serverless-crypt
creation of .serverless-secret.json file according to environment like dev, stage, prod
Hi,
By default, values are encrypted and saved in the .serverless-secret.json file. Is there any way we can have files like [.serverless-secret_dev.json, .serverless-secret_prod.json, .serverless-secret_stage.json] to save the encrypted values according to environment, or can we directly save values into the .yml file? Please check this once; this is actually our requirement.
Thanks, Firoj Shaik
IMO, this would best be implemented as a secretsFile option, and then if you want per-stage files you can do secretsFile: .serverless-secret-${opt:stage, self:provider.stage}.json
@dschep, thanks for the quick response. I was running the following command: serverless encrypt -n ACCESSKEY32 -t "sjkdhjksd-asj-sdds1" --save, so values are being encrypted and added to .serverless-secret.json by default. If I want to add the values into serverless-secret-stage.json / serverless-secret-prod.json, what is the way and what command do I have to run? Please advise on this.
Thanks, Firoj Shaik
Sorry, that was a suggestion of how we might implement it. The option doesn't currently exist. If you don't mind extra secrets in your file, the workaround I'd suggest now is this:
- run:
  sls encrypt -n ACCESS_KEY_PROD -t supersecret --save
- add this to the serverless.yml provider section:
  environment:
    STAGE: ${opt:stage, self:provider.stage}
- in your code, access the secret with:
  slscrypt.get(`ACCESS_KEY_${process.env.STAGE.toUpperCase()}`);
Hi, here we are passing a single key for encryption as follows (sls encrypt -n ACCESS_KEY_PROD -t supersecret --save), but if we want to pass a set of keys in a single command, e.g. if I have 15 secret keys in my project, rather than running the sls encrypt command 15 times, can we pass a JSON which has a list of keys which will be encrypted through the sls encrypt command? Do we have any process for this? Please advise me.
not sure, I don't have time really and am thinking of migrating to SSM Parameter Store for secrets anyway. @marcy-terui might tho.
@firojasha Thank you for your suggestion.
This plugin currently supports only simpler use cases, so it is difficult to solve your problem right now.
But I think it is valuable to solve your problem with this plugin. What enhancement do you need? Please tell me specifically.
@marcy-terui, as a security concern, can we restrict "serverless decrypt -n $SECRET_NAME"? This command shows the actual value of the encrypted secret key, so anyone can run this command and see the actual value of the encrypted secret key. I even tried to amend the IAM policy of the KMS key in the AWS Console to restrict decryption, but I found that the serverless decrypt -n $SECRET_NAME command is not taking the KMS key for decryption. Please check this case and let us know what could be done to achieve it.
Regards, Firoj Shaik
I don't think that is important.
I think this plugin helps to "save" confidential information. If you want to apply security to all layers other than "save", I recommend another security-specific product, such as "HashiCorp Vault".
I would like to implement a function to change the filename saved for each stage. However, if you think that another issue is important, please send a pull request.