{"id":16341526,"url":"https://github.com/psibi/rucredstash","last_synced_at":"2025-07-10T12:39:18.834Z","repository":{"id":44380774,"uuid":"217748148","full_name":"psibi/rucredstash","owner":"psibi","description":"Utility for managing credentials securely in AWS cloud","archived":false,"fork":false,"pushed_at":"2023-06-15T06:03:45.000Z","size":354,"stargazers_count":19,"open_issues_count":0,"forks_count":4,"subscribers_count":3,"default_branch":"master","last_synced_at":"2024-10-11T23:59:38.883Z","etag":null,"topics":["aws","rust","secret","secret-management"],"latest_commit_sha":null,"homepage":"","language":"Rust","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":null,"status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/psibi.png","metadata":{"files":{"readme":"README.md","changelog":"CHANGELOG.md","contributing":null,"funding":null,"license":null,"code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null}},"created_at":"2019-10-26T17:54:45.000Z","updated_at":"2023-07-13T18:34:26.000Z","dependencies_parsed_at":"2022-07-14T13:20:55.562Z","dependency_job_id":null,"html_url":"https://github.com/psibi/rucredstash","commit_stats":null,"previous_names":[],"tags_count":12,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/psibi%2Frucredstash","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/psibi%2Frucredstash/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/psibi%2Frucredstash/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/psibi%2Frucredstash/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/psibi","download_url":"https://codeload.github.com/psibi/rucredstash/tar.gz/refs/heads/master","host":{"name":"GitHub","url":"https://github.com","kind":"g
ithub","repositories_count":221665165,"owners_count":16860186,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["aws","rust","secret","secret-management"],"created_at":"2024-10-10T23:59:40.766Z","updated_at":"2024-10-27T10:49:06.852Z","avatar_url":"https://github.com/psibi.png","language":"Rust","funding_links":[],"categories":[],"sub_categories":[],"readme":"# Rucredstash\n\n[![Crates.io][crates-badge]][crates-url]\n[![MIT licensed][mit-badge]][mit-url]\n[![Rust](https://github.com/psibi/rucredstash/actions/workflows/rust.yml/badge.svg)](https://github.com/psibi/rucredstash/actions/workflows/rust.yml)\n\n[crates-badge]: https://img.shields.io/crates/v/credstash.svg\n[crates-url]: https://crates.io/crates/credstash\n[mit-badge]: https://img.shields.io/badge/license-MIT-blue.svg\n[mit-url]: LICENSE\n\n\u003c!-- markdown-toc start - Don't edit this section. 
Run M-x markdown-toc-refresh-toc --\u003e\n**Table of Contents**\n\n- [Rucredstash](#rucredstash)\n- [Introduction](#introduction)\n- [Usage](#usage)\n- [Installation](#installation)\n- [Infrastructure Setup](#infrastructure-setup)\n- [Usage Examples](#usage-examples)\n    - [Different way of passing AWS Credentials](#different-way-of-passing-aws-credentials)\n    - [Other usage examples](#other-usage-examples)\n        - [Put secret value](#put-secret-value)\n        - [Get secret value](#get-secret-value)\n        - [Get all secret values](#get-all-secret-values)\n        - [List credentials with other metadata](#list-credentials-with-other-metadata)\n        - [Get all keys](#get-all-keys)\n        - [Delete a specific key](#delete-a-specific-key)\n        - [Put a bunch of secrets (putall subcommand)](#put-a-bunch-of-secrets-putall-subcommand)\n\n\u003c!-- markdown-toc end --\u003e\n\n# Introduction\n\nRucredstash is a Rust port of [CredStash](https://github.com/fugue/credstash).\n\nIt uses a combination of AWS Key Management Service (KMS) and DynamoDB\nto store secrets. This is needed when you want to store and retrieve\nyour credentials (such as database passwords, API keys, etc.) securely. A\nmore [detailed\ntutorial](https://www.fpcomplete.com/blog/2017/08/credstash) is available.\n\nThis package offers the interface both as a CLI and as a\nlibrary.\n
The CLI is meant as a drop in replacement of the\noriginal credstash program and therefore it tries to have the exact\ninterface as the original program.\n\n# Usage\n\n``` shellsession\nrucredstash 0.8.0\nSibi Prabakaran\nA credential/secret storage system\n\nUSAGE:\n    rucredstash [OPTIONS] [SUBCOMMAND]\n\nFLAGS:\n    -h, --help       Prints help information\n    -V, --version    Prints version information\n\nOPTIONS:\n    -a, --arn \u003cARN\u003e                  AWS IAM ARN for AssumeRole\n    -m, --mfa_serial \u003cMFA_SERIAL\u003e    Optional MFA hardware device serial number or virtual device ARN\n    -p, --profile \u003cPROFILE\u003e          Boto config profile to use when connecting to AWS\n    -r, --region \u003cREGION\u003e            the AWS region in which to operate. If a region is not specified, credstash will\n                                     use the value of the AWS_DEFAULT_REGION env variable, or if that is not set, the\n                                     value in `~/.aws/config`. As a last resort, it will use us-east-1\n    -t, --table \u003cTABLE\u003e              DynamoDB table to use for credential storage. 
If not specified, credstash will use\n                                     the value of the CREDSTASH_DEFAULT_TABLE env variable, or if that is not set, the\n                                     value `credential-store` will be used\n\nSUBCOMMANDS:\n    delete    Delete a credential from the store\n    get       Get a credential from the store\n    getall    Get all credentials from the store\n    help      Prints this message or the help of the given subcommand(s)\n    keys      List all keys in the store\n    list      List credentials and their versions\n    put       Put a credential into the store\n    putall    Put credentials from json or file into the store\n    setup     setup the credential store\n```\n\n# Installation\n\nSee GitHub releases: https://github.com/psibi/rucredstash/releases\n\nExecutables are available for all three major platforms: Linux, Windows and macOS.\n\n# Infrastructure Setup\n\nFor `rucredstash` to work, you need to set up the following AWS\ninfrastructure:\n\n* Create a customer managed key (CMK)\n  - Services =\u003e KMS =\u003e Create Key =\u003e Input \"credstash\" for Key Alias\n* Create DynamoDB table\n  - rucredstash setup\n\n# Usage Examples\n\n## Different way of passing AWS Credentials\n\nThe simplest case is to export the proper environment variables and use them:\n\n``` shellsession\n$ export AWS_ACCESS_KEY_ID=xxxx\n$ export AWS_SECRET_ACCESS_KEY=xxxx\n$ rucredstash list\nhello            -- version 0000000000000000001 --comment\nhellehllobyegood -- version 0000000000000000001 --comment\nhello1           -- version 0000000000000000001 --comment\n```\n\nNote that `rucredstash` by default uses\n[DefaultCredentialsProvider](https://docs.rs/rusoto_credential/0.42.0/rusoto_credential/struct.DefaultCredentialsProvider.html),\nso your credentials will be based on that.\n
But it even allows other\ncomplex usage scenarios:\n\n``` shellsession\n$ export AWS_ACCESS_KEY_ID=xxxx\n$ export AWS_SECRET_ACCESS_KEY=xxxx\n$ rucredstash --arn arn:aws:iam::786946123934:role/admin --mfa_serial arn:aws:iam::786946123934:mfa/sibi --region us-west-2 list\nEnter MFA Code: xxxxx\nhello            -- version 0000000000000000001 --comment\nhellehllobyegood -- version 0000000000000000001 --comment\nhello1           -- version 0000000000000000001 --comment\n```\n\nNote that the MFA functionality isn't present in the original\ncredstash program (the Python program). You can also use programs like\n[aws-env](https://github.com/fpco/devops-helpers/blob/master/doc/aws/aws-env.md)\ntogether with this tool. Example:\n\n``` shellsession\n$ aws-env rucredstash list\nhello            -- version 0000000000000000001 --comment\nhellehllobyegood -- version 0000000000000000001 --comment\nhello1           -- version 0000000000000000001 --comment\n```\n\n## Other usage examples\n\n### Put secret value\n\n``` shellsession\n$ rucredstash put hello world\nhello has been stored\n```\n\nYou can also use the encryption context associated with the\ncredential:\n\n``` shellsession\n$ rucredstash put nasdaq nifty500 market=world\nnasdaq has been stored\n```\n\nOr even multiple encryption contexts:\n\n``` shellsession\n$ rucredstash put vanguard vanguardsecret market=world indexfunds=us\nvanguard has been stored\n```\n\n### Get secret value\n\n``` shellsession\n$ rucredstash get hello1\nworld1\n```\n\nNow let's also try to retrieve using the encryption context:\n\n``` shellsession\n$ rucredstash get nasdaq market=world\nnifty500\n```\n\nAnd using multiple encryption contexts:\n\n``` shellsession\n$ rucredstash get vanguard market=world indexfunds=us\nvanguardsecret\n```\n\n### Get all secret values\n\n``` shellsession\n$ rucredstash getall\n{\n  \"hellehllobyegood\": \"dam\",\n  \"hello\": \"world\",\n  \"hello1\": \"world1\"\n}\n```\n\nYou can get that in other formats too:\n\n``` 
shellsession\n$ rucredstash getall --format yaml\nhello: world\nhellehllobyegood: dam\nhello1: world1\n```\n\n### List credentials with other metadata\n\n``` shellsession\n$ rucredstash list\nhello            -- version 0000000000000000001 --comment\nhellehllobyegood -- version 0000000000000000001 --comment\nhello1           -- version 0000000000000000001 --comment\n```\n\n### Get all keys\n\n``` shellsession\n$ rucredstash keys\nhello\nhellehllobyegood\nhello1\n```\n\n### Delete a specific key\n\n``` shellsession\n$ rucredstash delete hello\nDeleting hello --version 0000000000000000001\n```\n\n### Put a bunch of secrets (putall subcommand)\n\nYou can pass the input from a file using the special symbol `@` to\nindicate that the data is fed from the file:\n\n``` shellsession\n$ bat secrets.json\n───────┬────────────────────────────────────────\n       │ File: secrets.json\n───────┼────────────────────────────────────────\n   1   │ {\n   2   │     \"hello\": \"world\",\n   3   │     \"hi\": \"bye\"\n   4   │ }\n───────┴────────────────────────────────────────\n$ rucredstash putall @secrets.json\nhello has been stored\nhi has been stored\n```\n\nYou can also pass the data via stdin using the special operator `-`:\n\n``` shellsession\n$ rucredstash putall -\n{ \"hello\": \"world\" }\nhello has been stored\n```\n\nNote that the passed data should be in JSON format. You press the\n[Enter key](https://en.wikipedia.org/wiki/Enter_key \"Enter key\") to\nindicate that you have finished passing the data.\n\nYou can also pass the data directly as an argument:\n\n``` shellsession\n$ rucredstash putall '{\"hello\":\"world\",\"hi\":\"bye\"}'\nhello has been stored\nhi has been stored\n```\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fpsibi%2Frucredstash","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fpsibi%2Frucredstash","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fpsibi%2Frucredstash/lists"}