide/installing.html
• https://gist.github.com/themoxman/1d137b9a1729ba8722e4