Merge pull request #19 from segmentio/readme-kms

add KMS info to readme and allow configuring via env var
segmentio · Aug 22, 2017 · 0fe1f3e · 0fe1f3e
2 parents 8968828 + f3ca3ec
commit 0fe1f3e
Show file tree

Hide file tree

Showing 2 changed files with 38 additions and 4 deletions.
diff --git a/README.md b/README.md
@@ -16,6 +16,27 @@ For this reason, it is recommended that you create an alias in your shell of cho
 alias chamberprod='aws-vault exec production -- chamber'
 ```
 
+## Setting up KMS
+
+Chamber expects to find a KMS key with alias `parameter_store_key` in the account that you are writing/reading secrets.  You can follow the [AWS KMS documentation](http://docs.aws.amazon.com/kms/latest/developerguide/create-keys.html) to create your key, and [follow this guide to set up your alias](http://docs.aws.amazon.com/kms/latest/developerguide/programming-aliases.html).
+
+If you are a [Terraform](https://www.terraform.io/) user, you can create your key with the following:
+
+```HCL
+resource "aws_kms_key" "parameter_store" {
+  description             = "Parameter store kms master key"
+  deletion_window_in_days = 10
+  enable_key_rotation     = true
+}
+
+resource "aws_kms_alias" "parameter_store_alias" {
+  name          = "alias/parameter_store_key"
+  target_key_id = "${aws_kms_key.parameter_store.id}"
+}
+```
+
+If you'd like to use an alternate KMS key to encrypt your secrets, you can set the environment variable `CHAMBER_KMS_KEY_ALIAS`.
+
 ## Usage
 
 ### Writing Secrets

diff --git a/store/ssmstore.go b/store/ssmstore.go
@@ -5,6 +5,7 @@ import (
 	"os"
 	"regexp"
 	"strconv"
+	"strings"
 
 	"github.com/aws/aws-sdk-go/aws"
 	"github.com/aws/aws-sdk-go/aws/ec2metadata"
@@ -13,9 +14,9 @@ import (
 	"github.com/aws/aws-sdk-go/service/ssm/ssmiface"
 )
 
-var (
-	// KeyID is the alias for the KMS key used to encrypt/decrypt secrets
-	KeyID = "alias/parameter_store_key"
+const (
+	// DefaultKeyID is the default alias for the KMS key used to encrypt/decrypt secrets
+	DefaultKeyID = "alias/parameter_store_key"
 )
 
 // validKeyFormat is the format that is expected for key names inside parameter store
@@ -46,6 +47,18 @@ func NewSSMStore() *SSMStore {
 	}
 }
 
+func (s *SSMStore) KMSKey() string {
+	fromEnv, ok := os.LookupEnv("CHAMBER_KMS_KEY_ALIAS")
+	if !ok {
+		return DefaultKeyID
+	}
+	if !strings.HasPrefix(fromEnv, "alias/") {
+		return fmt.Sprintf("alias/%s", fromEnv)
+	}
+
+	return fromEnv
+}
+
 // Write writes a given value to a secret identified by id.  If the secret
 // already exists, then write a new version.
 func (s *SSMStore) Write(id SecretId, value string) error {
@@ -60,7 +73,7 @@ func (s *SSMStore) Write(id SecretId, value string) error {
 	}
 
 	putParameterInput := &ssm.PutParameterInput{
-		KeyId:       aws.String(KeyID),
+		KeyId:       aws.String(s.KMSKey()),
 		Name:        aws.String(idToName(id)),
 		Type:        aws.String("SecureString"),
 		Value:       aws.String(value),