Add --kms-region argument #268

Merged
merged 1 commit into from
Mar 19, 2020

mike-luminal
Contributor

@mike-luminal mike-luminal commented Feb 8, 2020

Resolves #257.

KMS Region

This PR adds a new top-level command-line argument, --kms-region.

Basic Usage

credstash --kms-region us-east-1 --region us-east-2 put secret1 secretvalue
credstash --kms-region us-east-1 --region us-east-2 putall '{"secret": "secretvalue"}'
credstash --kms-region us-east-1 --region us-east-2 get secret1
credstash --kms-region us-east-1 --region us-east-2 getall

This argument allows users to set the region from which the credstash KMS Key should be read separately from the region in which the credstash DynamoDB Table is stored. This allows credstash to be used with DynamoDB Global Tables with minimal AWS configuration.

Note that the KMS region can be specified for keys, list and delete, but is not used since KMS is not needed for those commands.

Saving the KMS Region

The KMS region can be saved by running credstash setup --save-kms-region REGION. This value is saved in ~/.credstash.

KMS Region Resolution Order

  1. --kms-region command-line argument
  2. Saved KMS region in ~/.credstash
    If the KMS region is not explicitly specified, it takes the value of region, following the normal order of precedence:
  3. --region command-line argument
  4. AWS_DEFAULT_REGION environment variable
  5. ~/.aws/config
  6. us-east-1 if no other region is specified

Library Usage

This PR adds a new keyword argument, kms_region, to getSecret, getAllSecrets, putSecret, and putSecretAutoVersion.

@mike-luminal mike-luminal added this to the 1.17.0 milestone Feb 8, 2020
@mike-luminal mike-luminal merged commit 3314bca into master Mar 19, 2020
@mike-luminal mike-luminal deleted the feature/CS-257/master-kms-region branch March 19, 2020 17:20
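
The resolution order listed in the PR description, written out as an added Python example (not credstash's own code). The names `resolve_regions` and `Resolved` are hypothetical, and the saved KMS region and the contents of `~/.aws/config` are passed in as values because the page does not show how `~/.credstash` is stored on disk. Reporting the source of each value makes it possible to check which region's KMS key a given invocation will actually use.

```python
import configparser
from typing import Mapping, NamedTuple, Optional

FALLBACK_REGION = "us-east-1"  # step 6 of the order in the PR description


class Resolved(NamedTuple):
    region: str             # region of the DynamoDB table
    region_source: str
    kms_region: str         # region the KMS key is read from
    kms_region_source: str


def _first_set(candidates):
    """Return the first (source, value) pair whose value is non-empty."""
    return next((src, val) for src, val in candidates if val)


def _aws_config_region(aws_config_text: str) -> Optional[str]:
    """Read `region` from the [default] profile of ~/.aws/config contents."""
    parser = configparser.ConfigParser()
    parser.read_string(aws_config_text)
    return parser.get("default", "region", fallback=None)


def resolve_regions(cli_region: Optional[str] = None,
                    cli_kms_region: Optional[str] = None,
                    saved_kms_region: Optional[str] = None,
                    env: Optional[Mapping[str, str]] = None,
                    aws_config_text: str = "") -> Resolved:
    env = env or {}
    # Steps 3-6: the normal precedence for `region`.
    region_source, region = _first_set([
        ("--region", cli_region),
        ("AWS_DEFAULT_REGION", env.get("AWS_DEFAULT_REGION")),
        ("~/.aws/config", _aws_config_region(aws_config_text)),
        ("fallback", FALLBACK_REGION),
    ])
    # Steps 1-2, then inherit whatever `region` resolved to.
    kms_source, kms_region = _first_set([
        ("--kms-region", cli_kms_region),
        ("~/.credstash", saved_kms_region),
        (region_source, region),
    ])
    return Resolved(region, region_source, kms_region, kms_source)


if __name__ == "__main__":
    # Constructed inputs mirroring the "Basic Usage" commands.
    print(resolve_regions(cli_region="us-east-2", cli_kms_region="us-east-1"))
```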
Successfully merging this pull request may close these issues.

Problem with CMK in AWS when DynamoDB is replicating to new region