TomFrost/Cryptex

Secrets not found

Opened this issue · 9 comments

I followed this tutorial http://technologyadvice.github.io/lock-up-your-customer-accounts-give-away-the-key/

And no matter what, it always says Failed getting secrets Error: Secret "clientId" not found

this is my cryptex.json

{
  "default": {
    "keySource": "kms",
    "keySourceOpts": {
      "region": "us-east-1",
      "dataKey": "key"
    },
    "secrets": {
      "clientId": "xb2xLesErQec45zZbO4Qxg2YKdIUgyrxG91iBBP/h4DL+sg4TumOJ0DEh84KbmX34HGIFtgRW189lu5LqTao5zOQfu+Xpb0b+wYxF+6DkZMNhlWmhs6PC4lQ/iMke2Tz1x0mIMzqyZ9BhvU8cJUVqw=="
    }
  }
}

Hi thanks for the fast reply.

This is a screenshot of my file structure; I'm using the serverless-webpack plugin.
Maybe that has something to do with it, but as you can see cryptex.json is inside the folder that is going to be uploaded to AWS.

https://monosnap.com/file/nRwEhzPUran8926xl9yiCrJIBJbDMw

A frontend project-- that's interesting. Maybe an obvious question, but I have to make sure: You're using your cryptex secrets during the webpack build process rather than trying to access them from the frontend, right? ;-)

Ultimately, it looks like the cryptex.json isn't being found and loaded, which is likely because of webpack/serverless copying it around to places where it's not expected to be. There's a super simple solution to this problem, though: rather than use a cryptex.json which is path-dependent, you can put all that same configuration right in the javascript code, or define it in environment variables. See 5 configuration steps at the top of the README -- each one shows you both the configuration keys to use, as well as the (very predictable) name of the env vars.

I personally still think it's worth having a cryptex.json, as that will allow the cli tool to run even if your env vars aren't set -- but for the application execution and where your secrets are physically stored, either of the other options would fit your use case better.

I'm using webpack only for bundling node_packages and babel compiler, I'm writing the modules in ES6, but it's still a serverless only project.

I already tried importing the .json inside a .js file like this

import './cryptex.json';

The file gets transpiled successfully, but cryptex.getSecret still returns "Not found".

I went ahead and used KMS directly with the AWS SDK, but I'll give cryptex a try with the env vars later.

Thanks!

What I was getting at is, Cryptex is not at all meant for in-browser use. It uses the server-side AWS SDK, not the client-side one, and will not work even if compiled with node polyfills. If you're using it in the browser, it won't work regardless of configuration type.

I'd also, from a security standpoint, heavily recommend against that. If a browser can get at the secret, it might as well not even be encrypted. There's nothing to stop a human from collecting it and sharing it.
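An added example (not Cryptex's own code) that sketches the configuration precedence described above, an in-code object over environment variables over a profile in cryptex.json, reproduces the `Secret "clientId" not found` error when the file is not where the loader looks, and refuses to run in a browser, as the maintainer advises. The environment-variable names, the `default` profile key and the case-insensitive secret lookup are assumptions made for illustration.

```javascript
'use strict';
// Illustration only; not Cryptex's code. Env var names, profile key and
// case-insensitive secret matching are assumptions: check the Cryptex README.

// Constructed stand-in for the cryptex.json posted in this issue (same shape,
// placeholder ciphertext instead of the real base64 value).
const FILE_CONFIG = {
  default: {
    keySource: 'kms',
    keySourceOpts: { region: 'us-east-1', dataKey: 'key' },
    secrets: { clientId: 'BASE64_CIPHERTEXT_PLACEHOLDER' }
  }
};

// Build a config from environment variables, or return null if none are set.
function configFromEnv(env) {
  const secrets = {};
  for (const [k, v] of Object.entries(env)) {
    if (k.startsWith('CRYPTEX_SECRET_')) secrets[k.slice(15)] = v; // 'CRYPTEX_SECRET_'.length === 15
  }
  if (!env.CRYPTEX_KEYSOURCE && Object.keys(secrets).length === 0) return null;
  return {
    keySource: env.CRYPTEX_KEYSOURCE,
    keySourceOpts: { region: env.CRYPTEX_OPT_REGION, dataKey: env.CRYPTEX_OPT_DATAKEY },
    secrets
  };
}

// Precedence: in-code object > environment variables > cryptex.json profile.
// `fileConfig` is the parsed cryptex.json, or null when the bundler moved it away.
function resolveConfig({ inline = null, env = {}, fileConfig = null, profile = 'default' } = {}) {
  if (inline) return { source: 'inline', config: inline };
  const fromEnv = configFromEnv(env);
  if (fromEnv) return { source: 'env', config: fromEnv };
  if (fileConfig && fileConfig[profile]) return { source: 'file', config: fileConfig[profile] };
  return { source: 'none', config: { secrets: {} } };
}

// Return the stored ciphertext for `name`, failing with the error text seen above.
function getSecretCiphertext(resolved, name) {
  const secrets = resolved.config.secrets || {};
  const key = Object.keys(secrets).find((k) => k.toLowerCase() === name.toLowerCase());
  if (key === undefined) throw new Error(`Secret "${name}" not found`);
  return secrets[key];
}

// Cryptex is server-side only: refuse to load secrets configuration in a browser.
function assertServerSide(g = globalThis) {
  if (typeof g.window !== 'undefined' && typeof g.document !== 'undefined') {
    throw new Error('Cryptex configuration must not be loaded in a browser');
  }
}
```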

Yes, but as I said, it is entirely server/serverless side, not front end. The front end is a React/React Native implementation that calls an endpoint that returns a new access_token from a provider, but that provider needs its 'client_id' and 'client_secret'; that was what I tried to encrypt.

I'm using the AWS SDK server side apart from cryptex and it works just fine.

Another thing I tried was

cryptex.use({ config: { keySource: 'kms', keySourceOpts: { dataKey: 'kms+encrypted+base64+string==' } } });

But it says "use is not a function". In the end I think webpack is the problem here; maybe cryptex is not bundling correctly with babel.

Ah, I understand! Sorry, I was unfamiliar with how Serverless works.

The error message is accurate, though -- use is not a function. I think what you want is update :).

Cool thanks! Will try this approach later on. Thanks again!

Ran into the use() is not a function problem too @TomFrost . The Cryptex docs disagree with you ;)

Put it right in the code
Don't want clutter in your file tree? That's cool. Do this:

cryptex.use({
  config: {
    keySource: 'kms',
    keySourceOpts: {
      dataKey: 'kms+encrypted+base64+string=='
    }
  }
});

Docs could do with updating. Thanks for the awesome package! :)