

Restrict interaction with the secrets-manager to creating the secret
This permits the access_key for the secrets-manager to be write-only.
michaelsembwever committed Sep 30, 2024
1 parent e5823a8 commit 01bcada
Showing 1 changed file with 7 additions and 10 deletions.
17 changes: 7 additions & 10 deletions Makefile
Expand Up @@ -101,16 +101,13 @@ ifdef COLLECTOR_S3_BUCKET
@(echo "An encryption key has been generated as ${KEY_FILE_NAME}")
endif
else
$(eval SECRET_EXISTS := $(shell AWS_ACCESS_KEY_ID=${COLLECTOR_SECRETSMANAGER_KEY} AWS_SECRET_ACCESS_KEY=${COLLECTOR_SECRETSMANAGER_SECRET} aws ${AWS_ENDPOINT_URL} --region=us-west-2 secretsmanager list-secrets | grep ${KEY_FILE_NAME} | grep Name))
@if [ -z "${SECRET_EXISTS}" ]; then \
echo "Since the secret does not exist for $(subst /,-,$(ISSUE)), will generate a new one" ; \
openssl rand -base64 256 > ${KEY_FILE_NAME} ; \
echo "An encryption key has been generated as ${KEY_FILE_NAME}" ; \
echo "I will now add the key to the Secrets Manager" ; \
AWS_ACCESS_KEY_ID=${COLLECTOR_SECRETSMANAGER_KEY} AWS_SECRET_ACCESS_KEY=${COLLECTOR_SECRETSMANAGER_SECRET} aws ${AWS_ENDPOINT_URL} --region=us-west-2 secretsmanager create-secret --name ${KEY_FILE_NAME} --description "Reuben collector key" --secret-string file://${KEY_FILE_NAME} ;\
else \
echo "Secret exists in Secrets Manager with ${SECRET_EXISTS} so will fetch it." ; \
AWS_ACCESS_KEY_ID=${COLLECTOR_SECRETSMANAGER_KEY} AWS_SECRET_ACCESS_KEY=${COLLECTOR_SECRETSMANAGER_SECRET} aws ${AWS_ENDPOINT_URL} --region=us-west-2 secretsmanager get-secret-value --secret-id ${KEY_FILE_NAME} | grep SecretString | cut -d: -f2- | sed 's|^ *"|"|; s|",\o24|"|' | xargs printf > ${KEY_FILE_NAME} ;\
echo "Since the secret does not exist for $(subst /,-,$(ISSUE)), will generate a new one" ; \
openssl rand -base64 256 > ${KEY_FILE_NAME} ; \
echo "An encryption key has been generated as ${KEY_FILE_NAME}" ; \
echo "I will now add the key to the Secrets Manager" ; \
AWS_ACCESS_KEY_ID=${COLLECTOR_SECRETSMANAGER_KEY} AWS_SECRET_ACCESS_KEY=${COLLECTOR_SECRETSMANAGER_SECRET} aws ${AWS_ENDPOINT_URL} --region=us-west-2 secretsmanager create-secret --name ${KEY_FILE_NAME} --description "Reuben collector key" --secret-string file://${KEY_FILE_NAME} ;\
@if [ $? -ne 0 ]; then
echo "Failed to create-secret. Possible a collector with this issueId and secret already exists. Each collector created needs a new issueId."
fi
endif
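Review bot: The error check added after create-secret cannot work as written, because `$?` inside a Makefile recipe is expanded by make (its "newer prerequisites" automatic variable), not by the shell, so the shell never sees its own exit status; it needs to be escaped as `$$?`. The `if`/`then` line also has no trailing `\` and the preceding line ends in `;\`, so unless the file uses `.ONESHELL` the `if`, the `echo`, and the `fi` are split across separate shells and the lone `fi` is a syntax error; likewise a `@` at the start of a continued line is passed to the shell literally rather than silencing the command. A working form keeps the whole sequence as one continued shell line: `if [ $$? -ne 0 ]; then \`, `echo "Failed to create-secret. Possible a collector with this issueId and secret already exists. Each collector created needs a new issueId." >&2 ; \`, `fi`. Since the old `@if` prefix that silenced command echo was dropped, also confirm the first recipe line still starts with `@`, otherwise make prints the full command line, including `AWS_SECRET_ACCESS_KEY=${COLLECTOR_SECRETSMANAGER_SECRET}`, to build output and CI logs. The enclosing recipe begins above this hunk, so the line that now carries the `@` is not visible here.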

