ssstash
is a very simple tool that manages sensitive information in S3.
All entities are encrypted at client side using KMS before sending to S3 (see Protecting Data Using Client-Side Encryption).
This is a S3 fork of credstash. Please refer to it for basic concepts.
go get github.com/ojima-h/ssstash
or
Download from https://github.com/ojima-h/ssstash/releases
curl -L https://github.com/ojima-h/ssstash/releases/download/v0.0.1/ssstash-0.0.1.linux-amd64.gz | zcat > ssstash
chmod +x ssstash
NAME:
ssstash - A new cli application
USAGE:
ssstash [global options] command [command options] [arguments...]
VERSION:
0.0.1
COMMANDS:
list, ls List saved credentials
put Save the credential in S3
get Get the credential from S3
delete, rm Delete the entry
help, h Shows a list of commands or help for one command
GLOBAL OPTIONS:
--help, -h show help
--version, -v print the version
The following Environment Variables can be used to configure default options.
SSSTASH_S3_BUCKET
-- S3 bucket where credentials are saved.SSSTASH_S3_PREFIX
-- S3 prefix under which credentials are saved.SSSTASH_AWS_PROFILE
-- Profile name in your .aws credential file.SSSTASH_KMS_KEY_ARN
-- KMS Key ARN to encrypt/decrypt credentials.
AWS CLI environment variables (AWS_ACCESS_KEY_ID
, ... etc) are also available.
ref. Configuring the AWS CLI » Environment Variables
Create a new credential:
ssstash put passward very-very-secret --key arn:aws:kms:ap-east-1:000000000000:key/xxxx
Fetch the credential:
ssstash get password
List saved credentials:
ssstash ls
Delete the credential:
ssstash rm password
credstash
uses DynamoDB to store credentials while ssstash
uses S3.
Each of these has its own advantages.
The advantages to use DynamoDB is described here.
The good points of S3 are:
- You don't have to care about the capacity.
- S3 is cheaper than DynamoDB in general.
- Many AWS SDKs supports S3 client-side encryption (see AWS SDK Support for Amazon S3 Client-Side Encryption). No special libraries are needed to fetch saved credentials.
- You can control access permissions for each entries using S3 Bucket Policy.
- S3 supports Versioning.