{"id":20999798,"url":"https://github.com/dabblebox/stash","last_synced_at":"2025-05-14T23:31:16.312Z","repository":{"id":49431952,"uuid":"261159480","full_name":"dabblebox/stash","owner":"dabblebox","description":"Manage application configuration stored in cloud services.","archived":false,"fork":false,"pushed_at":"2023-02-25T02:06:20.000Z","size":2961,"stargazers_count":9,"open_issues_count":3,"forks_count":4,"subscribers_count":4,"default_branch":"master","last_synced_at":"2025-04-03T00:51:52.490Z","etag":null,"topics":["aws","cli","cloud","configs","configuration","configuration-files","configuration-management","dotenv","json","kms","parameter-store","s3","s3-bucket","s3-storage","secrets","secrets-manager","terraform","vault","yaml","yml"],"latest_commit_sha":null,"homepage":"","language":"Go","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"apache-2.0","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/dabblebox.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":"SECURITY.md","support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null}},"created_at":"2020-05-04T11:40:59.000Z","updated_at":"2024-08-20T05:20:05.000Z","dependencies_parsed_at":"2024-06-20T00:23:50.805Z","dependency_job_id":null,"html_url":"https://github.com/dabblebox/stash","commit_stats":null,"previous_names":["dabblebox/xstore"],"tags_count":5,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/dabblebox%2Fstash","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/dabblebox%2Fstash/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/dabblebox%2Fstash/releases","manifests_url":"https:/
/repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/dabblebox%2Fstash/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/dabblebox","download_url":"https://codeload.github.com/dabblebox/stash/tar.gz/refs/heads/master","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":254248147,"owners_count":22038974,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["aws","cli","cloud","configs","configuration","configuration-files","configuration-management","dotenv","json","kms","parameter-store","s3","s3-bucket","s3-storage","secrets","secrets-manager","terraform","vault","yaml","yml"],"created_at":"2024-11-19T08:08:19.420Z","updated_at":"2025-05-14T23:31:11.270Z","avatar_url":"https://github.com/dabblebox.png","language":"Go","readme":"# Stash CLI and Go Integration Library\n\nStash provides basic CLI [commands](#commands) and a Go integration [library](#application-integration) to sync, edit, get, and purge configuration files in cloud services instead of working with individual key/value pairs, unique commands, and encryption details specific to each cloud [service](#aws-supported-services). Does using *Stash* improve [security](/SECURITY.md)?\n\n![sync](gifs/sync-config.gif)\n\nStashed files are replaced locally by a `stash.yml` [file](/CATALOG.md) that can be shared and checked into source control safely. `stash.yml` remembers the cloud [service](#aws-supported-services) and file encryption details making editing, restoration, or consumption a single command. 
There are multiple [AWS methods](/AWS_METHODS.md) that can be considered when consuming configuration.\n\n![BuildNDeploy](https://github.com/dabblebox/stash/workflows/BuildNDeploy/badge.svg)\n[![GoDoc](https://godoc.org/github.com/dabblebox/stash?status.svg)](https://godoc.org/github.com/dabblebox/stash)\n\n\n## AWS Supported Services\n\nWhen stashing configuration files, a cloud service, a.k.a. stash, must be chosen. When a service supports key/value pairs, `.env` and `.json` configuration files can be parsed, stashed individually, and restored as a single file.\n\n|Service|File Types|Encryption|Granting Access|\n|-|-|-|-|\n|[AWS Secrets Manager](https://aws.amazon.com/secretsmanager/)|.env, .json, .js, .ts, .yml, .xml, .sql, .cert, id_rsa|[KMS](https://aws.amazon.com/kms/)|[Secrets](https://docs.aws.amazon.com/secretsmanager/latest/userguide/auth-and-access_identity-based-policies.html#permissions_grant-get-secret-value-to-one-secret)|\n|[AWS Parameter Store](https://docs.aws.amazon.com/systems-manager/latest/userguide/systems-manager-parameter-store.html)|.env|[KMS](https://aws.amazon.com/kms/)|[Parameters](https://docs.aws.amazon.com/systems-manager/latest/userguide/sysman-paramstore-access.html)|\n|[AWS S3 Storage](https://aws.amazon.com/s3/)|*|[KMS](https://aws.amazon.com/kms/)|[Files](https://aws.amazon.com/blogs/security/writing-iam-policies-how-to-grant-access-to-an-amazon-s3-bucket/)|\n\n## Get Started\n\n1. Install CLI\n\n```bash\n$ curl -s https://raw.githubusercontent.com/dabblebox/stash/master/install.io | sh\n```\n\n2. 
Manage Configuration\n\n```bash\n$ export AWS_REGION=us-east-1\n$ export AWS_PROFILE=user-profile-devops\n\n# sync configs\n$ stash sync config/dev/.env\n\n# edit configs\n$ stash edit -t dev\n\n# get configs\n$ stash get -t dev\n\n# generate Terraform\n$ stash get -t dev -o terraform\n```\nFor authentication, see [Specifying Credentials](https://docs.aws.amazon.com/sdk-for-go/v1/developer-guide/configuring-sdk.html#specifying-credentials) in the AWS SDK for Go documentation.\n\n## Commands\n\n\u003cdetails\u003e\n  \u003csummary\u003e$ stash sync\u003c/summary\u003e\n\n![sync](gifs/sync-config.gif)\n\nUpload and sync new or modified configuration files to a cloud service.\n\nCommand:\n```bash\nstash sync [\u003cfile_path\u003e|\u003cregex\u003e...] [flags]\n```\n\nExamples:\n```bash\n# file paths\n$ stash sync config/dev/.env config/qa/.env\n\n# regular expressions (escape \\backslashes or 'quote' expressions)\n$ stash sync .*\\\\.env$ .*\\\\.json$\n```\n\n|Flag|Short|Example|Default|Description|\n|-|-|-|-|-|\n|--file|-f| slickapp.yml |stash.yml|catalog path with file name|\n|--context|-c| slickapp |parent folder|prefix for cloud service keys|\n|--service|-s| secrets-manager, parameter-store, s3 ||cloud service|\n|--tags|-t| config,dev,app|file path and name|file reference tags|\n\n\u003c/details\u003e\n\n\u003cdetails\u003e\n  \u003csummary\u003e$ stash edit\u003c/summary\u003e\n\n![sync](gifs/edit-config.gif)\n\nDownload and open configuration inside an editor. When the file is closed after modifications, sync with the cloud service.\n\nOptionally set preferred editor. (default: `vim`)\n```bash\n$ export EDITOR=\"code\"\n```\n\nCommand:\n```bash\nstash edit [\u003cfile_path\u003e...] 
[flags]\n```\n\nExamples:\n```bash\n# browse\n$ stash edit\n\n# file paths\n$ stash edit config/dev/.env config/qa/.env\n\n# file tags\n$ stash edit -t config,dev\n```\n\n|Flag|Short|Example|Description|\n|-|-|-|-|\n|--file|-f| stash.yml|catalog path with file name|\n|--service|-s| secrets-manager, parameter-store, s3 |cloud service|\n|--tags|-t| config,dev,app|file reference tags|\n\n\u003c/details\u003e\n\n\u003cdetails\u003e\n  \u003csummary\u003e$ stash get\u003c/summary\u003e\n\n![download](gifs/get-config.gif)\n\nDownload configuration files and apply optional transformations to the config. By default, the files are sent to `stdout` allowing the config to be piped anywhere including a new file location. The files can be restored to their original folder locations using the flag, `-o file`. \n\n**IMPORTANT**: When restoring configuration for a service, make sure configuration is not printed anywhere or sent to logs via `stdout`.\n\nCommand:\n```bash\nstash get [\u003cfile_path\u003e...] [flags]\n```\n\nExamples:\n```bash\n# by file paths\n$ stash get config/dev/.env config/qa/.env \n\n# by file tags\n$ stash get -t config,dev\n\n# by cloud service\n$ stash get -s s3\n\n# restore original files\n$ stash get -o file\n\n# create new files\n$ stash get \u003e\u003e .env\n\n# apply data transformation\n$ stash get -o json \u003e\u003e .env\n\n# export environment variables\n$ eval $( stash get -t dev -o terminal-export )\n```\n\n|Flag|Short|Example|Description|\n|-|-|-|-|\n|--file|-f| stash.yml|catalog path with file name|\n|--service|-s| secrets-manager, parameter-store, s3 |cloud service|\n|--tags|-t| config,dev,app|file reference tags|\n|--output|-o| terminal-export|configuration output|\n\n#### Configuration Outputs\n\nUsing the `--output` or `-o` flag, the stashed configuration can be downloaded, transformed or replaced, and sent to `stdout`. Each service supports specific outputs and file types as charted below. 
When the output flag is omitted, the original file data is sent to `stdout`.\n\n||Secrets Manager|Parameter Store| S3 Storage| | |\n|-|-|-|-|-|-|\n|file|*|*|*|file system|original file|\n|terraform|*|*|*|file system|[terraform scripts](/TERRAFORM.md)|\n|ecs-task-inject-json|*|*|.env|stdout|AWS ECS task definition [secrets](https://docs.aws.amazon.com/AmazonECS/latest/developerguide/specifying-sensitive-data.html) / [envfile](https://docs.aws.amazon.com/AmazonECS/latest/developerguide/taskdef-envfiles.html) (JSON) (key/arn)|\n|ecs-task-inject-env|*|*|.env|stdout|AWS ECS task definition [secrets](https://docs.aws.amazon.com/AmazonECS/latest/developerguide/specifying-sensitive-data.html) / [envfile](https://docs.aws.amazon.com/AmazonECS/latest/developerguide/taskdef-envfiles.html) (ENV) (key/arn)|\n|ecs-task-env|.env|.env|.env|stdout|AWS ECS task definition [environment](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-ecs-taskdefinition-containerdefinitions.html#cfn-ecs-taskdefinition-containerdefinition-environment) (JSON) (key/value)|\n|json|.env|.env|.env|stdout|JSON object|\n|terminal-export-literal|.env|.env|.env|stdout|prepend \"export \" to each key/value pair (single quotes)|\n|terminal-export|.env|.env|.env|stdout|prepend \"export \" to each key/value pair (double quotes)|\n\n\u003c/details\u003e\n\n\u003cdetails\u003e\n  \u003csummary\u003e$ stash purge\u003c/summary\u003e\n\n![purge](gifs/purge-config.gif)\n\nPurge permanently deletes files stashed in a cloud service.\n\nCommand:\n```bash\nstash purge [\u003cfile_path\u003e...] 
[flags]\n```\n\nExamples:\n```bash\n# by file names\n$ stash purge config/dev/.env config/qa/.env \n\n# by file tags\n$ stash purge -t config,dev\n\n# by cloud service\n$ stash purge -s s3\n```\n\n|Flag|Short|Example|Description|\n|-|-|-|-|\n|--file|-f| stash.yml|catalog path with file name|\n|--service|-s| secrets-manager, parameter-store, s3 |cloud service|\n|--tags|-t| config,dev,app|file reference tags|\n|--warn|-s|false|skips warning prompts|\n\n\u003c/details\u003e\n\n\u003cdetails\u003e\n  \u003csummary\u003e$ stash clean\u003c/summary\u003e\n\n![clean](gifs/clean-config.gif)\n\nClean deletes tracked local files to avoid secrets remaining on developer machines.\n\nCommand:\n```bash\nstash clean [\u003cfile_path\u003e...] [flags]\n```\n\nExamples:\n```bash\n# by file names\n$ stash clean config/dev/.env config/qa/.env \n\n# by file tags\n$ stash clean -t config,dev\n\n# by cloud service\n$ stash clean -s s3\n```\n\n|Flag|Short|Example|Description|\n|-|-|-|-|\n|--file|-f| stash.yml|catalog path with file name|\n|--service|-s| secrets-manager, parameter-store, s3 |cloud service|\n|--tags|-t| config,dev,app|file reference tags|\n\n\u003c/details\u003e\n\n\u003cdetails\u003e\n  \u003csummary\u003e$ stash list\u003c/summary\u003e\n\n![list](gifs/list-config.gif)\n\nList displays tracked files, tags, and cloud service keys.\n\nCommand:\n```bash\nstash list [\u003cfile_path\u003e...] 
[flags]\n```\n\nExamples:\n```bash\n# all\n$ stash list\n\n# by file names\n$ stash list config/dev/.env config/qa/.env \n\n# by file tags\n$ stash list -t config,dev\n\n# by cloud service\n$ stash list -s s3\n```\n\n|Flag|Short|Example|Description|\n|-|-|-|-|\n|--file|-f| stash.yml|catalog path with file name|\n|--service|-s| secrets-manager, parameter-store, s3 |cloud service|\n|--tags|-t| config,dev,app|file reference tags|\n\n\u003c/details\u003e\n\n\u003cdetails\u003e\n  \u003csummary\u003e$ stash tag\u003c/summary\u003e\n\n![tag](gifs/tag-config.gif)\n\nTags identify or group stashed files in the `stash.yml` catalog allowing actions to be performed against file groups.\n\nCommand:\n```bash\nstash tag [\u003cfile_path\u003e...] [flags]\n```\n\nExamples:\n```bash\n# overwrite tags\n$ stash tag config/dev/.env config/qa/.env -t app,non-prod\n\n# add tag\n$ stash tag -a non-prod\n\n# delete tag\n$ stash tag -d config\n\n# add tag by tags\n$ stash tag -t non-prod -a config\n\n# add tag by service\n$ stash tag -s s3 -a config\n```\n\n|Flag|Short|Example|Description|\n|-|-|-|-|\n|--file|-f| stash.yml|catalog path with file name|\n|--service|-s| secrets-manager, parameter-store, s3 |cloud service|\n|--tags|-t| config,dev,app|file reference tags|\n|--add|-a|app,non-prod|add tags|\n|--delete|-d|app,non-prod|delete tags|\n\n\u003c/details\u003e\n\n\u003cdetails\u003e\n  \u003csummary\u003e$ stash inject\u003c/summary\u003e\n\nAfter updating Secrets Manager or Parameter Store through `$ stash sync` or manually in the AWS Console, the stashed values can be injected into a configuration file locally or in a running container.\n\nAdd tokens to any configuration file using `${SECRET_NAME::SECRET_KEY}` for Secrets Manager or `${PARAM_PATH::PARAM_NAME}` for Parameter Store.\n\nExample `config.json`\n```json\n{\n  \"db_user\": \"${app/dev/db::user}\",\n  \"db_password\": \"${app/dev/db::password}\"\n}\n```\n\nInject secrets from the specified stash, `-s secrets-manager`, into 
the configuration file, `config.json`. The `inject` command does not require a `stash.yml` catalog file.\n\nCommand:\n```bash\nstash inject [\u003cfile_path\u003e...] [flags]\n```\n\nExamples:\n```bash\n$ stash inject config.json -s secrets-manager\n```\n\n|Flag|Short|Example|Description|\n|-|-|-|-|\n|--service|-s| secrets-manager, parameter-store, s3 |cloud service|\n|--output|-o| terminal-export|file output format|\n\n\u003c/details\u003e\n\n## Environment Variables\n\n\u003cdetails\u003e\n  \u003csummary\u003eOverride Catalog Fields\u003c/summary\u003e\n\nAny field in `stash.yml` can be overridden when exported before using `$ stash get`. (use \"`_`\" to access children)\n\nS3 Bucket Example\n```yaml\nfiles:\n  sample_dev__env:\n    path: sample/dev/.env\n    type: env\n    stash: s3\n    opt:\n      s3_bucket: configs\n```\n```bash\n$ export STASH_FILES_SAMPLE_DEV__ENV_OPT_S3_BUCKET=new-configs\n```\n\n\u003c/details\u003e\n\n\u003cdetails\u003e\n  \u003csummary\u003eTemplate Catalog Files\u003c/summary\u003e\n\nAdditional template files can be added to the catalog to allow environment variable expansion when getting configuration for an application. 
This is useful when the `stash.yml` file cannot be aware of all application environments during the artifact/image build step.\n\n```bash\n$ export ENV=dev\n$ export VERSION=v1.0.0\n```\n\n```yaml\nfiles:\n  template:\n    path: sample/${VERSION}/${ENV}/.env\n    type: env\n    stash: s3\n    tags:\n    - config\n```\n\n```bash\n$ stash get -t config\n```\n\n\u003c/details\u003e\n\n\u003cdetails\u003e\n  \u003csummary\u003eSet Defaults / Override Prompts\u003c/summary\u003e\n\nWhen syncing files, setting environment variables will override prompts.\n\n|Variable|Default|Description|\n|-|-|-|\n|`STASH_CATALOG`| `stash.yml` |name of the catalog file|\n|`STASH_CONTEXT`| working directory |prefix for cloud keys|\n|`STASH_KMS_KEY_ID`| Default Account Key |KMS Key ID or Default Account Key|\n|`STASH_S3_BUCKET`| |S3 bucket name|\n|`STASH_SERVICE`| prompt user |cloud service|\n|`STASH_WARN`| `true` |confirm purge|\n\n\u003c/details\u003e\n\n## Application Integration\n\n\u003cdetails\u003e\n  \u003csummary\u003eGet Config\u003c/summary\u003e\n\n```go\npackage main\n\nimport (\n\t\"log\"\n\n\t\"github.com/dabblebox/stash\"\n)\n\nfunc main() {\n\t// Load the stashed configuration as a key/value map.\n\tconfig, err := stash.GetMap(stash.GetOptions{})\n\tif err != nil {\n\t\tlog.Fatal(err)\n\t}\n\n\t// Demo only: values may be secrets, so do not log them in a real service.\n\tfor k, v := range config {\n\t\tlog.Printf(\"%s=%s\\n\", k, v)\n\t}\n}\n```\n\n\u003c/details\u003e\n\n\u003cdetails\u003e\n  \u003csummary\u003eInject Config\u003c/summary\u003e\n\n```go\npackage main\n\nimport (\n\t\"log\"\n\n\t\"github.com/dabblebox/stash\"\n)\n\nfunc main() {\n\t// Replace the ${...} tokens in config.json with stashed values.\n\tfiles, err := stash.Inject(stash.InjectOptions{\n\t\tFiles: []string{\"config.json\"},\n\t})\n\tif err != nil {\n\t\tlog.Fatal(err)\n\t}\n\n\t// Demo only: the injected data contains secrets.\n\tfor _, f := range files {\n\t\tlog.Printf(\"%s\\n\", 
string(f.Data))\n\t}\n}\n```\n\u003c/details\u003e\n","funding_links":[],"categories":[],"sub_categories":[],"project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fdabblebox%2Fstash","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fdabblebox%2Fstash","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fdabblebox%2Fstash/lists"}