config

command
v0.0.0-...-56b8a88 Latest Latest
Warning

This package is not in the latest version of its module.

 Go to latest Published: May 24, 2019 License: MIT Imports: 8 Imported by: 0

README

opolis-deployer-config

opolis-deployer-config is a simple CLI interface for reading and writing encrypted AWS SSM parameters.

Install

$ ./install.sh

This will fetch the latest compiled binary from the Fabrik release on GitHub. It does a fairly rudimentary job of checking which OS you are running, but defaults to Linux.

To check the installation, run $ opolis-deployer-config if you allowed saving to /usr/local/bin, otherwise, run it from this directory.

Usage

Options

--profile NAME

Use the profile NAME set in $HOME/.aws/credentials. If this option is not set, opolis-deployer-config will try to read the access and region configuration from the environment. The conventions and variable names are the same as the aws-cli tool. See the docs for more detail.

read

Read an encrypted value from SSM. The current profile must have access to the KMS key used to write the value.

$ opolis-deployer-config read my.parameter.name

Multiple parameters may be fetched at once. Output will be one value per line, in the order they were requested.

$ opolis-deployer-config read my.first.parameter my.second.parameter ... my.nth.parameter

WARNING: This writes decrypted values to stdout. Be aware of this when using in a service runtime context.

In a service context where stdout is logged, it is recommended to read the decrypted value into an environment variable.

MYVAR=$(opolis-deployer-config read my.secret)
write

Write an encrypted value to SSM. The current profile must have access to use the given KMS key for encryption. Arguments are pairs of parameter-name kms-key-id. For every pair given, a prompt is show where you can paste the desired value.

$ opolis-deployer-config write my.first.parameter 1234-my-kms-key-id ... my.last.paramter 5678-my-kms-key-id

Input is similar to password input, that is, you will not see the value provided echoed back out to the terminal.

Using with Fargate

When including this tool in a Fargate service, the service must have the following IAM statements included in its role policy.

...
{
    "Effect": "Allow",
    "Action": "ssm:GetParameters",
    "Resource": [
        "arn:aws:ssm:*:*:parameter/<SSM parameter name, e.g. prod.myapp.secret>"
        ( add other parameters as necessary )
    ]
},
{
    "Effect": "Allow",
    "Action": "kms:Decrypt",
    "Resource": "arn:aws:kms:*:*:key/<SSM key id>"
}
...

where <SSM key id> is the UUID of the encryption key you chose when writing the value to SSM.

Be sure to assign your IAM task roles to the Task Definition like so,

"ExecutionRoleArn": { "Fn::GetAtt": [ "ECSTaskRole", "Arn" ] },
"TaskRoleArn": { "Fn::GetAtt": [ "ECSTaskRole", "Arn" ] },

Also, set the default region environment variable in the service's task defintion to match the region where the SSM value exists. This is used by the AWS SDK inside this utility.

"ContainerDefinitions": [{
    ...
    "Environment": [
        { "Name": "AWS_DEFAULT_REGION", "Value": { "Ref": "AWS::Region" } },
        ...
    ],
    ...

Documentation

The Go Gopher

There is no documentation for this package.

Source Files

View all Source files

Jump to

Keyboard shortcuts

? : This menu
/ : Search site
f or F : Jump to
y or Y : Canonical URL
go.dev uses cookies from Google to deliver and enhance the quality of its services and to analyze traffic. Learn more.