cookbook 'aws-kms', '~> 0.0.1'
aws-kms, version 0.0.1 (1 version published)
Provides a resource to decrypt secrets from AWS KMS
cookbook 'aws-kms', '~> 0.0.1', :supermarket
knife supermarket install aws-kms
knife supermarket download aws-kms
aws-kms cookbook
Description
This library cookbook gives you a simple workflow for encrypting secrets with AWS KMS and then using Chef to decrypt them and store them on an instance.
The cookbook includes a Thorfile to encrypt your secrets into .crypt files, and a Chef LWRP to decrypt all .crypt files in a folder.
Additionally, this README will advise you which IAM permissions to attach to an instance role so the instance can decrypt without any static access keys on the box.
The idea
Managing secrets is hard. Chef encrypted data bags are not ideal and are reasonably hard to manage (you still have to distribute the data bag key to every node). Chef Vault has its own overheads. So this is where KMS steps in.
KMS lets you create a key in AWS whose key material never leaves the service, and control access to it with IAM and the key's own policy. Anyone with the right permissions on that key can then call the API to encrypt and decrypt data (direct Encrypt/Decrypt calls are limited to 4 KB of plaintext, which is plenty for credentials and config secrets).
Therefore, you can:
- Encrypt all your secrets into files using a key
- Bake the files into your Amazon AMIs (or deliver them via scp, user data, code deployment etc.) and make sure they are owned by root and not readable by anyone else (note that user data can be read back by any local process via the instance metadata service, so it is not a root-only channel)
- Boot instances with an IAM role that can use that specific key to decrypt the files
- Run Chef to read all the files, decrypt them, and put them in a safe place on disk
This means two things:
- You must be on a machine with an IAM role that is allowed to decrypt with the key
- You must have root access to read the encrypted files
Effectively, an attacker has to compromise the box and get root to get at the encrypted secrets, and if that has happened it's probably already game over. Two caveats are worth knowing. First, the instance role's credentials are available to any local process via the instance metadata service, so the root-only permissions on the .crypt files (and on the decrypted output) are what keeps this from being a single unprivileged step. Second, every KMS Decrypt call is logged to CloudTrail, so decrypts from an unexpected principal, instance or time of day are something you can alert on.
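As an added example for the "IAM role that can use that specific key" step (this is not from the cookbook, whose IAM advice is still a to-do), the instance-role policy needs nothing more than kms:Decrypt on the one key. The region, account ID and key ID below are placeholders; substitute the ARN of your own key:

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "DecryptChefSecretsOnly",
      "Effect": "Allow",
      "Action": "kms:Decrypt",
      "Resource": "arn:aws:kms:us-east-1:123456789012:key/11111111-2222-3333-4444-555555555555"
    }
  ]
}
```

kms:Encrypt is deliberately left out, so a compromised instance cannot mint new .crypt files that a later run would trust; encryption stays on the operator's side. Remember that an IAM policy only takes effect if the key's key policy allows the account to delegate via IAM (the default key policy does this by granting the account root principal kms:*) or grants the role directly.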
Usage
There is an example fixture cookbook in fixtures/cookbooks/default that shows how to use the resource, as below (the properties are set by calling them, not by assigning with =, which would only create a local variable inside the block):

    aws_kms 'default' do
      crypt_folder '/etc/chef/crypt'
      decrypt_folder '/etc/chef/private'
    end
Properties
crypt_folder - Where your collection of .crypt files is stored. This could be in a cookbook, baked into your EC2 image, or dropped on the box some other way. String.
manage_crypt_folder - Create the folder and enforce its permissions. Boolean.
decrypt_folder - The location to decrypt the files to. String.
manage_decrypt_folder - Create the folder and enforce its permissions. Boolean.
Tests
chef exec rake test
chef exec kitchen test
Thorfile
This will encrypt your files for you and append a .crypt extension to the resulting files; it's then up to you to put them somewhere (your cookbook, your instance etc.).
not yet implemented
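To make the whole workflow concrete, here is an added example written for this page; it is not the cookbook's Thorfile or LWRP, and the folder layout, the key alias alias/chef-secrets and the FakeKms stand-in are all assumptions. encrypt_folder plays the Thorfile's role (plaintext files in, .crypt files out) and decrypt_crypt_folder plays the aws_kms resource's role (every *.crypt in crypt_folder decrypted into decrypt_folder, extension stripped, mode 0600). Against real AWS you would pass an Aws::KMS::Client from the aws-sdk-kms gem instead of FakeKms; FakeKms does no cryptography and exists only so the flow runs offline, but it does enforce the 4 KB plaintext limit that the real Encrypt call has.

```ruby
# Added example, not part of the aws-kms cookbook: a runnable model of the
# Thorfile (encrypt) and LWRP (decrypt) halves of the workflow in this README.
# With real AWS, replace FakeKms with Aws::KMS::Client.new(region: '...') from
# the aws-sdk-kms gem; the two calls used, encrypt(key_id:, plaintext:) and
# decrypt(ciphertext_blob:), have the same names and return fields there.
require 'fileutils'
require 'securerandom'
require 'tmpdir'

# Real KMS rejects Encrypt plaintext larger than 4096 bytes; the fake does too,
# so anything that would fail against the real service fails here as well.
KMS_MAX_PLAINTEXT = 4096

# Offline stand-in for Aws::KMS::Client. It performs NO cryptography: the
# "ciphertext" is an opaque token and the plaintext lives only inside this
# object, which models the property that matters for the threat model above:
# the bytes on disk are useless without permission to call Decrypt.
class FakeKms
  Result = Struct.new(:ciphertext_blob, :plaintext, :key_id)

  def initialize
    @vault = {} # token => [key_id, plaintext]
    @calls = [] # roughly what CloudTrail would record for this client
  end
  attr_reader :calls

  def encrypt(key_id:, plaintext:)
    raise ArgumentError, 'plaintext exceeds 4096 bytes' if plaintext.bytesize > KMS_MAX_PLAINTEXT
    token = "fake-kms:#{SecureRandom.hex(16)}"
    @vault[token] = [key_id, plaintext.dup]
    @calls << [:encrypt, key_id]
    Result.new(token, nil, key_id)
  end

  def decrypt(ciphertext_blob:)
    key_id, plaintext = @vault.fetch(ciphertext_blob) { raise ArgumentError, 'invalid ciphertext' }
    @calls << [:decrypt, key_id]
    Result.new(nil, plaintext.dup, key_id)
  end
end

# Thorfile side: every regular file in src_dir becomes <name>.crypt in crypt_dir.
# Returns the list of .crypt paths written.
def encrypt_folder(kms, key_id, src_dir, crypt_dir)
  FileUtils.mkdir_p(crypt_dir, mode: 0o700)
  files = Dir.children(src_dir).sort.map { |n| File.join(src_dir, n) }.select { |p| File.file?(p) }
  files.map do |src|
    blob = kms.encrypt(key_id: key_id, plaintext: File.binread(src)).ciphertext_blob
    out = File.join(crypt_dir, File.basename(src) + '.crypt')
    File.binwrite(out, blob)
    out
  end
end

# LWRP side: decrypt every *.crypt in crypt_dir into decrypt_dir, dropping the
# extension, so only the file owner (root on an instance) can read the result.
# Returns the list of plaintext paths written.
def decrypt_crypt_folder(kms, crypt_dir, decrypt_dir, manage_decrypt_folder: true)
  FileUtils.mkdir_p(decrypt_dir, mode: 0o700) if manage_decrypt_folder
  Dir.glob(File.join(crypt_dir, '*.crypt')).sort.map do |crypt|
    plaintext = kms.decrypt(ciphertext_blob: File.binread(crypt)).plaintext
    out = File.join(decrypt_dir, File.basename(crypt, '.crypt'))
    # Create with the final 0600 mode rather than chmod afterwards, so there is
    # no window in which a default-umask file is readable by other users.
    File.open(out, File::WRONLY | File::CREAT | File::TRUNC, 0o600) { |f| f.binmode; f.write(plaintext) }
    File.chmod(0o600, out) # in case the file already existed with a looser mode
    out
  end
end

# Round trip through the fake service on constructed sample secrets.
def demo_round_trip(secrets = { 'db_password' => "s3cr3t\n", 'api_token' => 'tok-123' })
  kms = FakeKms.new
  Dir.mktmpdir do |root|
    src, crypt, priv = %w[plain crypt private].map { |d| File.join(root, d) }
    FileUtils.mkdir_p(src)
    secrets.each { |name, value| File.binwrite(File.join(src, name), value) }
    encrypt_folder(kms, 'alias/chef-secrets', src, crypt) # key alias is an assumed placeholder
    written = decrypt_crypt_folder(kms, crypt, priv)
    {
      names: written.map { |p| File.basename(p) },
      contents: written.map { |p| [File.basename(p), File.binread(p)] }.to_h,
      modes: written.map { |p| File.stat(p).mode & 0o777 }.uniq,
      decrypt_calls: kms.calls.count { |kind, _| kind == :decrypt }
    }
  end
end

puts demo_round_trip.inspect if __FILE__ == $PROGRAM_NAME
```

Run it with ruby on the file to see the round trip. The two points to take from the decrypt side are that the plaintext file is created with its final 0600 mode instead of being chmod'ed after the fact, and that each secret costs one Decrypt API call, which is the event you would correlate in CloudTrail when checking that only your instance role is using the key.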
Requirements
The ChefDK
Dependent cookbooks
This cookbook has no specified dependencies.
Contingent cookbooks
There are no cookbooks that are contingent upon this one.
Collaborator Number Metric
0.0.1 failed this metric
Failure: Cookbook has 0 collaborators. A cookbook must have at least 2 collaborators to pass this metric.
Contributing File Metric
0.0.1 failed this metric
Failure: To pass this metric, your cookbook metadata must include a source url, the source url must be in the form of https://github.com/user/repo, and your repo must contain a CONTRIBUTING.md file
Foodcritic Metric
0.0.1 failed this metric
FC066: Ensure chef_version is set in metadata: aws-kms/metadata.rb:1
FC069: Ensure standardized license defined in metadata: aws-kms/metadata.rb:1
Run with Foodcritic Version 16.3.0 with tags metadata,correctness ~FC031 ~FC045 and failure tags any
No Binaries Metric
0.0.1 passed this metric
Testing File Metric
0.0.1 failed this metric
Failure: To pass this metric, your cookbook metadata must include a source url, the source url must be in the form of https://github.com/user/repo, and your repo must contain a TESTING.md file
Version Tag Metric
0.0.1 failed this metric
Failure: To pass this metric, your cookbook metadata must include a source url, the source url must be in the form of https://github.com/user/repo, and your repo must include a tag that matches this cookbook version number