{"id":28211544,"url":"https://github.com/enfogroup/aws-secrets","last_synced_at":"2026-05-10T02:44:21.019Z","repository":{"id":38458220,"uuid":"408470996","full_name":"enfogroup/aws-secrets","owner":"enfogroup","description":"NPM package wrapper around SSM, KMS and Secrets Manager for getting parameters/secrets and caching them","archived":false,"fork":false,"pushed_at":"2023-07-10T11:54:09.000Z","size":1665,"stargazers_count":0,"open_issues_count":1,"forks_count":0,"subscribers_count":1,"default_branch":"master","last_synced_at":"2025-05-17T11:07:31.271Z","etag":null,"topics":["aws","cache","kms","npm-package","secretsmanager","ssm"],"latest_commit_sha":null,"homepage":"","language":"TypeScript","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"mit","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/enfogroup.png","metadata":{"files":{"readme":"README.MD","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null}},"created_at":"2021-09-20T14:15:08.000Z","updated_at":"2023-07-18T09:07:07.000Z","dependencies_parsed_at":"2022-08-19T18:41:12.180Z","dependency_job_id":null,"html_url":"https://github.com/enfogroup/aws-secrets","commit_stats":null,"previous_names":[],"tags_count":0,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/enfogroup%2Faws-secrets","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/enfogroup%2Faws-secrets/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/enfogroup%2Faws-secrets/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/enfogroup%2Faws-secrets/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/enfogroup","download_url":"https://codeload.github.com/enfogroup/aws-secrets/tar.gz/refs/heads/master","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/enfogroup%2Faws-secrets/sbom","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":259056008,"owners_count":22798858,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["aws","cache","kms","npm-package","secretsmanager","ssm"],"created_at":"2025-05-17T18:09:37.591Z","updated_at":"2026-05-10T02:44:15.967Z","avatar_url":"https://github.com/enfogroup.png","language":"TypeScript","funding_links":[],"categories":[],"sub_categories":[],"readme":"## Introduction\n\nThis package exposes functionality for getting data from SSM, Secrets Manager and KMS. All values can be cached for further use.\n\n## Installation\n\n```bash\nnpm install @enfo/aws-secrets --save\n```\n\nThe AWS SDK v3 clients for SSM, Secrets Manager and KMS are all peer dependencies and must be installed by you.\n\n```bash\nnpm install @aws-sdk/client-ssm @aws-sdk/client-kms @aws-sdk/client-secrets-manager --save-dev\n```\n\n## Available caches\n\nThis package exposes wrappers for three AWS secrets services: SSMCache, SecretsManagerCache and KMSCache. All three are built for retrieving and caching a value. All retrieval methods use extensions of the underlying AWS SDK method. This is the cause for the weird mismatch of camelCase and PascalCase in the request bodies. The caches have the same constructor parameters:\n\n* region - region from which the values should be retrieved\n* defaultTTL - optional default TTL to use on all requests. Defaults to 0 which means a value will be cached for as long as the node process lives\n\n## SSMCache\n\nSSMCache can retrieve and cache parameters from SSM. Parameters of type String, SecureString and StringList are supported. Three methods for getting parameters are available:\n\n* getParameter - Returns value for a specific parameter\n* getStringListParameter - Returns value for a specific StringList parameter and splits on \",\"\n* getParametersByPath - Returns parameters based on path. This method is overloaded and supports getting all parameters or responding with an AWS pagination response. The cacheKey on this method is questionable and should probably be set by the client making the request\n\nThese are the configuration options on the getParameter and getStringListParameter method:\n\n* All parameters from SSM.GetParameterRequest except WithDecryption which is set to true\n* region (optional) - region to fetch parameter from. Defaults to region set in constructor\n* ttl (optional) - ttl to use when caching the parameter. Defaults to 0 (forever) or defaultTTL if specified in the constructor\n* cacheKey (optional) - key used for caching. Default: Name\n\nThese are the configuration options on the getParametersByPath method when getting all parameters\n\n* All parameters from SSM.GetParametersByPath except MaxResults, NextToken and WithDecryption which is set to true\n* getAll - parameter indicating that all parameters should be returned. Must be set to true\n* region (optional) - region to fetch parameter from. Defaults to region set in constructor\n* ttl (optional) - ttl to use when caching the parameter. Defaults to 0 (forever) or defaultTTL if specified in the constructor\n* cacheKey (optional) - key used for caching. Default: Path\n\nThese are the configuration options on the getParametersByPath method when getting a paginated response\n\n* All parameters from SSM.GetParametersByPath except WithDecryption which is set to true\n* region (optional) - region to fetch parameter from. Defaults to region set in constructor\n* ttl (optional) - ttl to use when caching the parameter. Defaults to 0 (forever) or defaultTTL if specified in the constructor\n* cacheKey (optional) - key used for caching. Default: Path + NextToken (if present) \n\n### Examples\n\n```typescript\nimport { SSMCache } from '@enfo/aws-secrets'\n\nconst ssmCache = new SSMCache({ region: 'eu-west-1' })\n\nconst foo = async () =\u003e {\n   // retrieved and cached forever\n  const myParameter = await ssmCache.getParameter({ Name: 'my-parameter' })\n\n  // @enfo/aws-secrets handles the splitting on \",\"\n  const myListParameter = await ssmCache.getStringListParameter({ Name: 'my-list-parameter' })\n  const allPathResponse = await ssmCache.getParametersByPath({ Path: '/a', getAll: true }) // responds with a list of strings\n  const paginatedPathResponse = await ssmCache.getParametersByPath({ Path: '/b' }) // responds with a GetParametersByPathCommandOutput object\n\n  ssmCache.setDefaultTTL(10)\n   // cached for 10 seconds\n  const anotherParameter = await ssmCache.getParameter({ Name: 'my-other-parameter' })\n\n  // retrieved from 'us-east-2', cached for 20 minutes using the key 'coolKey'\n  const thirdParameter = await ssmCache.getParameter({ Name: 'third-parameter', ttl: 1200, region: 'us-east-2', cacheKey: 'coolKey'})\n\n  // no request is made to SSM since this is cached\n  await ssmCache.getParameter({ Name: 'my-parameter'})\n}\n```\n\n## SecretsManagerCache\n\nSecretsManagerCache can retrieve and cache parameters from SecretsManager. Two methods for getting secrets are available:\n\n* getSecretAsString - returns the secret value as string\n* getSecretAsJSON - returns the secret value as JSON. You can specify the interface as which the secret should be returned\n\nThese are the configuration options on the getSecretAsString and getSecretAsJSON methods:\n\n* All keys from SecretsManager.GetSecretValueRequest\n* region (optional) - region to fetch secret from. Defaults to region set in constructor\n* ttl (optional) - ttl to use when caching the secret. Defaults to 0 (forever) or defaultTTL if specified in the constructor\n* cacheKey (optional) - key used for caching. Default: SecretId\n\n### Examples\n\n```typescript\nimport { SecretsManagerCache } from '@enfo/aws-secrets'\n\nconst secretsManagerCache = new SecretsManagerCache({ region: 'eu-west-1' })\n\nconst foo = async () =\u003e {\n   // retrieved and cached forever\n  const myValue = await secretsManagerCache.getSecretAsString({ SecretId: 'my-secret' })\n\n  secretsManagerCache.setDefaultTTL(10)\n   // cached for 10 seconds\n  const anotherValue = await secretsManagerCache.getSecretAsString({ SecretId: 'my-other-secret' })\n\n  // retrieved from 'us-east-2', cached for 20 minutes using the key 'coolKey'\n  const thirdValue = await secretsManagerCache.getSecretAsString({ SecretId: 'third-secret', ttl: 1200, region: 'us-east-2', cacheKey: 'coolKey' })\n\n  // no request is made to SecretsManager since this is cached\n  await secretsManagerCache.getSecretAsString({ SecretId: 'my-secret'})\n\n  interface MyData {\n    a: number;\n    b: string;\n  }\n  const jsonValue = await secretsManagerCache.getSecretAsJSON\u003cMyData\u003e({ SecretId: 'fourth-secret' })\n}\n```\n\n## KMSCache\n\nKMSCache can decrypt and cache cipher texts. Two method are available:\n\n* decrypt - decrypts a cipher text and returns the value as string\n* decryptAsJSON - decrypts a cipher text and returns it as JSON. You can specify the interface as which the value should be returned\n\nThese are the configuration options on the decrypt and decryptAsJSON methods:\n\n* All keys from KMS.DecryptRequest\n* region (optional) - region to fetch secret from. Defaults to region set in constructor\n* ttl (optional) - ttl to use when caching the secret. Defaults to 0 (forever) or defaultTTL if specified in the constructor\n* cacheKey (optional) - key used for caching. Default: CiphertextBlob\n\n### Examples\n\nThe below examples do not use real CiphertextBlobs but just dummy values.\n\n```typescript\nimport { KMSCache } from '@enfo/aws-secrets'\n\nconst kmsCache = new KMSCache({ region: 'eu-west-1' })\n\nconst foo = async () =\u003e {\n   // retrieved and cached forever\n  const myValue = await kmsCache.decrypt({ CiphertextBlob: Buffer.from('AQIa...==', 'base64') })\n\n  kmsCache.setDefaultTTL(10)\n   // cached for 10 seconds\n  const anotherValue = await kmsCache.decrypt({ CiphertextBlob: Buffer.from('AQIb...==', 'base64') })\n\n  // retrieved from 'us-east-2', cached for 20 minutes using the key 'thirdValue'\n  const thirdValue = await kmsCache.decrypt({ Buffer.from('AQIc...==', 'base64'), ttl: 1200, region: 'us-east-2', cacheKey: 'thirdValue' })\n\n  // no request is made to KMS since this is cached from the first request\n  await kmsCache.decrypt({ CiphertextBlob: Buffer.from('AQIa...==', 'base64') })\n\n  interface MyData {\n    a: number;\n    b: string;\n  }\n  const jsonValue = await kmsCache.decryptAsJSON\u003cMyData\u003e({ CiphertextBlob: Buffer.from('AQId...==', 'base64') })\n}\n```\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fenfogroup%2Faws-secrets","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fenfogroup%2Faws-secrets","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fenfogroup%2Faws-secrets/lists"}