Rucredstash is a Rust port of CredStash.
It uses a combination of AWS Key Management Service (KMS) and DynamoDB to store secrets. This is needed when you want to store and retrieve your credentials (like database passwords, API keys, etc.) securely. A more detailed tutorial is here.
This package offers the interface both as a CLI and as a library.
``` shellsession
$ rucredstash --help
rucredstash 0.4
Sibi Prabakaran
A credential/secret storage system

USAGE:
    rucredstash [OPTIONS] [SUBCOMMAND]

FLAGS:
    -h, --help       Prints help information
    -V, --version    Prints version information

OPTIONS:
    -a, --arn
    [...] ~/.aws/config. As a last resort, it will use us-east-1
    -t, --table      DynamoDB table to use for credential storage. If not specified, credstash will use
                     the value of the CREDSTASHDEFAULT_TABLE env variable, or if that is not set, the
                     value credential-store will be used

SUBCOMMANDS:
    delete    Delete a credential from the store
    get       Get a credential from the store
    getall    Get all credentials from the store
    help      Prints this message or the help of the given subcommand(s)
    keys      List all keys in the store
    list      List credentials and their versions
    put       Put a credential from the store
    setup     setup the credential store
```

Installation

See Github releases: https://github.com/psibi/rucredstash/releases

Executables are available for all three major platforms: Linux, Windows and MacOS.

Infrastructure Setup

For rucredstash to work, you need to set up the following AWS infrastructure:

Usage Examples

Different ways of passing AWS Credentials

The simplest case is to export the proper environment variables and use them:

``` shellsession
$ export AWS_ACCESS_KEY_ID=xxxx
$ export AWS_SECRET_ACCESS_KEY=xxxx
$ rucredstash list
hello -- version 0000000000000000001 --comment
hellehllobyegood -- version 0000000000000000001 --comment
hello1 -- version 0000000000000000001 --comment
```

Note that rucredstash by default uses DefaultCredentialsProvider, so your credentials will be based on that. But it also allows other, more complex usage scenarios:

``` shellsession
$ export AWS_ACCESS_KEY_ID=xxxx
$ export AWS_SECRET_ACCESS_KEY=xxxx
$ rucredstash --arn arn:aws:iam::786946123934:role/admin --mfa_serial arn:aws:iam::786946123934:mfa/sibi --region us-west-2 list
Enter MFA Code: xxxxx
hello -- version 0000000000000000001 --comment
hellehllobyegood -- version 0000000000000000001 --comment
hello1 -- version 0000000000000000001 --comment
```

Note that the MFA functionality isn't present in the original credstash program (the Python program).

You can also use programs like aws-env and use this tool. Example:

``` shellsession
$ aws-env rucredstash list
hello -- version 0000000000000000001 --comment
hellehllobyegood -- version 0000000000000000001 --comment
hello1 -- version 0000000000000000001 --comment
```

Other usage examples

Put secret value

``` shellsession
$ rucredstash put hello world
hello has been stored
```

You can also use the encryption context associated with the credential:

``` shellsession
$ rucredstash put nasdaq nifty500 market=world
nasdaq has been stored
```

Or even multiple encryption contexts:

``` shellsession
$ rucredstash put vanguard vanguardsecret market=world indexfunds=us
vanguard has been stored
```

Get secret value

``` shellsession
$ rucredstash get hello1
world1
```

Now let's also try to retrieve using the encryption context:

``` shellsession
$ rucredstash get nasdaq market=world
nifty500
```

And using multiple encryption contexts:

``` shellsession
$ rucredstash get vanguard market=world indexfunds=us
vanguardsecret
```

Get all secret values

``` shellsession
$ rucredstash getall
{
  "hellehllobyegood": "dam",
  "hello": "world",
  "hello1": "world1"
}
```

You can get that in other formats too:

``` shellsession
$ rucredstash getall --format yaml
hello: world
hellehllobyegood: dam
hello1: world1
```

Get all keys

``` shellsession
$ rucredstash keys
hello
hellehllobyegood
hello1
```
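
A fail-closed way to consume `rucredstash get` (with or without an encryption context) from a script, as an added example that is not part of the rucredstash project. `load_secret` and `run_with` are hypothetical helper names, and the code assumes `rucredstash get` exits non-zero when the lookup or the KMS decryption fails.

```shell
#!/bin/sh
# Added example; not part of rucredstash. Assumption: `rucredstash get`
# exits non-zero when the lookup or the KMS decryption fails.

# load_secret VAR NAME [key=value ...]
# Puts the secret NAME into shell variable VAR without exporting it. The
# key=value pairs are the encryption context given to `rucredstash put`.
load_secret() {
    [ $# -ge 2 ] || { echo "usage: load_secret VAR NAME [key=value ...]" >&2; return 2; }
    _var=$1 _name=$2
    shift 2
    # VAR is used in eval below, so accept plain identifiers only.
    case $_var in
        ''|[!A-Za-z_]*|*[!A-Za-z0-9_]*) echo "load_secret: bad variable name" >&2; return 2 ;;
    esac
    # A NAME or context pair starting with '-' would be parsed as an option.
    case $_name in
        ''|-*) echo "load_secret: bad credential name" >&2; return 2 ;;
    esac
    for _pair in "$@"; do
        case $_pair in
            [!-]*=?*) ;;
            *) echo "load_secret: context must be key=value: $_pair" >&2; return 2 ;;
        esac
    done
    # Fail closed: VAR is assigned only if the command succeeded.
    if ! _value=$(rucredstash get "$_name" "$@"); then
        echo "load_secret: could not retrieve '$_name'" >&2
        return 1
    fi
    if [ -z "$_value" ]; then
        echo "load_secret: '$_name' is empty" >&2
        return 1
    fi
    eval "$_var=\$_value"
    unset _value
}

# run_with VAR command [args ...]
# Exports VAR only inside a subshell, so the secret reaches this one
# command and does not stay in the calling shell's environment.
run_with() {
    _var=$1
    shift
    ( export "$_var"; exec "$@" )
}

# Usage, with the credential from the examples above:
#   load_secret NASDAQ nasdaq market=world && run_with NASDAQ ./app
```

Command substitution strips trailing newlines, so a secret that legitimately ends in a newline will lose it.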