humilis-decrypt

Humilis plug-in to deploy a Lambda

Project description

A humilis plug-in layer that deploys a custom CloudFormation (CF) resource that can be used to decrypt secrets embedded in CF templates.

CREDIT: All credit goes to the Casecommons lambda-cfn-kms project. This repo is just the result of bundling the lambda-cfn-kms repository as a humilis plug-in.

Installation

pip install humilis-decrypt

To install the development version:

pip install git+https://github.com/humilis/humilis-decrypt

Development

Assuming you have virtualenv installed:

make develop

Configure humilis:

make configure

How does it work?

First create the Lambda function that backs the custom resource:

make create

The deployment will produce two artifacts:

  • The ID of the KMS key associated with the custom resource.

  • The ARN of the deployed Lambda function.

You can use the KMS key ID to encrypt your secrets locally. For example, to encrypt the dummy DB password "dummy" with the key 3ea941bf-ee54-4941-8f77-f1dd417667cd:

aws kms encrypt --key-id 3ea941bf-ee54-4941-8f77-f1dd417667cd --plaintext 'dummy'

The output will be something like this:

{
    "CiphertextBlob": "AQICAHi2zdvZYfUQOQV8yX/HLdcIMqHHkubAYAei2Qo498KheQFDELPYHds8169cc9EqggEuAAAAZjBkBgkqhkiG9w0BBwagVzBVAgEAMFAGCSqGSIb3DQEHATAeBglghkgBZQMEAS4wEQQM+gDfP3DDVgbFYNidAgEQgCMrz1beR+s0XqWTVIuCbJ+E/cC7sqUzmPEB0weOhQ3GOE65rg==",
    "KeyId": "arn:aws:kms:eu-west-1:XXXXX:key/a86x4dd8-6b8e-41ce-aa65-4aa370d9ccbf"
}

Whenever you want to use your secret in a CF template you would do something like this:

---
resources:
  DbPasswordDecrypt:
    Type: "Custom::KMSDecrypt"
    Properties:
      ServiceToken: <lambda_function_arn>
      Ciphertext: "AQICAHi2zdvZYfUQOQV8yX/HLdcIMqHHkubAYAei2Qo498KheQFDELPYHds8169cc9EqggEuAAAAZjBkBgkqhkiG9w0BBwagVzBVAgEAMFAGCSqGSIb3DQEHATAeBglghkgBZQMEAS4wEQQM+gDfP3DDVgbFYNidAgEQgCMrz1beR+s0XqWTVIuCbJ+E/cC7sqUzmPEB0weOhQ3GOE65rg=="
  DbInstance:
    Type: "AWS::RDS::DBInstance"
    Properties:
      AllocatedStorage: "20"
      DBInstanceClass: "db.m1.small"
      Engine: "MySQL"
      EngineVersion: "5.5"
      MasterUsername: "admin"
      MasterUserPassword:
        Fn::Sub: ${DbPasswordDecrypt.Plaintext}

where you will need to replace <lambda_function_arn> with the ARN of the Lambda function that backs the custom CF resource and implements the decryption logic. The Lambda's execution role must be allowed to call kms:Decrypt on that key, and the decrypted value is only ever handed back to CloudFormation as the resource's Plaintext attribute.
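To make the round trip concrete, here is an added illustration (not the project's or lambda-cfn-kms's own code) of what a Custom::KMSDecrypt backing function has to do: read the Ciphertext property from the CloudFormation custom-resource event, decrypt it with KMS, and PUT a response carrying Plaintext to the pre-signed ResponseURL, marked NoEcho so the secret does not surface in stack events. The decrypt and send steps are injectable so the handler can be exercised without AWS credentials; the event fields and URLs in the comments are constructed samples.

```python
import base64
import json
import urllib.request


def decrypt_with_kms(ciphertext_b64):
    """Decrypt a base64 CiphertextBlob (as produced by `aws kms encrypt`) with KMS."""
    import boto3  # imported lazily so the module loads without boto3 for local tests
    blob = base64.b64decode(ciphertext_b64)
    return boto3.client("kms").decrypt(CiphertextBlob=blob)["Plaintext"].decode("utf-8")


def build_response(event, status, data=None, reason=""):
    """Body CloudFormation expects to be PUT to event['ResponseURL']."""
    return {
        "Status": status,                # "SUCCESS" or "FAILED"
        "Reason": reason,
        "PhysicalResourceId": event.get("PhysicalResourceId") or event["LogicalResourceId"],
        "StackId": event["StackId"],
        "RequestId": event["RequestId"],
        "LogicalResourceId": event["LogicalResourceId"],
        "NoEcho": True,                  # mask Data values in stack events / console
        "Data": data or {},              # exposed to the template via Fn::GetAtt
    }


def send_response(url, body):
    """PUT the response to the pre-signed S3 URL; Content-Type must be empty."""
    payload = json.dumps(body).encode("utf-8")
    req = urllib.request.Request(url, data=payload, method="PUT",
                                 headers={"Content-Type": "",
                                          "Content-Length": str(len(payload))})
    urllib.request.urlopen(req).read()


def handle(event, decrypt=decrypt_with_kms, send=send_response):
    """Process one Create/Update/Delete custom-resource event and always answer it."""
    try:
        if event["RequestType"] == "Delete":
            body = build_response(event, "SUCCESS")  # nothing to tear down
        else:
            ciphertext = event["ResourceProperties"]["Ciphertext"]
            body = build_response(event, "SUCCESS", {"Plaintext": decrypt(ciphertext)})
    except Exception as exc:  # a missing answer would hang the stack until timeout
        body = build_response(event, "FAILED", reason=str(exc))
    send(event["ResponseURL"], body)
    return body


def lambda_handler(event, context):
    return handle(event)
```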

More information

See humilis documentation.

Contact

If you have questions, bug reports, suggestions, etc. please create an issue on the GitHub project page.

License

See the original license in the lambda-cfn-kms repository.


Source distribution

humilis-decrypt-0.0.1.tar.gz (3.8 kB)

Hashes for humilis-decrypt-0.0.1.tar.gz

Algorithm    Hash digest
SHA256       473dfd02d84721ac83cf93e4d6b7f72f39939bba6f549f109028f1769a700f51
MD5          6593c25783b69535d46c1e71b72f166f
BLAKE2b-256  8ee8536ec814ce9203ef442a990a47fabb6034a8d6017f1b793986e88e6b9646
