path: root/python-nitor-vault.spec
blob: 4ade9848e1f052984442e8373d93d64b3f5c64a6 (plain)
%global _empty_manifest_terminate_build 0
Name:		python-nitor-vault
Version:	0.54
Release:	1
Summary:	Vault for storing locally encrypted data in S3 using KMS keys
License:	Apache 2.0
URL:		http://github.com/NitorCreations/vault
Source0:	https://mirrors.aliyun.com/pypi/web/packages/9a/0b/c9a322ab546d325ad80c154c890178ffe2650637c6c66a8f9ed504ffc2d3/nitor-vault-0.54.tar.gz
BuildArch:	noarch

Requires:	python3-argcomplete
Requires:	python3-cryptography
Requires:	python3-future
Requires:	python3-requests
Requires:	python3-threadlocal-aws
Requires:	python3-pypiwin32
Requires:	python3-win-unicode-console
Requires:	python3-wmi

%description
Command line tools and libraries for encrypting keys and values using client-side encryption with AWS KMS keys.
# Installation
The easiest way to install is the Python package from PyPI:
```
pip install nitor-vault
```
JavaScript and Java versions are available from npm and Maven Central respectively; which one to install depends on your needs.
# Example usage
Initialize the vault bucket and other infrastructure: `vault --init`. This creates a CloudFormation stack.
Encrypt a file and store it in the vault bucket: `vault -s my-key -f <file>`
Decrypt a file: `vault -l <file>`
Encrypt a single value and store it in the vault bucket: `vault -s my-key -v my-value`
Decrypt a single value: `vault -l my-key`
## Using encrypted CloudFormation stack parameters
Encrypt a value like this: `$ vault -e 'My secret value'`
The command above prints the base64-encoded ciphertext of the value, encrypted with your vault KMS key. Use that value in a CloudFormation parameter. Only principals allowed to call `kms:Decrypt` with that key can recover the plaintext, so the ciphertext is safe to commit into version control (exactly as safe as the key policy that guards the key), and you can use it in scripts like this:
```
#!/bin/bash
# Fail the script instead of continuing with an empty secret if decryption fails
set -euo pipefail
MY_ENCRYPTED_SECRET="AQICAHhu3HREZVp0YXWZLoAceH1Nr2ZTXoNZZKTriJY71pQOjAHKtG5uYCdJOKYy9dhMEX03AAAAbTBrBgkqhkiG9w0BBwagXjBcAgEAMFcGCSqGSIb3DQEHATAeBglghkgBZQMEAS4wEQQMYy/tKGJFDQP6f9m1AgEQgCq1E1q8I+btMUdwRK8wYFNyE/5ntICNM96VPDnYbeTgcHzLoCx+HM1cGvc"
# vault -y decrypts a raw KMS ciphertext produced by vault -e
UNENCRYPTED_SECRET="$(vault -y "$MY_ENCRYPTED_SECRET")"
```
Whatever runs `vault` needs permission to decrypt with the vault KMS key, for example by attaching the decryptPolicy managed policy from the vault CloudFormation stack to the IAM role of the EC2 instance (or whatever else) that runs the code.
To decrypt the parameter value at stack creation or update time, use a custom resource:
```
Parameters:
  MySecret:
    Type: String
    Description: Param value encrypted with KMS
Resources:
  DecryptSecret:
    Type: "Custom::VaultDecrypt"
    Properties:
      ServiceToken: "arn:aws:lambda:<region>:<account-id>:function:vault-decrypter"
      Ciphertext: { "Ref": "MySecret" }
  DatabaseWithSecretAsPassword:
    Type: "AWS::RDS::DBInstance"
    Properties:
      MasterUserPassword:
        Fn::Sub: ${DecryptSecret.Plaintext}
```
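As an added illustration of what the `vault-decrypter` function behind `Custom::VaultDecrypt` has to do (this is not the nitor-vault project's own Lambda, whose source is not on this page), the handler below implements the CloudFormation custom resource contract for the template above: it decrypts the `Ciphertext` property, returns the plaintext under `Data.Plaintext` with `NoEcho` set so it does not surface in stack events, answers `Delete` without touching KMS, and reports any failure as `FAILED` so the stack rolls back instead of waiting for the callback until it times out. The function names are hypothetical; the KMS call and the PUT to `ResponseURL` are injectable so the handler can be exercised offline, and the defaults assume boto3 is available in the Lambda runtime.

```python
import base64
import json
import urllib.request


def kms_decrypt_default(ciphertext_b64):
    """Default decrypt: KMS Decrypt via boto3 (assumed to exist in the Lambda runtime)."""
    import boto3  # imported lazily so the module loads where boto3 is absent
    blob = base64.b64decode(ciphertext_b64)
    resp = boto3.client("kms").decrypt(CiphertextBlob=blob)
    return resp["Plaintext"].decode("utf-8")


def put_response_default(url, body):
    """Default sender: the pre-signed S3 PUT that the custom resource protocol expects."""
    req = urllib.request.Request(url, data=body, method="PUT",
                                 headers={"Content-Type": ""})
    with urllib.request.urlopen(req) as r:
        return r.status


def build_response(event, status, reason, data=None):
    """Assemble the response document CloudFormation reads from ResponseURL."""
    return {
        "Status": status,
        "Reason": reason,
        # Keep the physical id stable across Update so CloudFormation does not
        # treat every update as a replacement of the resource.
        "PhysicalResourceId": event.get("PhysicalResourceId")
        or "vault-decrypt-" + event["LogicalResourceId"],
        "StackId": event["StackId"],
        "RequestId": event["RequestId"],
        "LogicalResourceId": event["LogicalResourceId"],
        # NoEcho keeps Data (the plaintext) out of the console and stack events.
        "NoEcho": True,
        "Data": data or {},
    }


def handle(event, decrypt=kms_decrypt_default, send=put_response_default):
    """Lambda entry point for a Custom::VaultDecrypt resource (hypothetical name)."""
    try:
        if event["RequestType"] == "Delete":
            # Nothing to tear down, but a SUCCESS callback is still mandatory;
            # without it the stack deletion hangs until the custom resource times out.
            response = build_response(event, "SUCCESS", "Nothing to delete")
        else:
            props = event.get("ResourceProperties", {})
            ciphertext = props.get("Ciphertext")
            if not isinstance(ciphertext, str) or not ciphertext:
                raise ValueError("Ciphertext property is required")
            # Reject malformed input before spending a KMS call on it.
            base64.b64decode(ciphertext, validate=True)
            plaintext = decrypt(ciphertext)
            response = build_response(event, "SUCCESS", "Decrypted",
                                      {"Plaintext": plaintext})
    except Exception as exc:
        # Every failure must be reported as FAILED or CloudFormation waits for the
        # callback. Reason is visible in stack events, so include only the error
        # type, never the plaintext or a raw exception message.
        response = build_response(event, "FAILED",
                                  type(exc).__name__ + ": decrypt failed")
    send(event["ResponseURL"], json.dumps(response).encode("utf-8"))
    return response
```

The `Delete` branch matters in practice: a handler that only handles `Create` and `Update` leaves stacks that cannot be deleted without manual intervention.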
# Licence
[Apache 2.0](https://www.apache.org/licenses/LICENSE-2.0)

%package -n python3-nitor-vault
Summary:	Vault for storing locally encrypted data in S3 using KMS keys
Provides:	python-nitor-vault
BuildRequires:	python3-devel
BuildRequires:	python3-setuptools
BuildRequires:	python3-pip
%description -n python3-nitor-vault
Command line tools and libraries for encrypting keys and values using client-side encryption with AWS KMS keys.
# Installation
The easiest way to install is the Python package from PyPI:
```
pip install nitor-vault
```
JavaScript and Java versions are available from npm and Maven Central respectively; which one to install depends on your needs.
# Example usage
Initialize the vault bucket and other infrastructure: `vault --init`. This creates a CloudFormation stack.
Encrypt a file and store it in the vault bucket: `vault -s my-key -f <file>`
Decrypt a file: `vault -l <file>`
Encrypt a single value and store it in the vault bucket: `vault -s my-key -v my-value`
Decrypt a single value: `vault -l my-key`
## Using encrypted CloudFormation stack parameters
Encrypt a value like this: `$ vault -e 'My secret value'`
The command above prints the base64-encoded ciphertext of the value, encrypted with your vault KMS key. Use that value in a CloudFormation parameter. Only principals allowed to call `kms:Decrypt` with that key can recover the plaintext, so the ciphertext is safe to commit into version control (exactly as safe as the key policy that guards the key), and you can use it in scripts like this:
```
#!/bin/bash
# Fail the script instead of continuing with an empty secret if decryption fails
set -euo pipefail
MY_ENCRYPTED_SECRET="AQICAHhu3HREZVp0YXWZLoAceH1Nr2ZTXoNZZKTriJY71pQOjAHKtG5uYCdJOKYy9dhMEX03AAAAbTBrBgkqhkiG9w0BBwagXjBcAgEAMFcGCSqGSIb3DQEHATAeBglghkgBZQMEAS4wEQQMYy/tKGJFDQP6f9m1AgEQgCq1E1q8I+btMUdwRK8wYFNyE/5ntICNM96VPDnYbeTgcHzLoCx+HM1cGvc"
# vault -y decrypts a raw KMS ciphertext produced by vault -e
UNENCRYPTED_SECRET="$(vault -y "$MY_ENCRYPTED_SECRET")"
```
Whatever runs `vault` needs permission to decrypt with the vault KMS key, for example by attaching the decryptPolicy managed policy from the vault CloudFormation stack to the IAM role of the EC2 instance (or whatever else) that runs the code.
To decrypt the parameter value at stack creation or update time, use a custom resource:
```
Parameters:
  MySecret:
    Type: String
    Description: Param value encrypted with KMS
Resources:
  DecryptSecret:
    Type: "Custom::VaultDecrypt"
    Properties:
      ServiceToken: "arn:aws:lambda:<region>:<account-id>:function:vault-decrypter"
      Ciphertext: { "Ref": "MySecret" }
  DatabaseWithSecretAsPassword:
    Type: "AWS::RDS::DBInstance"
    Properties:
      MasterUserPassword:
        Fn::Sub: ${DecryptSecret.Plaintext}
```
# Licence
[Apache 2.0](https://www.apache.org/licenses/LICENSE-2.0)

%package help
Summary:	Development documents and examples for nitor-vault
Provides:	python3-nitor-vault-doc
%description help
Command line tools and libraries for encrypting keys and values using client-side encryption with AWS KMS keys.
# Installation
The easiest way to install is the Python package from PyPI:
```
pip install nitor-vault
```
JavaScript and Java versions are available from npm and Maven Central respectively; which one to install depends on your needs.
# Example usage
Initialize the vault bucket and other infrastructure: `vault --init`. This creates a CloudFormation stack.
Encrypt a file and store it in the vault bucket: `vault -s my-key -f <file>`
Decrypt a file: `vault -l <file>`
Encrypt a single value and store it in the vault bucket: `vault -s my-key -v my-value`
Decrypt a single value: `vault -l my-key`
## Using encrypted CloudFormation stack parameters
Encrypt a value like this: `$ vault -e 'My secret value'`
The command above prints the base64-encoded ciphertext of the value, encrypted with your vault KMS key. Use that value in a CloudFormation parameter. Only principals allowed to call `kms:Decrypt` with that key can recover the plaintext, so the ciphertext is safe to commit into version control (exactly as safe as the key policy that guards the key), and you can use it in scripts like this:
```
#!/bin/bash
# Fail the script instead of continuing with an empty secret if decryption fails
set -euo pipefail
MY_ENCRYPTED_SECRET="AQICAHhu3HREZVp0YXWZLoAceH1Nr2ZTXoNZZKTriJY71pQOjAHKtG5uYCdJOKYy9dhMEX03AAAAbTBrBgkqhkiG9w0BBwagXjBcAgEAMFcGCSqGSIb3DQEHATAeBglghkgBZQMEAS4wEQQMYy/tKGJFDQP6f9m1AgEQgCq1E1q8I+btMUdwRK8wYFNyE/5ntICNM96VPDnYbeTgcHzLoCx+HM1cGvc"
# vault -y decrypts a raw KMS ciphertext produced by vault -e
UNENCRYPTED_SECRET="$(vault -y "$MY_ENCRYPTED_SECRET")"
```
Whatever runs `vault` needs permission to decrypt with the vault KMS key, for example by attaching the decryptPolicy managed policy from the vault CloudFormation stack to the IAM role of the EC2 instance (or whatever else) that runs the code.
To decrypt the parameter value at stack creation or update time, use a custom resource:
```
Parameters:
  MySecret:
    Type: String
    Description: Param value encrypted with KMS
Resources:
  DecryptSecret:
    Type: "Custom::VaultDecrypt"
    Properties:
      ServiceToken: "arn:aws:lambda:<region>:<account-id>:function:vault-decrypter"
      Ciphertext: { "Ref": "MySecret" }
  DatabaseWithSecretAsPassword:
    Type: "AWS::RDS::DBInstance"
    Properties:
      MasterUserPassword:
        Fn::Sub: ${DecryptSecret.Plaintext}
```
# Licence
[Apache 2.0](https://www.apache.org/licenses/LICENSE-2.0)

%prep
%autosetup -n nitor-vault-0.54

%build
%py3_build

%install
%py3_install
install -d -m755 %{buildroot}/%{_pkgdocdir}
if [ -d doc ]; then cp -arf doc %{buildroot}/%{_pkgdocdir}; fi
if [ -d docs ]; then cp -arf docs %{buildroot}/%{_pkgdocdir}; fi
if [ -d example ]; then cp -arf example %{buildroot}/%{_pkgdocdir}; fi
if [ -d examples ]; then cp -arf examples %{buildroot}/%{_pkgdocdir}; fi
pushd %{buildroot}
if [ -d usr/lib ]; then
	find usr/lib -type f -printf "\"/%h/%f\"\n" >> filelist.lst
fi
if [ -d usr/lib64 ]; then
	find usr/lib64 -type f -printf "\"/%h/%f\"\n" >> filelist.lst
fi
if [ -d usr/bin ]; then
	find usr/bin -type f -printf "\"/%h/%f\"\n" >> filelist.lst
fi
if [ -d usr/sbin ]; then
	find usr/sbin -type f -printf "\"/%h/%f\"\n" >> filelist.lst
fi
touch doclist.lst
if [ -d usr/share/man ]; then
	find usr/share/man -type f -printf "\"/%h/%f.gz\"\n" >> doclist.lst
fi
popd
mv %{buildroot}/filelist.lst .
mv %{buildroot}/doclist.lst .

%files -n python3-nitor-vault -f filelist.lst
%dir %{python3_sitelib}/*

%files help -f doclist.lst
%{_docdir}/*

%changelog
* Fri Jun 09 2023 Python_Bot <Python_Bot@openeuler.org> - 0.54-1
- Package Spec generated