{"id":18866262,"url":"https://github.com/nordcloud/serverless-kms-secrets","last_synced_at":"2025-04-09T14:15:53.257Z","repository":{"id":20891135,"uuid":"91198769","full_name":"nordcloud/serverless-kms-secrets","owner":"nordcloud","description":"🔑🔐☁️ Serverless plugin to encrypt variables with KMS (DEPRECATED)","archived":false,"fork":false,"pushed_at":"2023-09-27T20:23:31.000Z","size":663,"stargazers_count":113,"open_issues_count":27,"forks_count":9,"subscribers_count":5,"default_branch":"master","last_synced_at":"2025-04-02T10:41:15.649Z","etag":null,"topics":["encrypting-variables","kms-secrets","serverless-framework","serverless-plugin"],"latest_commit_sha":null,"homepage":"","language":"JavaScript","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"mit","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/nordcloud.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null}},"created_at":"2017-05-13T19:41:45.000Z","updated_at":"2024-07-21T19:04:57.000Z","dependencies_parsed_at":"2024-06-18T20:00:29.434Z","dependency_job_id":null,"html_url":"https://github.com/nordcloud/serverless-kms-secrets","commit_stats":{"total_commits":38,"total_committers":6,"mean_commits":6.333333333333333,"dds":0.2894736842105263,"last_synced_commit":"c41f052b18b90481e9814243b95357f760020ff1"},"previous_names":[],"tags_count":0,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/nordcloud%2Fserverless-kms-secrets","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/nordcloud%2Fserverless-kms-secrets/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/nordcloud%2Fserverless-kms-secrets/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/nordcloud%2Fserverless-kms-secrets/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/nordcloud","download_url":"https://codeload.github.com/nordcloud/serverless-kms-secrets/tar.gz/refs/heads/master","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":248054194,"owners_count":21039952,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["encrypting-variables","kms-secrets","serverless-framework","serverless-plugin"],"created_at":"2024-11-08T05:06:05.321Z","updated_at":"2025-04-09T14:15:53.234Z","avatar_url":"https://github.com/nordcloud.png","language":"JavaScript","funding_links":[],"categories":[],"sub_categories":[],"readme":"# Serverless KMS Secrets (DEPRECATED)\n\nA Serverless Plugin for the [Serverless Framework](http://www.serverless.com) which\nhelps with encrypting service secrets using the AWS Key Management Service (KMS)\n\n**THIS MODULE IS  NO LONGER MAINTAINED. The best practice for managing secrets, also supported out-of-the-box by Serverless Framework, is to use the AWS SSM parameter store. See https://serverless.com/framework/docs/providers/aws/guide/variables/#reference-variables-using-the-ssm-parameter-store**\n\n## Introduction\n\nThis plugins does the following:\n\n* It provides commands to encrypt and decrypt secrets with KMS\n\n## Installation and configuration\n\nIn your service root, run:\n\n```bash\nnpm install --save-dev serverless-kms-secrets\n```\n\nAdd the plugin to `serverless.yml`:\n\n```yml\nplugins:\n  - serverless-kms-secrets\n```\n\nConfigure the plugin into the custom block in `serverless.yml`. For example:\n\n```yml\ncustom:\n  serverless-kms-secrets:\n    secretsFile: kms-secrets.${opt:stage, self:provider.stage}.${opt:region, self:provider.region}.yml (optional)\n  kmsSecrets: ${file(kms-secrets.${opt:stage, self:provider.stage}.${opt:region, self:provider.region}.yml)}\n```\n\nBy default, the plugin creates secrets to the file kms-secrets.[stage].[region].yml. This can be overriden with the secretsFile parameter in the serverless-kms-secrets configuration.\n\nAdd Decrypt permissions to your lambda function with e.g. this block in IamRoleStatements:\n\n```yml\n    - Effect: Allow\n      Action:\n      - KMS:Decrypt\n      Resource: ${self:custom.kmsSecrets.keyArn} \n```\n\n## Usage\n\n### Creating KMS Key\n\nCreate a KMS key in AWS IAM service, under Encryption keys. Collect the key id, which is the remaining part of the key ARN.\n\n### Encrypting Variables\n\nTo encrypt a variable using the key defined in the configuration, enter\n```\nsls encrypt -n VARIABLE_NAME -v myvalue [-k keyId]\n```\n\ne.g.\n\n```\nsls encrypt -n SLACK_API_TOKEN -v xoxp-1234567890-1234567890-123467890-a12346 -k 999999-9999-99999-999\n```\nThe keyid (-k) parameter is mandatory for the first encrypted variable, but optional for the later ones (will be read from the secrets file).\nThe encrypted variable is written to your secrets file (kms-secrets.[stage].[region].yml by default)\n\nYou may also pack multiple secrets into one KMS encrypted string. This simplifies consuming the secrets in the Lambda function since all secrets can be decrypted with one single KMS.Decrypt call. To encrypt multiple secrets into one single string, use the following notation:\n\n```\nsls encrypt -n VARIABLE_NAME:SECRET_NAME -v myvalue [-k keyId]\n```\n\ne.g.\n\n```\nsls encrypt -n SECRETS:SLACK_API_TOKEN -v xoxp-1234567890-1234567890-123467890-a12346 -k 999999-9999-99999-999\n```\n\nWould encrypt and add the SLACK_API_TOKEN into the (JSON) secret SECRETS.\n\nNOTE: you may get warnings about the missing kms-secrets file when encrypting your first variables for a specific stage / region. The warning will go away once the file has been created by the plugin.\n\n### Decrypting Variables\n\nThe variables in the secrets file can be decrypted using\n\n```\nsls decrypt [-n VARIABLE_NAME]\n```\n\nThe -n option is optional. Without that, all variables are decrypted and displayed in clear text on the console.\n\n### Using variables\n\nPass the variables stored in the secrets file e.g. as environment variables using\n\n```yml\n  environment:\n    MY_VARIABLE: ${self:custom.kmsSecrets.secrets.MY_VARIABLE}\n```\n\nThe variable must be decrypted in the Lambda function using the KMS decrypt method. E.g.\n\n```js\nkms.decrypt({\n  CiphertextBlob: Buffer(process.env.MY_VARIABLE, 'base64')\n}).promise()\n.then(data =\u003e {\n  const decrypted = String(data.Plaintext)\n})\n```\n\nIf MY_VARIABLE consists of multiple variables, decode it using\n\n```js\n  const secrets = JSON.parse(decrypted);\n```\n\n## TODO\n\n* Add support for sls deploy (deploy as KMS encrypted environment variables)\n* Ease configuration (KeyIds / Arns in various places)\n\n## Release History\n\n* 2019/02/24 - v1.0.4 - Fix issue with serverless 1.33\n* 2017/09/09 - v1.0.0 - Add support for multisecret structures\n* 2017/05/13 - v0.9.0 - Initial version\n\n\n## License\n\nCopyright (c) 2017 [Nordcloud](https://nordcloud.com/), licensed for users and contributors under MIT license.\nhttps://github.com/nordcloud/serverless-kms-secrets/blob/master/LICENSE\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fnordcloud%2Fserverless-kms-secrets","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fnordcloud%2Fserverless-kms-secrets","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fnordcloud%2Fserverless-kms-secrets/lists"}