Rucredstash

Crates.io MIT licensed Build Status

Table of Contents

Introduction

Rucredstash is a Rust port of CredStash

It uses a combination of AWS Key Management Service (KMS) and DynamoDB to store secrets. This is needed when you want to store and retrieve your credentials (like database password, API Keys etc) securely. A more detailed tutorial is here.

This package offers the interface via both CLI and an library way of accessing it. The CLI is meant as a drop in replacement of the original credstash program and therefore it tries to have the exact interface as the original program.

Usage

``` shellsession rucredstash 0.8.0 Sibi Prabakaran A credential/secret storage system

USAGE: rucredstash [OPTIONS] [SUBCOMMAND]

FLAGS: -h, --help Prints help information -V, --version Prints version information

OPTIONS: -a, --arn AWS IAM ARN for AssumeRole -m, --mfaserial Optional MFA hardware device serial number or virtual device ARN -p, --profile Boto config profile to use when connecting to AWS -r, --region the AWS region in which to operate. If a region is not specified, credstash will use the value of the AWSDEFAULTREGION env variable, or if that is not set, the value in ~/.aws/config. As a last resort, it will use us-east-1 -t, --table

DynamoDB table to use for credential storage. If not specified, credstash will use the value of the CREDSTASHDEFAULT_TABLE env variable, or if that is not set, the value credential-store will be used

SUBCOMMANDS: delete Delete a credential from the store get Get a credential from the store getall Get all credentials from the store help Prints this message or the help of the given subcommand(s) keys List all keys in the store list List credentials and their versions put Put a credential into the store putall Put credentials from json or file into the store setup setup the credential store ```

Installation

See Github releases: https://github.com/psibi/rucredstash/releases

Executables are available for all the three major platforms: Linux, Windows and MacOS.

Infrastructure Setup

For rucredstash to work, you need to setup the following AWS infrastrucutre:

Usage Examples

Different way of passing AWS Credentials

The most simple case is to export the proper environment variable and use it:

shellsession $ export AWS_ACCESS_KEY_ID=xxxx $ export AWS_SECRET_ACCESS_KEY=xxxx $ rucredstash list hello -- version 0000000000000000001 --comment hellehllobyegood -- version 0000000000000000001 --comment hello1 -- version 0000000000000000001 --comment

Note that rucredstash by default uses DefaultCredentialsProvider, so your credentials will be based on that. But it even allows other complex usage scenarios:

shellsession $ export AWS_ACCESS_KEY_ID=xxxx $ export AWS_SECRET_ACCESS_KEY=xxxx $ rucredstash --arn arn:aws:iam::786946123934:role/admin --mfa_serial arn:aws:iam::786946123934:mfa/sibi --region us-west-2 list Enter MFA Code: xxxxx hello -- version 0000000000000000001 --comment hellehllobyegood -- version 0000000000000000001 --comment hello1 -- version 0000000000000000001 --comment

Note that the MFA functionality isn't present in the original credstash program (the Python program). You can also use programs like aws-env and use this tool. Example:

shellsession $ aws-env rucredstash list hello -- version 0000000000000000001 --comment hellehllobyegood -- version 0000000000000000001 --comment hello1 -- version 0000000000000000001 --comment

Other usage examples

Put secret value

shellsession $ rucredstash put hello world hello has been stored

You can also use the encryption context associated with the credential:

shellsession $ rucredstash put nasdaq nifty500 market=world nasdaq has been stored

Or even multiple encryption contexts:

shellsession $ rucredstash put vanguard vanguardsecret market=world indexfunds=us vanguard has been stored

Get secret value

shellsession $ rucredstash get hello1 world1

Now let's also try to retrieve using the encryption context:

shellsession $ rucredstash get nasdaq market=world nifty500

And using multiple encryption context:

shellsession $ rucredstash get vanguard market=world indexfunds=us vanguardsecret

Get all secret values

shellsession $ rucredstash getall { "hellehllobyegood": "dam", "hello": "world", "hello1": "world1" }

You can get that in other formats too:

shellsession $ rucredstash getall --format yaml hello: world hellehllobyegood: dam hello1: world1

List credentials with other metadata

shellsession $ rucredstash list hello -- version 0000000000000000001 --comment hellehllobyegood -- version 0000000000000000001 --comment hello1 -- version 0000000000000000001 --comment

Get all keys

shellsession $ rucredstash keys hello hellehllobyegood hello1

Delete a specific key

shellsession $ rucredstash delete hello Deleting hello --version 0000000000000000001

Put a bunch of secrets (putall subcommand)

You can pass the input from a file using the special symbol @ to indicate that the data is fed from the file:

shellsession $ bat secrets.json ───────┬──────────────────────────────────────── │ File: secrets.json ───────┼──────────────────────────────────────── 1 │ { 2 │ "hello": "world", 3 │ "hi": "bye" 4 │ } ───────┴──────────────────────────────────────── $ rucredstash putall @secrets.json hello has been stored hi has been stored

You can also pass the data via stdin using the special operator -:

shellsession $ rucredstash putall - { "hello": "world" } hello has been stored

Note that the passed data should be in json format. You press the Enter key to indicate that you have finished passing the data.

Also, you can also pass the data directly to it:

shellsession $ rucredstash putall '{"hello":"world","hi":"bye"}' hello has been stored hi has been stored