Razorpay's Secret Credential management system.
alohomora is distributed via PyPi:
pip install razorpay.alohomora
Alohomora is an opinionated project that relies on our conventions to intelligently fetch secrets at run-time.
We don't do our own crypto. We rely on these libraries instead:
This is how the template file looks in our app repository:

```
# {{ alohomora_managed }}
DB_PASSWORD = {{ lookup('db_password') }}
APP_ENV = {{ env }}
ENV_DEBUG = {{ ENV['DEBUG'] }}
APP_NAME = {{ app }}
```
alohomora renders this template directly and writes the equivalent file as its output.
The steps it follows are:
- Figure out the table from which to read. All secrets are stored in DynamoDB tables named `credstash-env-app`.
- Fetch all secrets from that table using credstash.
- Render the template with the secrets using jinja.
Alohomora expects the secrets for any application to be stored in a table called `credstash-{env}-{app}`. The IAM roles granting access to this table must be configured by you. Once you try to render a template, alohomora will do the following:
- Read the entire table, decrypt all secrets and cache them locally.
- Render the template with these secrets and 3 extra variables: `env`, `app`, and `ENV`.
`ENV` is the same as `os.environ` inside the jinja template.
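The two render steps above, as an added example written for this README (not alohomora's own code): the decrypted `credstash-{env}-{app}` table is stood in for by a constructed in-memory dict, `lookup()` is exposed to the template as a callable that reads from the cached secrets, and `env`, `app` and `ENV` are passed as the three extra variables. The template is a trimmed version of the one shown above, and the function names `fetch_secrets` and `render` are this example's own. `StrictUndefined` is used so that a missing secret or environment variable fails the render instead of silently producing an empty value.

```python
import os

from jinja2 import Environment, StrictUndefined

# Constructed stand-in for the already-decrypted credstash table that alohomora
# reads in full and caches locally; a real deployment fetches this via credstash.
FAKE_TABLE = {
    "credstash-prod-birdie": {
        "db_password": "s3cr3t-from-dynamo",
        "api_key": "not-a-real-key",
    },
}

# Trimmed copy of the app-repo template from the README (constructed input).
TEMPLATE = """DB_PASSWORD = {{ lookup('db_password') }}
APP_ENV = {{ env }}
ENV_DEBUG = {{ ENV['DEBUG'] }}
APP_NAME = {{ app }}
"""


def fetch_secrets(env, app, table=FAKE_TABLE):
    """Pick the credstash-{env}-{app} table and read all of it into a local cache."""
    name = f"credstash-{env}-{app}"
    if name not in table:
        raise KeyError(f"no secrets table named {name}")
    return dict(table[name])


def render(template_src, env, app, environ=None, table=FAKE_TABLE):
    """Render the template with lookup(), env, app and ENV (= os.environ)."""
    secrets = fetch_secrets(env, app, table)
    # ENV mirrors os.environ; an explicit dict is accepted so the example runs offline.
    environ = dict(os.environ if environ is None else environ)

    def lookup(key):
        # Fail loudly: a blank DB_PASSWORD in the output is worse than no file.
        try:
            return secrets[key]
        except KeyError:
            raise KeyError(f"secret {key!r} not in credstash-{env}-{app}") from None

    # StrictUndefined makes {{ ENV['MISSING'] }} or an unknown variable an error
    # instead of rendering as an empty string. autoescape is off: this is not HTML.
    jenv = Environment(undefined=StrictUndefined, autoescape=False)
    template = jenv.from_string(template_src)
    return template.render(lookup=lookup, env=env, app=app, ENV=environ)


if __name__ == "__main__":
    print(render(TEMPLATE, "prod", "birdie", environ={"DEBUG": "0"}))
```

Note that `ENV` exposes the whole process environment to every template, so anything present in the environment of the rendering process can be written into the generated file; keep that environment minimal when rendering in CI or on a host.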
Alohomora is designed to be a zero-config solution.
We perform a few transforms on the arguments that are passed:
- Change both `app` and `env` to lowercase.
- Replace `production` with `prod` in the `env` name.
- Ignore anything after `-` in the environment. So `beta-birdie` becomes `beta`.
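The three transforms above, applied in the documented order and then used to build the `credstash-{env}-{app}` table name, as an added example written for this README rather than alohomora's own code. The function names `normalize` and `table_name` are this example's own, and treating the `production` to `prod` rule as a substring replacement is an assumption.

```python
def normalize(env, app):
    """Apply the documented argument transforms, in the documented order."""
    # 1. Both arguments are lowercased.
    env = env.lower()
    app = app.lower()
    # 2. "production" becomes "prod" in the env name (assumed: substring replace).
    env = env.replace("production", "prod")
    # 3. Anything after the first "-" in the environment is ignored.
    env = env.split("-", 1)[0]
    return env, app


def table_name(env, app):
    """Name of the DynamoDB table alohomora reads for this env/app pair."""
    env, app = normalize(env, app)
    return f"credstash-{env}-{app}"


if __name__ == "__main__":
    for raw_env, raw_app in [("beta-birdie", "Birdie"),
                             ("Production", "API"),
                             ("production-blue", "api")]:
        print(f"{raw_env!r}, {raw_app!r} -> {table_name(raw_env, raw_app)}")
```

A consequence of the third rule worth keeping in mind: `beta-birdie` and `beta-hawk` both resolve to the `beta` environment, so every `beta-*` deployment of an app reads the same secrets table, and the IAM policy on that table must be written with that in mind.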
Please see the wiki regarding alohomora binary usage.
alohomora is released under the same license as credstash.