0.02
No release in over 3 years
Low commit activity in last 3 years
Ruby AWS Secrets Manager interface. Allows for env specific secrets, in-memory caching with custom TTL, file storage, and simple API.
2005
2006
2007
2008
2009
2010
2011
2012
2013
2014
2015
2016
2017
2018
2019
2020
2021
2022
2023
2024
 Dependencies

Development

~> 2.0
~> 10.0
~> 3.0

Runtime

 Project Readme

SecretsManager.rb

Installation

Add this line to your application's Gemfile:

gem 'secrets-manager'

And then execute:

$ bundle

Or install it yourself as:

$ gem install secrets-manager

Usage

To use this gem, you must have an AWS account and permissions to setup secret values using Secrets Manager

This gem makes assumptions and has requirements about how you should be storing your secrets.

Path Name

This gem uses the concept of env specific secrets within the same account. While separate AWS accounts can be used to maintain separation, it can be desirable to use a single account.

The path format is as follows: {{secret_env}}/{{secret_path}}. When using this gem you would leave the secret_env out of your request.

For example, to access the secret twlio-key, $secrets.fetch('twilio-key'). This would be stored in AWS SM as dev/twilio-key.

If you would like to define a secret that is available in all envs, you can prefix your lookup with global and the secret_env will not be prependded to the request.

For example: to access the secret global/config/foo, $secrets.fetch('global/config/foo'). This would be stored in AWS SM as global/config/foo.

Payload

This gem expects your secret value to be a JSON object. The only required key is value. The following keys are optional:

  • ttl - Time to live in seconds. Describes how long the secret should live in in-memory cache.
  • encoding - Currently, only base64 is supported as a value. If your value is base64 encoded, this will result in a returned secret that is base64 decoded.
  • type - Currently, only json is supported as a value. If your value is valid JSON, this will result in a returned secret that is symbolified ruby hash.

Example:

{"value": "secretvalue", "ttl": 60} // Will live in cache for 60 seconds.
{"value": "c2VjcmV0dmFsdWU=", "ttl": 60, "encoding": "base64"} // Will live in cache for 60 seconds and is base64 encoded. Result will be "secretvalue"

Configuration

The follow ENV vars are expected:

  • AWS_SECRETS_ENV - preceeds all path lookups, ex: dev, staging, qa, production
  • AWS_SECRETS_KEY - AWS IAM access key
  • AWS_SECRETS_SECRET - AWS IAM access secret

The manager should be created at boot time, in an initializer for example, and stored as a constant or global.

$secrets = SecretsManager.new

Lookup

$secrets.fetch('services/twilio/api-key')
$secrets['services/twilio/api-key']

To use a secret that is available in all envs, prepend the secret name with global

$secrets['global/config/api-key']

Development

After checking out the repo, run bin/setup to install dependencies. Then, run rake spec to run the tests. You can also run bin/console for an interactive prompt that will allow you to experiment.

To install this gem onto your local machine, run bundle exec rake install. To release a new version, update the version number in version.rb, and then run bundle exec rake release, which will create a git tag for the version, push git commits and tags, and push the .gem file to rubygems.org.

Contributing

Bug reports and pull requests are welcome on GitHub at https://github.com/[USERNAME]/secrets-manager.