aws-secrets-github-sync
Advanced tools
Update GitHub repository secrets from an AWS SecretsManager secret
Updates GitHub secrets from AWS Secrets Manager.
Beta: This project is under active development and is not recommended to use in production environments.
This utility reads a secret from AWS Secrets Manager and stores the keys from this secret to GitHub repository secrets.
It is useful to maintain a set of keys across multiple repositories, handle rotation, etc.
This tool is published as an npm module, so it can be either installed locally or globally via:
npm i -g aws-secrets-github-sync
Or any other npm package manager such as yarn, pnpm, etc.
Use the AWS CLI or AWS Console to create a secret in AWS Secrets Manager that includes keys that map to GitHub secret names.
For example, say our AWS Secrets Manager secret looks like this:
{
"NPM_TOKEN": "<my npm token>",
"FOOBAR": "<some other secret>"
}
Now that you have a secret in AWS Secrets Manager, you can use this tool to read it and store it in your GitHub repository.
This can be either done via a config file or via the command line.
aws-secrets-github-sync -s SECRET [OPTIONS]
Options:
--help Show help-s, --secret - The secret ID or ARN of the AWS Secrets Manager secret-k, --keys (array) - The set of keys to update. Can be invoked multiple
times (e.g. -k NPM_TOKEN -k FOOBAR). If not specified, all keys from the
secret will be stored in the repository.--prune - Will delete any secret keys from the repository that are not in
AWS Secrets Manager (and not specified in --keep). If this is not set, old
keys will be retained.--keep - Keys to keep instead of pruning (can appear multiple times).--yes - Don't ask for user confirmation before the update.-r, --repo - The GitHub full repository name (e.g.
cdklabs/aws-secrets-github-sync). If this is not specified, we will try to resolve the
repo from the current git settings.-R, --region - The AWS region to read the secret from. If this is not
specified, AWS_REGION will be used. If the secret is an ARN, we will resolve
the region from the ARN.--profile - specify AWS credentials profile to use.You can also specify all options via a configuration file. Here's an example
secrets.json:
{
"secret": "publishing-secrets",
"region": "us-east-1",
"prune": true,
"keys": [
"NPM_TOKEN",
"PROJEN_GITHUB_TOKEN"
],
}
And then, execute:
aws-secrets-github-sync -C secrets.json
All AWS Secrets Manager activity is recorded in AWS
CloudTrail.
Requests from aws-secrets-github-sync are tagged with a user-agent of
aws-secrets-github-sync/$version so it is possible to find them as needed.
See our Contribution Guide for more information.
See Security Issue Notification for more information.
This project is licensed under the Apache-2.0 License.
FAQs
Update GitHub repository secrets from an AWS SecretsManager secret
The npm package aws-secrets-github-sync receives a total of 214 weekly downloads. As such, aws-secrets-github-sync popularity was classified as not popular.
We found that aws-secrets-github-sync demonstrated a healthy version release cadence and project activity because the last version was released less than a year ago. It has 0 open source maintainers collaborating on the project.
Did you know?
Socket for GitHub automatically highlights issues in each pull request and monitors the health of all your open source dependencies. Discover the contents of your packages and block harmful activity before you install or update your dependencies.
Research
Security News
Malicious npm package postcss-optimizer delivers BeaverTail malware, targeting developer systems; similarities to past campaigns suggest a North Korean connection.
Security News
CISA's KEV data is now on GitHub, offering easier access, API integration, commit history tracking, and automated updates for security teams and researchers.
Security News
Opengrep forks Semgrep to preserve open source SAST in response to controversial licensing changes.