Humilis layer that deploys a secrets vault
Project description
A humilis plugin that deploys an encrypted DynamoDB table that serves secrets to one or more Lambda functions. The encryption and decryption of secrets is handled by AWS KMS service.
Installation
From [PyPI][pypi]:
pip install humilis-secrets-vault
To install the dev version:
pip install git+https://github.com/InnovativeTravel/humilis-secrets-vault
How do I use this?
Simply add this layer to your humilis environment and use the layer parameter associated_processors to specify the layers that contain the Lambda functions that require access to the secrets in the vault. For example, the environment below deploys a Lambda function that filters events in a Kinesis stream and gives the Lambda access to the secrets vault that is also part of the same environment:
---
myenvironment:
description:
An environment with a Lambda processor to filter events in a Kinesis
stream.
layers:
- layer: streams
layer_type: streams
streams:
- name: InputStream
shard_count: 1
- name: OutputStream
shard_count: 1
- name: MatchedStream
shard_count: 1
- layer: filter
layer_type: filter
dependencies: ["streams"]
input: {layer: streams, stream: InputStream}
output: {layer: streams, stream: OutputStream}
# Do not delivered the unmatched events anywhere
matched: {layer: streams, stream: MatchedStream}
input_delivery: False
output_delivery: False
matched_delivery: False
- layer: secrets-vault
layer_type: secrets-vault
# We specify that the Lambda processor in the filter layer should
# have access to the secrets in the vault.
associated_processors: ["filter"]
Retrieving secrets
To be able to retrieve secrets your Lambda function should include package lambdautils as a depencency.
Then you can easily retrieve secrets from the vault within your Lambda code as follows:
import lambdautils.utils as utils
plaintext = utils.get_secret("key_for_my_secret")
Storing secrets
You can use humilis to store secrets in the vault from the command line:
humilis set-secret --stage [STAGE] [ENVIRONMENT_FILE] [SECRET_ID] [SECRET_VALUE]
Deployment requirements
You need to install humilis and configure a local profile:
humilis configure --local
The command above will create a .humilis.ini file that you can keep with the rest of your code. This repository contains one such file with values that make sense for people working at Innovative Travel.
Development
Assuming you have virtualenv installed:
make develop
Configure humilis:
.env/bin/humilis configure --local
Testing
You can test the deployment of the secrets vault using:
make createThen you can then run the integration test suite (TBD):
make testi
Don’t forget to delete the test deployment once you are done:
make deleteMore information
See humilis documentation.
Who do I ask?
Ask German.
Download files
Download the file for your platform. If you're not sure which to choose, learn more about installing packages.
Source Distribution
Hashes for humilis-secrets-vault-0.0.2.tar.gz
| Algorithm | Hash digest | |
|---|---|---|
| SHA256 | dac3f53a12e7317ee450b28ff1a9f75112cab8192b5af40a9bc987f08f557cd2 |
|
| MD5 | e1ab3e3b311079fc6c8d1e5618b9ade1 |
|
| BLAKE2b-256 | b288041c81f3d3331f441fedcaf6e02ed6cb11032b936ad51c7297849ea69274 |
