Comments (10)
Oh, my mistake, I completely misread your comment. A separate KMS key per service is very aggressive.
Is this supposed to be an additional safety mechanism besides using an SSM IAM policy? Is there a particular issue with using only one KMS key?
from chamber.
@robinjoseph08 can you just set the environment variable in your profile? Seems like overkill to change the program when there is a simple fix available.
While that would work if we had one key with a different alias name, since we'll be having separate keys, it's a different alias for each service, so we can't put it in our global profile.
Right, it's more of an additional safety mechanism. We didn't see that there was any reason for a particular service to have the ability to decrypt the secrets of any other service (even though we're already limiting which ones it can get through SSM). It just seemed like an unnecessarily large scope for a service's permission.
Any additional thoughts on this? I'd love to submit a PR, but only if you guys think it makes sense?
Having separate KMS keys is a pretty hard requirement for us, and we really want to make it as easy as possible to write secrets (i.e. as few environment variables necessary as possible).
This can be easily done via IAM policies and a parameter prefix.
Doing it at the KMS level is overkill in my opinion.
I posted an example in #45 (comment).
On the flip side of this, I'd appreciate a way to not use a customer-managed key at all, and instead just use the default AWS-managed key. There are relatively few reasons to use customer-managed keys if you grant `kms:Decrypt` permissions sparingly, i.e. with a condition on the `PARAMETER_ARN` encryption context key.
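The two comments above argue for one shared key scoped by IAM rather than a key per service: SSM reads limited to the service's parameter prefix, and `kms:Decrypt` limited by a condition on the `PARAMETER_ARN` encryption context that Parameter Store attaches when it calls KMS for a SecureString. The following is an added example, not code from the chamber project or from any commenter, that builds such a policy for one service and runs a tiny policy evaluator over it to show which parameter ARNs it can and cannot decrypt. The account ID, region, key ARN, service names and the evaluator are constructed for illustration; the evaluator models only `Allow` statements and `StringLike` conditions, not full IAM semantics (no `Deny`, no key policies, no other operators). It assumes chamber's default layout of `/<service>/<key>` parameters.

```python
import fnmatch
import json

# Constructed, assumed values for the example; substitute your own account and key.
REGION = "us-west-2"
ACCOUNT = "123456789012"
# For the AWS-managed key suggested above this would be the ARN behind alias/aws/ssm.
KMS_KEY_ARN = f"arn:aws:kms:{REGION}:{ACCOUNT}:key/11111111-2222-3333-4444-555555555555"


def parameter_arn(service: str, key: str) -> str:
    """ARN of the SSM parameter chamber writes for <service>/<key>."""
    return f"arn:aws:ssm:{REGION}:{ACCOUNT}:parameter/{service}/{key}"


def service_policy(service: str) -> dict:
    """Identity policy for one service's role: SSM reads limited to the service's
    path prefix, and kms:Decrypt limited by the PARAMETER_ARN encryption context
    that Parameter Store supplies on every decrypt of a SecureString."""
    prefix = f"arn:aws:ssm:{REGION}:{ACCOUNT}:parameter/{service}/*"
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "ReadOwnParameters",
                "Effect": "Allow",
                "Action": ["ssm:GetParameters", "ssm:GetParametersByPath"],
                "Resource": prefix,
            },
            {
                "Sid": "DecryptOwnParametersOnly",
                "Effect": "Allow",
                "Action": "kms:Decrypt",
                "Resource": KMS_KEY_ARN,
                "Condition": {
                    "StringLike": {"kms:EncryptionContext:PARAMETER_ARN": prefix}
                },
            },
        ],
    }


# The broad form the thread warns against: the shared key with no condition, so a
# role holding this can decrypt any service's secrets it manages to fetch.
UNSCOPED_DECRYPT_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": "kms:Decrypt", "Resource": KMS_KEY_ARN}
    ],
}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _allowed(policy: dict, action: str, resource: str, context: dict) -> bool:
    """Minimal IAM evaluation: Allow statements and StringLike conditions only."""
    for stmt in policy["Statement"]:
        if stmt["Effect"] != "Allow" or action not in _as_list(stmt["Action"]):
            continue
        if not any(fnmatch.fnmatchcase(resource, r) for r in _as_list(stmt["Resource"])):
            continue
        conditions = stmt.get("Condition", {}).get("StringLike", {})
        # A key such as kms:EncryptionContext:PARAMETER_ARN names, in its last
        # component, the encryption-context entry being tested.
        if all(
            any(
                fnmatch.fnmatchcase(context.get(ckey.rsplit(":", 1)[1], ""), pattern)
                for pattern in _as_list(patterns)
            )
            for ckey, patterns in conditions.items()
        ):
            return True
    return False


def can_read_parameter(policy: dict, param_arn: str) -> bool:
    return _allowed(policy, "ssm:GetParameters", param_arn, {})


def can_decrypt(policy: dict, param_arn: str) -> bool:
    # Parameter Store always passes this encryption context when it calls KMS.
    return _allowed(policy, "kms:Decrypt", KMS_KEY_ARN, {"PARAMETER_ARN": param_arn})


if __name__ == "__main__":
    print(json.dumps(service_policy("billing"), indent=2))
    for svc in ("billing", "payments"):
        arn = parameter_arn(svc, "db_password")
        print(svc, can_read_parameter(service_policy("billing"), arn),
              can_decrypt(service_policy("billing"), arn))
```

With the condition in place, the `billing` role can decrypt `/billing/*` but not `/payments/*` even though both live under the same key; without it, the same key grant decrypts everything. The condition works the same way whether the key is customer-managed or the `aws/ssm` managed key, which is why the single-key setup above does not need a key per service.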
@eriksw You can use `CHAMBER_KMS_KEY_ALIAS=aws/ssm chamber …`. I'd even suggest that would be the better default.
This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions.
Out of scope I'd say.
Related Issues (20)
- Support camel-cased / snake-cased keys
- `list` and `exec` on non-existent or inaccessible services fails silently on S3 KMS backend
- Chamber exec bash function
- Add option to write the `value` from prompt if `value` is not provided
- Allow reading from and writing to plain text using secretsmanager backend
- Add ability to deploy configs from the configuration file
- CVE-2022-27664 - net/http in Go before 1.18.6 and 1.19.x before 1.19.1
- `write` allows for invalid shell variable creation
- Security Scans flagging go-complier v1.13.15
- Bug Importing UPPER_CASE_KEYs
- consider adding semantic version info in "version" subcommand
- Issues with chamber and aws sso
- CVE-2023-24538 - Go Lang 1.19.6 Critical Vulnerability
- Please add renovatebot or dependabot to keep dependencies updated
- Please consider dropping support for older golang versions like go1.15 and go1.16
- Please consider using GetParameter(s) instead of GetParametersByPath
- Logger writes to stdout, messing up output
- Chamber is not working with recommended AWS SSO config that uses sso-session
- CVE-2023-29404 - Go Lang Critical Vulnerability
- Feature request: No clobber of existing environment variables