{"id":13995957,"url":"https://github.com/cdklabs/aws-secrets-github-sync","last_synced_at":"2025-12-30T09:27:18.582Z","repository":{"id":40551564,"uuid":"403250046","full_name":"cdklabs/aws-secrets-github-sync","owner":"cdklabs","description":"Sync GitHub repository secrets from AWS Secrets Manager","archived":false,"fork":false,"pushed_at":"2025-07-16T14:54:28.000Z","size":3103,"stargazers_count":23,"open_issues_count":2,"forks_count":1,"subscribers_count":17,"default_branch":"main","last_synced_at":"2025-07-16T21:08:47.583Z","etag":null,"topics":[],"latest_commit_sha":null,"homepage":"","language":"TypeScript","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"apache-2.0","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/cdklabs.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":"CONTRIBUTING.md","funding":null,"license":"LICENSE","code_of_conduct":"CODE_OF_CONDUCT.md","threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null,"zenodo":null}},"created_at":"2021-09-05T08:04:11.000Z","updated_at":"2025-07-16T14:54:30.000Z","dependencies_parsed_at":"2024-02-05T19:32:45.865Z","dependency_job_id":"c187e013-ea3a-45eb-a843-f90dcc2f451c","html_url":"https://github.com/cdklabs/aws-secrets-github-sync","commit_stats":{"total_commits":127,"total_committers":7,"mean_commits":"18.142857142857142","dds":"0.19685039370078738","last_synced_commit":"e2451bf7239028e7f7e81619c50efc56b4e2b885"},"previous_names":[],"tags_count":411,"template":false,"template_full_name":null,"purl":"pkg:github/cdklabs/aws-secrets-github-sync","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/cdklabs%2Faws-secrets-github-sync","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/cdklabs%2Faws-secrets-github-sync/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/cdklabs%2Faws-secrets-github-sync/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/cdklabs%2Faws-secrets-github-sync/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/cdklabs","download_url":"https://codeload.github.com/cdklabs/aws-secrets-github-sync/tar.gz/refs/heads/main","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/cdklabs%2Faws-secrets-github-sync/sbom","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":266586030,"owners_count":23952169,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","status":"online","status_checked_at":"2025-07-22T02:00:09.085Z","response_time":66,"last_error":null,"robots_txt_status":null,"robots_txt_updated_at":null,"robots_txt_url":"https://github.com/robots.txt","online":true,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":[],"created_at":"2024-08-09T14:03:41.890Z","updated_at":"2025-12-30T09:27:18.576Z","avatar_url":"https://github.com/cdklabs.png","language":"TypeScript","funding_links":[],"categories":["TypeScript"],"sub_categories":[],"readme":"# aws-secrets-github-sync\n\n\u003e Updates GitHub secrets from AWS Secrets Manager.\n\n---\n\n\u003e **Beta**: This project is under active development and is not recommended to\n\u003e use in production environments.\n\nThis utility reads a secret from AWS Secrets Manager and stores the keys from\nthis secret to GitHub repository secrets.\n\nIt is useful to maintain a set of keys across multiple repositories, handle\nrotation, etc.\n\n## Install\n\nThis tool is published as an npm module, so it can be either installed locally\nor globally via:\n\n```shell\nnpm i -g aws-secrets-github-sync\n```\n\nOr any other npm package manager such as yarn, pnpm, etc.\n\n## Prerequisites\n\n* GitHub CLI, logged into your account.\n* AWS credentials configured in your environment\n\n## Usage\n\n### Store your secret in AWS Secrets Manager\n\nUse the AWS CLI or AWS Console to create a secret in AWS Secrets Manager that\nincludes keys that map to GitHub secret names.\n\nFor example, say our AWS Secrets Manager secret looks like this:\n\n```json\n{\n  \"NPM_TOKEN\": \"\u003cmy npm token\u003e\",\n  \"FOOBAR\": \"\u003csome other secret\u003e\"\n}\n```\n\n## Updating Secrets\n\nNow that you have a secret in AWS Secrets Manager, you can use this tool to read\nit and store it in your GitHub repository.\n\nThis can be either done via a config file or via the command line.\n\n```shell\naws-secrets-github-sync -s SECRET [OPTIONS]\n```\n\nOptions:\n\n* `--help` Show help\n* `-s`, `--secret` - The secret ID or ARN of the AWS Secrets Manager secret\n* `-k`, `--keys` (array) - The set of keys to update. Can be invoked multiple\n  times (e.g. `-k NPM_TOKEN -k FOOBAR`). If not specified, all keys from the\n  secret will be stored in the repository.\n* `--prune` - Will delete any secret keys from the repository that are not in\n  AWS Secrets Manager (and not specified in `--keep`). If this is not set, old\n  keys will be retained.\n* `--keep` - Keys to keep instead of pruning (can appear multiple times).\n* `--yes` - Don't ask for user confirmation before the update.\n* `-r`, `--repo` - The GitHub full repository name (e.g.\n  `cdklabs/aws-secrets-github-sync`). If this is not specified, we will try to resolve the\n  repo from the current git settings.\n* `-e`, `--environment` - GitHub environment name to sync secrets to. If specified,\n  secrets will be synced to environment secrets instead of repository secrets.\n* `-R`, `--region` - The AWS region to read the secret from. If this is not\n  specified, `AWS_REGION` will be used. If the secret is an ARN, we will resolve\n  the region from the ARN.\n* `--profile` - specify AWS credentials profile to use.\n\nYou can also specify all options via a configuration file. Here's an example\n`secrets.json`:\n\n```json\n{\n  \"secret\": \"publishing-secrets\",\n  \"environment\": \"production\",\n  \"region\": \"us-east-1\",\n  \"prune\": true,\n  \"keys\": [\n    \"NPM_TOKEN\",\n    \"PROJEN_GITHUB_TOKEN\"\n  ]\n}\n```\n\nAnd then, execute:\n\n```shell\naws-secrets-github-sync -C secrets.json\n```\n\n### Environment Secrets\n\nTo sync secrets to a GitHub environment instead of repository secrets, use the\n`--environment` (or `-e`) option:\n\n```shell\naws-secrets-github-sync -s SECRET -e production --all\n```\n\nThis will sync all keys from the AWS Secrets Manager secret to the \"production\"\nenvironment secrets in your GitHub repository.\n\n## Auditing\n\nAll AWS Secrets Manager activity is [recorded in AWS\nCloudTrail](https://docs.aws.amazon.com/secretsmanager/latest/userguide/monitoring.html).\nRequests from aws-secrets-github-sync are tagged with a user-agent of\n`aws-secrets-github-sync/$version` so it is possible to find them as needed.\n\n## Contributing\n\nSee our [Contribution Guide](CONTRIBUTING.md) for more information.\n\n## Security\n\nSee [Security Issue Notification](CONTRIBUTING.md#security-issue-notifications) for more information.\n\n## License\n\nThis project is licensed under the Apache-2.0 License.\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fcdklabs%2Faws-secrets-github-sync","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fcdklabs%2Faws-secrets-github-sync","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fcdklabs%2Faws-secrets-github-sync/lists"}