Have a way to override KMS key alias with a file about chamber HOT 10 CLOSED

Oh my mistake I completely misread your comment. Separate KMS key per service is very aggressive.

Is this supposed to be an additional safety mechanism besides using SSM IAM policy? Is there a particular issue with using only one KMS key?

from chamber.

@robinjoseph08 can you just set the environment variable in your profile? Seems like overkill to change the program when there is a simple fix available.

from chamber.

While that would work if we had one key with a different alias name, since we'll be having separate keys, it's a different alias for each service so we can't put it in our global profile.

from chamber.

Right, it's more of an additional safety mechanism. We didn't see that there was any reason for a particular service to have the ability to decrypt the secrets of any other service (even though we're already limiting which ones it can get through SSM). It just seemed like an unnecessarily large scope for a service's permission.

from chamber.

Any additional thoughts on this? I'd love to submit a PR, but only if you guys think it makes sense?

Having separate KMS keys is a pretty hard requirement for us, and we really want to make it as easy as possible to write secrets (i.e. as few environment variables necessary as possible).

from chamber.

this can be easily done via iam policies, and parameter prefix.
doing it at KMS level is overkill in my opinion
i posted an example in #45 (comment)

from chamber.

On the flipside of this, I'd appreciate a way to not use a customer-managed key at all, and instead just use the default AWS-managed key. There's relatively few reasons to use customer-managed keys if you grant kms:Decrypt permissions sparingly: i.e. with a condition on the PARAMETER_ARN encryption context key.

from chamber.

@eriksw You can use CHAMBER_KMS_KEY_ALIAS=aws/ssm chamber …. I'd even suggest that would be the better default.

from chamber.

This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions.

from chamber.

Out of scope I'd say.

from chamber.