Project

secrets_parser

0.0
Bugfix fork ofgeoip2_c
No release in over 3 years
Low commit activity in last 3 years
secrets_parserpeertransfer/secrets_parserHomepageDocumentationSource CodeBug TrackerWiki
Write a longer description or delete this line.
2005
2006
2007
2008
2009
2010
2011
2012
2013
2014
2015
2016
2017
2018
2019
2020
2021
2022
2023
2024
2025
2026
 Popularity
Downloads
25,295
Stars
1
Forks
1
Watchers
8
 Releases
Current version
0.2.0
Total releases
3
First release
2018-07-03
Latest release
2019-05-13
 Pull Requests
Open Pull Requests
0
Closed Pull Requests
1
Merged Pull Requests
4
Pull Request Acceptance Rate
80%
 Development
Primary Language
Ruby
Licenses
MIT
Average date of last 50 commits
2020-01-01
Reverse Dependencies
0

 Dependencies

Development

bundler
~> 1.16
rake
~> 10
rspec
~> 3.0
 Project Readme

Secrets Parser

test

This gem parse the secrets reading a field in a JSON file, download the encrypted secrets file from S3 and change the values for the encrypted ones.

Usage

For using correctly this gem, we will need 4 basic things: a JSON file to parse, an S3 bucket and a JSON file encrypted with a AWS KMS key that will store the secret values.

JSON File to parse

This file is where there are going to be the references to the secrets in S3. Example:

{
    "variables": {
      "MY_SECRET": "secret:bucket_name/path:my_secret",
      "OTHER_SECRET": "secret:bucket_name/path:other_secret"
    }
}

The example has 2 secrets in it, these references have 3 parts:

  • secret: : This is needed to let the gem idetify that the value is a reference to a secret.
  • bucket_name/path : Path where is located the secret file, bucket_name + path, the extension of the file is inside the gem and it's json.encrypted, so in this case, there is a file in this bucket named secret-testing.json.encrypted.
  • :my_secret and :other_secret : That's the key that's inside the encrypted file.

This allow us to let the secret managers decide where to put those secrets

KMS Key

AWS KMS key used to encrypt the secrets and the S3 bucket where secrets are going to be stored.

S3 Bucket

Just a AWS S3 Bucket, it's recommended to have it encrypted at rest too with the same KMS key.

Encrypted JSON file

Here is where secrets are going to be stored, a simple JSON with all the keys and secrets. Example:

{
  "my_secret": "This is a secret weeee",
  "other_secret": "PINCODE: 12345"
}

After configuring it, encrypt it with:

aws kms encrypt --key-id $YOUR_KMS_KEY_ID --plaintext fileb://YOUR_FILE.json --output text --query CiphertextBlob | base64 --decode > YOUR_FILE.json.encrypted

After that, upload it to your S3 and copy the reference in your JSON.

Usage example

First, set the AWS credentials needed for accesing the S3 bucket and decrypting files.

Ruby example code:

#!/usr/bin/env ruby

require 'bundler/setup'
require 'secrets_parser'
require 'aws-sdk-s3'

file_json = './app.json' #Path to your json file to be parsed, now using the described in the example
field_to_parse = 'variables' # Field to parse

parser = Secrets::Parser.new
parser.set_config do |config|
  config[:s3_client] = Aws::S3::Client.new(region: ENV['AWS_DEFAULT_REGION'])
  config[:kms_client] = Aws::KMS::Client.new(region: ENV['AWS_DEFAULT_REGION'])
end

parsed_file = parser.parse(file_json, field_to_parse)

puts JSON.pretty_generate(parsed_file)

Output:

{
  "variables": {
    "my_secret": "This is a secret weeee",
    "other_secret": "PINCODE: 12345"
  }
}

Logging

To enable logging feature just configure :logger key injecting a logger that implements Logger interface.

Sample using ruby's Logger stdlib:

require 'secrets_parser'
require 'logger'

parser = Secrets::Parser.new
parser.set_config do |config|
  config[:logger] = Logger.new(STDOUT)
end