{ "info": { "author": "German Gomez-Herrero, FindHotel BV", "author_email": "german@findhotel.net", "bugtrack_url": null, "classifiers": [ "Programming Language :: Python :: 3" ], "description": "Custom CF resource to decrypt secrets in CF templates\n=====================================================\n\n|PyPI|\n\nA `humilis `__ plug-in\nlayer that deploys a custom Cloudformation (CF) resource that can be\nused to decrypt secrets that are embedded in CF templates.\n\n**CREDIT:** All credit goes to `Casecommons\nlambda-cfn-kms `__. This\nrepo is just the result of bundling the ``lambda-cfn-kms`` repository as\na humilis plugin.\n\nInstallation\n------------\n\n::\n\n pip install humilis-decrypt\n\nTo install the development version:\n\n::\n\n pip install git+https://github.com/humilis/humilis-decrypt\n\nDevelopment\n-----------\n\nAssuming you have\n`virtualenv `__\ninstalled:\n\n::\n\n make develop\n\nConfigure humilis:\n\n::\n\n make configure\n\nHow does it work?\n-----------------\n\nFirst create the Lambda function that backs the custom resource:\n\n::\n\n make create\n\nThe deployment will produce two artifacts:\n\n- The ID of the KMS key associated with the custom resource.\n- The ARN of the deployed Lambda function.\n\nYou can use the KMS key ID to encrypt your secrets locally, e.g.\nassuming you want to encrypt the dummy DB password ``dummy`` with key\n``3ea941bf-ee54-4941-8f77-f1dd417667cd``:\n\n::\n\n aws kms encrypt --key-id 3ea941bf-ee54-4941-8f77-f1dd417667cd --plaintext 'dummy'\n\nThe output will be something like this:\n\n::\n\n {\n \"CiphertextBlob\": \"AQICAHi2zdvZYfUQOQV8yX/HLdcIMqHHkubAYAei2Qo498KheQFDELPYHds8169cc9EqggEuAAAAZjBkBgkqhkiG9w0BBwagVzBVAgEAMFAGCSqGSIb3DQEHATAeBglghkgBZQMEAS4wEQQM+gDfP3DDVgbFYNidAgEQgCMrz1beR+s0XqWTVIuCbJ+E/cC7sqUzmPEB0weOhQ3GOE65rg==\",\n \"KeyId\": \"arn:aws:kms:eu-west-1:XXXXX:key/a86x4dd8-6b8e-41ce-aa65-4aa370d9ccbf\"\n }\n\nWhenever you want to use your secret in a CF template you would do\nsomething like this:\n\n::\n\n ---\n resources:\n DbPasswordDecrypt:\n Type: \"Custom::KMSDecrypt\"\n Properties:\n ServiceToken: \n Ciphertext: \"AQICAHi2zdvZYfUQOQV8yX/HLdcIMqHHkubAYAei2Qo498KheQFDELPYHds8169cc9EqggEuAAAAZjBkBgkqhkiG9w0BBwagVzBVAgEAMFAGCSqGSIb3DQEHATAeBglghkgBZQMEAS4wEQQM+gDfP3DDVgbFYNidAgEQgCMrz1beR+s0XqWTVIuCbJ+E/cC7sqUzmPEB0weOhQ3GOE65rg==\"\n DbInstance:\n Type: \"AWS::RDS::DBInstance\"\n Properties:\n AllocatedStorage: \"20\"\n DBInstanceClass: \"db.m1.small\"\n Engine: \"MySQL\"\n EngineVersion: \"5.5\"\n MasterUsername: \"admin\"\n MasterUserPassword:\n Fn::Sub: ${DbPasswordDecrypt.Plaintext}\n\nwhere you will need to replace ```` with the ARN of\nthe Lambda function that backs the custom CF resource that implements\nthe decryption logic.\n\nMore information\n----------------\n\nSee `humilis `__\ndocumentation.\n\nContact\n-------\n\nIf you have questions, bug reports, suggestions, etc. please create an\nissue on the `GitHub project\npage `__.\n\nLicense\n-------\n\nSee the original license in the\n`lambda-cfn-kms `__\nrepository.\n\n.. |PyPI| image:: https://img.shields.io/pypi/v/humilis-decrypt.svg?style=flat\n :target: https://pypi.python.org/pypi/humilis-decrypt\n", "description_content_type": null, "docs_url": null, "download_url": "", "downloads": { "last_day": -1, "last_month": -1, "last_week": -1 }, "home_page": "https://github.com/humilis/humilis-decrypt", "keywords": "", "license": "MIT", "maintainer": "", "maintainer_email": "", "name": "humilis-decrypt", "package_url": "https://pypi.org/project/humilis-decrypt/", "platform": "", "project_url": "https://pypi.org/project/humilis-decrypt/", "project_urls": { "Homepage": "https://github.com/humilis/humilis-decrypt" }, "release_url": "https://pypi.org/project/humilis-decrypt/0.0.2/", "requires_dist": null, "requires_python": "", "summary": "Humilis plug-in to deploy a Lambda humilis_decrypt", "version": "0.0.2" }, "last_serial": 3445046, "releases": { "0.0.1": [ { "comment_text": "", "digests": { "md5": "6593c25783b69535d46c1e71b72f166f", "sha256": "473dfd02d84721ac83cf93e4d6b7f72f39939bba6f549f109028f1769a700f51" }, "downloads": -1, "filename": "humilis-decrypt-0.0.1.tar.gz", "has_sig": false, "md5_digest": "6593c25783b69535d46c1e71b72f166f", "packagetype": "sdist", "python_version": "source", "requires_python": null, "size": 3754, "upload_time": "2017-05-23T19:55:14", "url": "https://files.pythonhosted.org/packages/8e/e8/536ec814ce9203ef442a990a47fabb6034a8d6017f1b793986e88e6b9646/humilis-decrypt-0.0.1.tar.gz" } ], "0.0.2": [ { "comment_text": "", "digests": { "md5": "0d47b570125327976e4897683cedece0", "sha256": "9a1f5bfe5072e156484b52faf9336f26be1985a940248918868980c356d5e94e" }, "downloads": -1, "filename": "humilis-decrypt-0.0.2.tar.gz", "has_sig": false, "md5_digest": "0d47b570125327976e4897683cedece0", "packagetype": "sdist", "python_version": "source", "requires_python": null, "size": 5430, "upload_time": "2017-12-27T11:33:14", "url": "https://files.pythonhosted.org/packages/fc/7e/473794a8f4bc3e7e3102e8f96b11befd249b03abb8b2b3765716e0684457/humilis-decrypt-0.0.2.tar.gz" } ] }, "urls": [ { "comment_text": "", "digests": { "md5": "0d47b570125327976e4897683cedece0", "sha256": "9a1f5bfe5072e156484b52faf9336f26be1985a940248918868980c356d5e94e" }, "downloads": -1, "filename": "humilis-decrypt-0.0.2.tar.gz", "has_sig": false, "md5_digest": "0d47b570125327976e4897683cedece0", "packagetype": "sdist", "python_version": "source", "requires_python": null, "size": 5430, "upload_time": "2017-12-27T11:33:14", "url": "https://files.pythonhosted.org/packages/fc/7e/473794a8f4bc3e7e3102e8f96b11befd249b03abb8b2b3765716e0684457/humilis-decrypt-0.0.2.tar.gz" } ] }