sops-secretsmanager-cdk

sops-secretsmanager-cdk

Safely load secrets from sops into secretsmanager using the CDK

Usage

import { SopsSecretsManager } from 'sops-secretsmanager-cdk';
...
new SopsSecretsManager(this, 'StoreSecrets', {
    path: './path/to/secretsfile.yaml',
    kmsKey: myKey,  // or use kms.Key.fromKeyArn
    secretName: 'TestSecret',  // or secret: mySecret
    mappings: {
        nameInSecretsManager: {
            path: ['path', 'to', 'value', 'in', 'secretsfile'],
            // optionally pass encoding: 'json' to pass a portion of the secrets file
        },
        anotherThingInSecretsManager: {
            path: ['other', 'path'],
        },
        // etc
    },
});

Implementation

Using the CDK's custom resource mini-framework, the sops secrets file is uploaded to S3 as an asset as is, still encoded. The custom resource Lambda then decodes the secrets (in memory, never on disk) and puts them into the SecretsManager secret.

Releasing a new version

• (Almost certainly) be on latest master, with no unpublished changes
• Run npm version (patch|minor|major) as appropriate
• Run git push and git push origin TAG where TAG is the tag that npm version just created

The tag triggers a CircleCI job to publish to npm.

Changelog

1.3.0

28 February 2020

• Make kmsKey optional #14
• Rename CircleCI workflow #12
• Release documentation #11