{"id":13472123,"url":"https://github.com/segmentio/chamber","last_synced_at":"2026-02-07T01:01:25.401Z","repository":{"id":37664712,"uuid":"93906782","full_name":"segmentio/chamber","owner":"segmentio","description":"CLI for managing secrets","archived":false,"fork":false,"pushed_at":"2025-11-24T09:26:11.000Z","size":2387,"stargazers_count":2563,"open_issues_count":32,"forks_count":177,"subscribers_count":21,"default_branch":"master","last_synced_at":"2025-12-09T23:59:19.393Z","etag":null,"topics":[],"latest_commit_sha":null,"homepage":null,"language":"Go","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"mit","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/segmentio.png","metadata":{"files":{"readme":"README.md","changelog":"CHANGELOG.md","contributing":"CONTRIBUTING.md","funding":null,"license":"LICENSE","code_of_conduct":"CODE_OF_CONDUCT.md","threat_model":null,"audit":null,"citation":null,"codeowners":".github/CODEOWNERS","security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null,"zenodo":null,"notice":null,"maintainers":null,"copyright":null,"agents":null,"dco":null,"cla":null}},"created_at":"2017-06-10T00:43:50.000Z","updated_at":"2025-12-09T23:34:05.000Z","dependencies_parsed_at":"2024-03-07T19:48:45.171Z","dependency_job_id":"70e2cccd-0954-48fd-991e-6fa9b0bfa0fc","html_url":"https://github.com/segmentio/chamber","commit_stats":{"total_commits":262,"total_committers":83,"mean_commits":"3.1566265060240966","dds":0.8206106870229007,"last_synced_commit":"b4e159080ed8a8757e6cbda1be83535b7db35834"},"previous_names":[],"tags_count":93,"template":false,"template_full_name":null,"purl":"pkg:github/segmentio/chamber","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/segmentio%2Fchamber","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/segmentio%2Fchamber/tags","releases_
url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/segmentio%2Fchamber/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/segmentio%2Fchamber/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/segmentio","download_url":"https://codeload.github.com/segmentio/chamber/tar.gz/refs/heads/master","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/segmentio%2Fchamber/sbom","scorecard":{"id":809879,"data":{"date":"2025-08-11","repo":{"name":"github.com/segmentio/chamber","commit":"7c8de43068d41125dae1abdd200cb298aa2197b3"},"scorecard":{"version":"v5.2.1-40-gf6ed084d","commit":"f6ed084d17c9236477efd66e5b258b9d4cc7b389"},"score":4.5,"checks":[{"name":"Maintained","score":1,"reason":"2 commit(s) and 0 issue activity found in the last 90 days -- score normalized to 1","details":null,"documentation":{"short":"Determines if the project is \"actively maintained\".","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#maintained"}},{"name":"Dangerous-Workflow","score":10,"reason":"no dangerous workflow patterns detected","details":null,"documentation":{"short":"Determines if the project's GitHub Action workflows avoid dangerous patterns.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#dangerous-workflow"}},{"name":"Code-Review","score":10,"reason":"all changesets reviewed","details":null,"documentation":{"short":"Determines if the project requires human code review before pull requests (aka merge requests) are merged.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#code-review"}},{"name":"Binary-Artifacts","score":10,"reason":"no binaries found in the repo","details":null,"documentation":{"short":"Determines if the project has generated executable (binary) artifacts in the source 
repository.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#binary-artifacts"}},{"name":"Packaging","score":-1,"reason":"packaging workflow not detected","details":["Warn: no GitHub/GitLab publishing workflow detected."],"documentation":{"short":"Determines if the project is published as a package that others can easily download, install, easily update, and uninstall.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#packaging"}},{"name":"Token-Permissions","score":0,"reason":"detected GitHub workflow tokens with excessive permissions","details":["Warn: jobLevel 'contents' permission set to 'write': .github/workflows/release.yml:33","Warn: no topLevel permission defined: .github/workflows/build.yml:1","Warn: no topLevel permission defined: .github/workflows/release.yml:1"],"documentation":{"short":"Determines if the project's workflows follow the principle of least privilege.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#token-permissions"}},{"name":"Pinned-Dependencies","score":1,"reason":"dependency not pinned by hash detected -- score normalized to 1","details":["Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/build.yml:18: update your workflow using https://app.stepsecurity.io/secureworkflow/segmentio/chamber/build.yml/master?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/build.yml:21: update your workflow using https://app.stepsecurity.io/secureworkflow/segmentio/chamber/build.yml/master?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/build.yml:35: update your workflow using https://app.stepsecurity.io/secureworkflow/segmentio/chamber/build.yml/master?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/build.yml:38: update your workflow using 
https://app.stepsecurity.io/secureworkflow/segmentio/chamber/build.yml/master?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/build.yml:60: update your workflow using https://app.stepsecurity.io/secureworkflow/segmentio/chamber/build.yml/master?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/build.yml:63: update your workflow using https://app.stepsecurity.io/secureworkflow/segmentio/chamber/build.yml/master?enable=pin","Warn: third-party GitHubAction not pinned by hash: .github/workflows/build.yml:71: update your workflow using https://app.stepsecurity.io/secureworkflow/segmentio/chamber/build.yml/master?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/build.yml:84: update your workflow using https://app.stepsecurity.io/secureworkflow/segmentio/chamber/build.yml/master?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/build.yml:87: update your workflow using https://app.stepsecurity.io/secureworkflow/segmentio/chamber/build.yml/master?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/build.yml:96: update your workflow using https://app.stepsecurity.io/secureworkflow/segmentio/chamber/build.yml/master?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/release.yml:13: update your workflow using https://app.stepsecurity.io/secureworkflow/segmentio/chamber/release.yml/master?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/release.yml:16: update your workflow using https://app.stepsecurity.io/secureworkflow/segmentio/chamber/release.yml/master?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/release.yml:25: update your workflow using https://app.stepsecurity.io/secureworkflow/segmentio/chamber/release.yml/master?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: 
.github/workflows/release.yml:37: update your workflow using https://app.stepsecurity.io/secureworkflow/segmentio/chamber/release.yml/master?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/release.yml:39: update your workflow using https://app.stepsecurity.io/secureworkflow/segmentio/chamber/release.yml/master?enable=pin","Warn: third-party GitHubAction not pinned by hash: .github/workflows/release.yml:45: update your workflow using https://app.stepsecurity.io/secureworkflow/segmentio/chamber/release.yml/master?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/release.yml:58: update your workflow using https://app.stepsecurity.io/secureworkflow/segmentio/chamber/release.yml/master?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/release.yml:60: update your workflow using https://app.stepsecurity.io/secureworkflow/segmentio/chamber/release.yml/master?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/release.yml:66: update your workflow using https://app.stepsecurity.io/secureworkflow/segmentio/chamber/release.yml/master?enable=pin","Warn: third-party GitHubAction not pinned by hash: .github/workflows/release.yml:71: update your workflow using https://app.stepsecurity.io/secureworkflow/segmentio/chamber/release.yml/master?enable=pin","Warn: third-party GitHubAction not pinned by hash: .github/workflows/release.yml:74: update your workflow using https://app.stepsecurity.io/secureworkflow/segmentio/chamber/release.yml/master?enable=pin","Warn: third-party GitHubAction not pinned by hash: .github/workflows/release.yml:77: update your workflow using https://app.stepsecurity.io/secureworkflow/segmentio/chamber/release.yml/master?enable=pin","Warn: containerImage not pinned by hash: Dockerfile:1","Info:   0 out of  17 GitHub-owned GitHubAction dependencies pinned","Info:   0 out of   5 third-party GitHubAction dependencies pinned","Info:   
0 out of   1 containerImage dependencies pinned","Info:   1 out of   1 goCommand dependencies pinned"],"documentation":{"short":"Determines if the project has declared and pinned the dependencies of its build process.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#pinned-dependencies"}},{"name":"CII-Best-Practices","score":0,"reason":"no effort to earn an OpenSSF best practices badge detected","details":null,"documentation":{"short":"Determines if the project has an OpenSSF (formerly CII) Best Practices Badge.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#cii-best-practices"}},{"name":"Security-Policy","score":0,"reason":"security policy file not detected","details":["Warn: no security policy file detected","Warn: no security file to analyze","Warn: no security file to analyze","Warn: no security file to analyze"],"documentation":{"short":"Determines if the project has published a security policy.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#security-policy"}},{"name":"Fuzzing","score":0,"reason":"project is not fuzzed","details":["Warn: no fuzzer integrations found"],"documentation":{"short":"Determines if the project uses fuzzing.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#fuzzing"}},{"name":"License","score":10,"reason":"license file detected","details":["Info: project has a license file: LICENSE:0","Info: FSF or OSI recognized license: MIT License: LICENSE:0"],"documentation":{"short":"Determines if the project has defined a license.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#license"}},{"name":"Signed-Releases","score":0,"reason":"Project has not signed or included provenance with any releases.","details":["Warn: release artifact v3.1.3 not signed: 
https://api.github.com/repos/segmentio/chamber/releases/234713561","Warn: release artifact v3.1.2 not signed: https://api.github.com/repos/segmentio/chamber/releases/213973693","Warn: release artifact v3.1.1 not signed: https://api.github.com/repos/segmentio/chamber/releases/190054717","Warn: release artifact v3.1.0 not signed: https://api.github.com/repos/segmentio/chamber/releases/171145946","Warn: release artifact v3.0.1 not signed: https://api.github.com/repos/segmentio/chamber/releases/170026294","Warn: release artifact v3.1.3 does not have provenance: https://api.github.com/repos/segmentio/chamber/releases/234713561","Warn: release artifact v3.1.2 does not have provenance: https://api.github.com/repos/segmentio/chamber/releases/213973693","Warn: release artifact v3.1.1 does not have provenance: https://api.github.com/repos/segmentio/chamber/releases/190054717","Warn: release artifact v3.1.0 does not have provenance: https://api.github.com/repos/segmentio/chamber/releases/171145946","Warn: release artifact v3.0.1 does not have provenance: https://api.github.com/repos/segmentio/chamber/releases/170026294"],"documentation":{"short":"Determines if the project cryptographically signs release artifacts.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#signed-releases"}},{"name":"Branch-Protection","score":4,"reason":"branch protection is not maximal on development and all release branches","details":["Info: 'allow deletion' disabled on branch 'master'","Info: 'force pushes' disabled on branch 'master'","Warn: 'branch protection settings apply to administrators' is disabled on branch 'master'","Info: 'stale review dismissal' is required to merge on branch 'master'","Warn: required approving review count is 1 on branch 'master'","Info: codeowner review is required on branch 'master'","Warn: 'last push approval' is disabled on branch 'master'","Warn: 'up-to-date branches' is disabled on branch 'master'","Info: 
status check found to merge onto on branch 'master'","Info: PRs are required in order to make changes on branch 'master'"],"documentation":{"short":"Determines if the default and release branches are protected with GitHub's branch protection settings.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#branch-protection"}},{"name":"Vulnerabilities","score":10,"reason":"0 existing vulnerabilities detected","details":null,"documentation":{"short":"Determines if the project has open, known unfixed vulnerabilities.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#vulnerabilities"}},{"name":"SAST","score":0,"reason":"SAST tool is not run on all commits -- score normalized to 0","details":["Warn: 0 commits out of 30 are checked with a SAST tool"],"documentation":{"short":"Determines if the project uses static code analysis.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#sast"}}]},"last_synced_at":"2025-08-23T12:49:44.354Z","repository_id":37664712,"created_at":"2025-08-23T12:49:44.354Z","updated_at":"2025-08-23T12:49:44.354Z"},"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":286080680,"owners_count":29183273,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2026-02-07T00:44:15.062Z","status":"ssl_error","status_checked_at":"2026-02-07T00:35:01.758Z","response_time":59,"last_error":"SSL_read: unexpected eof while 
reading","robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":false,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":[],"created_at":"2024-07-31T16:00:52.086Z","updated_at":"2026-02-07T01:01:25.316Z","avatar_url":"https://github.com/segmentio.png","language":"Go","readme":"# Chamber\n\nChamber is a tool for managing secrets. Currently it does so by storing\nsecrets in SSM Parameter Store, an AWS service for storing secrets.\n\nFor detailed info about using chamber, please read\n[The Right Way To Manage Secrets](https://aws.amazon.com/blogs/mt/the-right-way-to-store-secrets-using-parameter-store/)\n\n## v3.0 Breaking Changes\n\n* **Use of the SSM Parameter Store's path-based API is now required.** Support\n  added in v2.0 to avoid it has been removed. The `CHAMBER_NO_PATHS` environment\n  variable no longer has any effect. You must migrate to the new storage format\n  using the instructions below, using a 2.x version of chamber.\n* **The `--min-throttle-delay` option no longer has any effect.** Support for\n  specifying a minimum throttle delay has been removed from the underlying AWS\n  SDK with no direct replacement. Instead, set the new `--retry-mode` option to\n  \"adaptive\" to use an experimental model that accounts for throttling errors.\n* **Context arguments are required for `Store` methods.** This is a consequence\n  of migrating to a new AWS SDK. 
This change has no effect for CLI users, but\n  those using chamber as a library must update their code to pass contexts.\n* **The deprecated `NewS3Store` constructor has been removed.** Use\n  `NewS3StoreWithBucket` instead.\n\n## v2.0 Breaking Changes\n\nStarting with version 2.0, chamber uses parameter store's path-based API by default.\nChamber pre-2.0 supported this API using the `CHAMBER_USE_PATHS` environment variable.\nThe path-based API has performance benefits and is the recommended best practice\nby AWS.\n\nAs a side effect of this change, if you didn't use path-based secrets before 2.0,\nyou will need to set `CHAMBER_NO_PATHS` to enable the old behavior. This option\nis deprecated, and we recommend only using this setting for supporting existing\napplications.\n\nTo migrate to the new format, you can take advantage of the `export` and `import`\ncommands. For example, if you wanted to convert secrets for service `foo` to the\nnew format using chamber 2.0, you can do:\n\n```bash\nCHAMBER_NO_PATHS=1 chamber export foo | chamber import foo -\n```\n\n### v2.13.0 Breaking Changes\n\nSupport for very old versions of Go has been dropped, and chamber will only test\nagainst versions of Go covered by the Go Release Policy, e.g. the two most recent\nmajor versions. This will ensure that we can reliably update dependencies as needed.\nAdditionally, chamber binaries will be built with the latest stable version of Go\nat the time of release.\n\n## Installing\n\nIf you have a functional Go environment, you can install with:\n\n```bash\ngo install github.com/segmentio/chamber/v3@latest\n```\n\n### Caveat About `chamber version` and `go install`\n\nNote that installing with `go install` will not produce an executable containing\nany versioning information. This information is passed at compilation time when\nthe `Makefile` is used for compilation. 
Without this information, `chamber version`\noutputs the following:\n\n```text\n$ chamber version\nchamber dev\n```\n\n[See the wiki for more installation options like Docker images, Linux packages, and precompiled binaries.](https://github.com/segmentio/chamber/wiki/Installation)\n\n## Authenticating\n\nUsing `chamber` requires you to be running in an environment with an\nauthenticated AWS user which has the appropriate permission to read/write\nvalues to SSM Parameter Store.\n\nThis is going to vary based on your organization but chamber needs AWS credentials\nto run.\n\nOne of the easiest ways to do so is by using [aws-vault](https://github.com/99designs/aws-vault).\nTo adjust these instructions for your needs, examine the env output of\n[Aws-Vault: How It Works](https://github.com/99designs/aws-vault#how-it-works)\nand use your organization's secrets tool accordingly with chamber.\n\n### An `aws-vault` Usage Example With Chamber\n\n```bash\naws-vault exec prod -- chamber\n```\n\nFor this reason, it is recommended that you create an alias in your shell of\nchoice to save yourself some typing, for example (from my `.zshrc`):\n\n```bash\nalias chamberprod='aws-vault exec production -- chamber'\n```\n\n## Setting Up KMS\n\nChamber expects to find a KMS key with alias `parameter_store_key` in the\naccount that you are writing/reading secrets. 
You can follow the [AWS KMS\ndocumentation](http://docs.aws.amazon.com/kms/latest/developerguide/create-keys.html)\nto create your key, and [follow this guide to set up your\nalias](http://docs.aws.amazon.com/kms/latest/developerguide/programming-aliases.html).\n\nIf you are a [Terraform](https://www.terraform.io/) user, you can create your\nkey with the following:\n\n```HCL\nresource \"aws_kms_key\" \"parameter_store\" {\n  description             = \"Parameter store kms master key\"\n  deletion_window_in_days = 10\n  enable_key_rotation     = true\n}\n\nresource \"aws_kms_alias\" \"parameter_store_alias\" {\n  name          = \"alias/parameter_store_key\"\n  target_key_id = \"${aws_kms_key.parameter_store.id}\"\n}\n```\n\nIf you'd like to use an alternate KMS key to encrypt your secrets, you can set\nthe environment variable `CHAMBER_KMS_KEY_ALIAS`. As an example, the following\nwill use your account's default SSM alias:\n`CHAMBER_KMS_KEY_ALIAS=aws/ssm`\n\n## Usage\n\n### Writing Secrets\n\n```bash\n$ chamber write \u003cservice\u003e \u003ckey\u003e \u003cvalue|-\u003e\n```\n\nThis operation will write a secret into the secret store. If a secret with that\nkey already exists, it will increment the version and store a new value.\n\nIf `-` is provided as the value argument, the value will be read from standard\ninput.\n\nSecret keys are normalized automatically. The `-` will be `_` and the letters will\nbe converted to upper case (for example a secret with key `secret_key` and\n`secret-key` will become `SECRET_KEY`).\n\n#### Reserved Service Names\n\nStarting with version 3.0, the service name \"_chamber\" is reserved for chamber's\ninternal use. 
You will be warned when using the service for any chamber operation.\n\n#### Tagging on Write\n\n```bash\n$ chamber write \u003cservice\u003e \u003ckey\u003e \u003cvalue\u003e --tags key1=value1,key2=value2\n```\n\nThis operation will write a secret into the secret store with the specified tags.\nTagging on write is only available for new secrets.\n\n### Tagging Secrets\n\n```bash\n$ chamber tag write \u003cservice\u003e \u003ckey\u003e tag1=value1 tag2=value2\nKey Value\ntag1  value1\ntag2  value2\n$ chamber tag read \u003cservice\u003e \u003ckey\u003e\nKey Value\ntag1  value1\ntag2  value2\n$ chamber tag delete \u003cservice\u003e \u003ckey\u003e tag1\n$ chamber tag read \u003cservice\u003e \u003ckey\u003e\nKey Value\ntag2  value2\n```\n\nWriting tags normally leaves other tags intact. If you want to replace all tags\nwith the new ones, use `--delete-other-tags` flag. _Note: The option may change\nbefore the next major release._\n\n```bash\n$ chamber tag write --delete-other-tags \u003cservice\u003e \u003ckey\u003e tag1=value1\nKey Value\ntag1  value1\n```\n\n### Listing Secrets\n\n```bash\n$ chamber list service\nKey         Version                  LastModified      User\napikey      2                        06-09 17:30:56    daniel-fuentes\nother       1                        06-09 17:30:34    daniel-fuentes\n```\n\nListing secrets should show the key names for a given service, along with other\nuseful metadata including when the secret was last modified, who modified it,\nand what the current version is.\n\n```bash\n$ chamber list -e service\nKey         Version                  LastModified      User             Value\napikey      2                        06-09 17:30:56    daniel-fuentes   apikeyvalue\nother       1                        06-09 17:30:34    daniel-fuentes   othervalue\n```\n\nListing secrets with expand parameter should show the key names and values for a\ngiven service, along with other useful metadata including when the secret was\nlast 
modified, who modified it, and what the current version is.\n\n### Historic view\n\n```bash\n$ chamber history service key\nEvent       Version     Date            User\nCreated     1           06-09 17:30:19  daniel-fuentes\nUpdated     2           06-09 17:30:56  daniel-fuentes\n```\n\nThe `history` command gives a historical view of a given secret. This view is\nuseful for auditing changes, and can point you toward the user who made the\nchange so it's easier to find out why changes were made.\n\n### Exec\n\n```bash\n$ chamber exec \u003cservice...\u003e -- \u003cyour executable\u003e\n```\n\n`exec` populates the environment with the secrets from the specified services\nand executes the given command. Secret keys are converted to upper case (for\nexample a secret with key `secret_key` will become `SECRET_KEY`).\n\nSecrets from services are loaded in the order specified in the command. For\nexample, if you do `chamber exec app apptwo -- ...` and both apps have a secret\nnamed `api_key`, the `api_key` from `apptwo` will be the one set in your\nenvironment.\n\n### Reading\n\n```bash\n$ chamber read service key\nKey             Value                           Version         LastModified    User\nkey             secret                          1               06-09 17:30:56  daniel-fuentes\n```\n\n`read` provides the ability to print out the value of a single secret, as well\nas the secret's additional metadata. It does not provide the ability to print\nout multiple secrets in order to discourage accessing extra secret material\nthat is unneeded. Parameter store automatically versions secrets and passing\nthe `--version/-v` flag to read can print older versions of the secret. Default\nversion (-1) is the latest secret.\n\n### Exporting\n\n```bash\n$ chamber export [--format \u003cformat\u003e] [--output-file \u003cfile\u003e]  \u003cservice...\u003e\n{\"key\":\"secret\"}\n```\n\n`export` provides ability to export secrets in various file formats. 
The following\nfile formats are supported:\n\n- json (default)\n- yaml\n- java-properties\n- csv\n- tsv\n- dotenv\n- tfvars\n\nThe file is written to standard output by default but you may specify an output file.\n\n### Caveat About Environment Variables\n\n`chamber` can emit environment variables in both dotenv format and exported shell\nenvironment variables. As `chamber` allows creating key names that are themselves\nnot valid shell variable names, secrets emitted in this format will have their\nkeys modified to conform to POSIX shell environment variable naming rules:\n\n- variable names **must** begin with a letter or an underscore\n  - variable names **must not** begin with a number\n- variable names **must** only contain letters, numbers, or underscores\n\n#### Notes About Dotenv Format\n\nAs there is no formal dotenv spec, `chamber` attempts to\ncomply with [joho/godotenv](https://github.com/joho/godotenv) (which\nis itself a port of the Ruby library\n[bkeepers/dotenv](https://github.com/bkeepers/dotenv)). The output should be generally\ncross-compatible with alternative parsers, but without a formal spec, compatibility\nis not guaranteed.\n\nOf note:\n\n- all key names will be sanitized according to the POSIX shell rules above, and\ncast to uppercase\n- all values will be rendered using special characters instead of string literals,\n  e.g. newlines replaced with the character `\\n`, tabstops replaced with the character\n  `\\t`, etc.\n  - no whitespace trimming will be performed on any values\n\n#### Notes About Exported Environment Variables\n\nAlternatively, `chamber` may be used to set local environment variables directly\nwith the `chamber env` command. 
For example,\n\n```shell\nsource \u003c(chamber env service)\nprintf \"%s\" \"$SERVICE_VAR\"\n```\n\nNote that all secrets printed this way will be prefixed with `export`, so if sourced\ninline as in the above example, any and all secrets will then be available\nto any process run after sourcing.\n\nThe `env` subcommand supports output formatting in two specific ways:\n\n```text\nchamber env -h\nPrint the secrets from the parameter store in a format to export as environment variables\n\nUsage:\n  chamber env \u003cservice\u003e [flags]\n\nFlags:\n  -p, --preserve-case    preserve variable name case\n  -e, --escape-strings   escape special characters in values\n```\n\nAs `chamber` allows creation of keys with mixed case, `--preserve-case` will ensure\nthat the original key case is preserved. Note that this will **not** prevent the\nkey name from being sanitized according to the above POSIX shell rules.\nBy default, values will be rendered using string literals, e.g. newlines will\nbe printed as literal newlines, tabstops as literal tabstops. 
Output may be\nemitted using escaped special characters instead (identical to\n`chamber export --format dotenv`) by using the flag `--escape-strings`.\n\n### Importing\n\n```bash\n$ chamber import [--normalize-keys] \u003cservice\u003e \u003cfilepath\u003e\n```\n\n`import` provides the ability to import secrets from a json or yaml file (like\nthe kind you get from `chamber export`).\n\n\u003c!-- prettier-ignore --\u003e\n\u003e __Note__\n\u003e By default, `import` will **not** normalize key inputs, meaning that keys will\n\u003e be written to the secrets backend in the format they exist in the source file.\n\u003e In order to normalize keys on import, provide the `--normalize-keys` flag.\n\nWhen normalizing keys, before write, the key will first be converted to lowercase\nto match how `chamber write` handles keys.\n\nExample: `DB_HOST` will be converted to `db_host`.\n\nYou can set `filepath` to `-` to instead read input from stdin.\n\n### Deleting\n\n```bash\n$ chamber delete [--exact-key] service key\n```\n\n`delete` provides the ability to remove a secret from chamber permanently,\nincluding the secret's additional metadata. There is no way to recover a\nsecret once it has been deleted so care should be taken with this command.\n\n\u003c!-- prettier-ignore --\u003e\n\u003e __Note__\n\u003e By default, `delete` will normalize any provided keys. 
To change that behavior,\n\u003e provide the `--exact-key` flag to attempt to delete the raw provided key.\n\nExample: Given the following setup,\n\n```bash\n$ chamber list service\nKey         Version                  LastModified      User\napikey      2                        06-09 17:30:56    daniel-fuentes\nAPIKEY      1                        06-09 17:30:34    daniel-fuentes\n```\n\nCalling\n\n```bash\n$ chamber delete --exact-key service APIKEY\n```\n\nwill delete only `APIKEY` from the service and leave only\n\n```bash\n$ chamber list service\nKey         Version                  LastModified      User\napikey      2                        06-09 17:30:56    daniel-fuentes\n```\n\n### Finding\n\n```bash\n$ chamber find key\n```\n\n`find` provides the ability to locate which services use the same key names.\n\n```bash\n$ chamber find value --by-value\n```\n\nPassing `--by-value` or `-v` will search the values of all secrets and return\nthe services and keys which match.\n\n### Listing Services\n\n```bash\n$ chamber list-services [\u003cprefix\u003e]\n```\n\n`list-services` lists the available services. You can provide a prefix to limit\nthe results.\n\n### AWS Region\n\nChamber uses [AWS SDK for Go](https://github.com/aws/aws-sdk-go). To use a\nregion other than what is specified in `$HOME/.aws/config`, set the environment\nvariable \"AWS_REGION\".\n\n```bash\n$ AWS_REGION=us-west-2 chamber list service\nKey         Version                  LastModified      User\napikey      3                        07-10 09:30:41    daniel-fuentes\nother       1                        07-10 09:30:35    daniel-fuentes\n```\n\nChamber does not currently read the value of \"AWS_DEFAULT_REGION\". 
See\n[https://github.com/aws/aws-sdk-go#configuring-aws-region](https://github.com/aws/aws-sdk-go#configuring-aws-region)\nfor more details.\n\nIf you'd like to use a different region for chamber without changing `AWS_REGION`,\nyou can use `CHAMBER_AWS_REGION` to override just for chamber.\n\n### Custom SSM Endpoint\n\nIf you'd like to use a custom SSM endpoint for chamber, you can use `CHAMBER_AWS_SSM_ENDPOINT`\nto override the default URL.\n\n## AWS Secrets Manager\n\nChamber supports AWS Secrets Manager as an optional backend. For example:\n\n```bash\nchamber -b secretsmanager write myservice foo fah\nchamber -b secretsmanager write myservice foo2 fah2\n```\n\n### Custom Secrets Manager Endpoint\n\nIf you'd like to use a custom Secrets Manager endpoint for chamber, you can use\n`CHAMBER_AWS_SECRETS_MANAGER_ENDPOINT` to override the default URL.\n\n\u003e [!WARNING]\n\u003e Prior to v3.0.0, the endpoint could also be overridden with `CHAMBER_AWS_SSM_ENDPOINT`. This\n\u003e has been deprecated and will stop working in a future chamber release. Please use\n\u003e `CHAMBER_AWS_SECRETS_MANAGER_ENDPOINT` instead.\n\n## S3 Backend (Experimental)\n\nBy default, chamber stores secrets in AWS Parameter Store. We now also provide an\nexperimental S3 backend for storing secrets in S3 instead.\n\nTo configure chamber to use the S3 backend, use `chamber -b s3 --backend-s3-bucket=mybucket`.\nPreferably, this bucket should reject uploads that do not set the server-side\nencryption header ([see this doc for details on how](https://aws.amazon.com/blogs/security/how-to-prevent-uploads-of-unencrypted-objects-to-amazon-s3/)).\n\nThis feature is experimental, and not currently meant for production work.\n\n### S3 Backend using KMS Key Encryption (Experimental)\n\nThis backend is similar to the S3 Backend but uses KMS Key Encryption to encrypt\nyour documents at rest, similar to the SSM Backend which encrypts your secrets\nat rest. 
You can read how S3 encrypts documents with KMS [here](https://docs.aws.amazon.com/kms/latest/developerguide/services-s3.html).\n\nThe highlights of SSE-KMS are:\n\n- You can choose to create and manage encryption keys yourself, or you can choose\n  to use your default service key uniquely generated on a customer by service by\n  region level.\n- The ETag in the response is not the MD5 of the object data.\n- The data keys used to encrypt your data are also encrypted and stored alongside\n  the data they protect.\n- Auditable master keys can be created, rotated, and disabled from the AWS KMS console.\n- The security controls in AWS KMS can help you meet encryption-related compliance\n  requirements.\n\nSource: [Protecting data using server-side encryption with AWS Key Management Service keys (SSE-KMS)](https://docs.aws.amazon.com/AmazonS3/latest/dev/UsingKMSEncryption.html)\n\nTo configure chamber to use the S3 KMS backend, use\n`chamber -b s3-kms --backend-s3-bucket=mybucket --kms-key-alias=alias/keyname`.\nYou must also supply the KMS Key Alias to use in the environment variable\n`CHAMBER_KMS_KEY_ALIAS`; by default, \"alias/parameter_store_key\"\nwill be used.\n\nPreferably, this bucket should reject uploads that do not set the server-side\nencryption header ([see this doc for details how](https://aws.amazon.com/blogs/security/how-to-prevent-uploads-of-unencrypted-objects-to-amazon-s3/)).\n\nWhen changing secrets between KMS Keys, you must first delete the Chamber secret\nwith the existing KMS Key, then write it again with the new KMS Key.\n\nIf services contain multiple KMS Keys, `chamber list` and `chamber exec` will only\nshow Chamber secrets encrypted with KMS Keys you have access to.\n\nThis feature is experimental, and not currently meant for production work.\n\n## Null Backend (Experimental)\n\nIf it's preferred to not use any backend at all, use `chamber -b null`. 
Doing so\nwill forward existing ENV variables as if Chamber is not in between.\n\nThis feature is experimental, and not currently meant for production work.\n\n## Analytics\n\n`chamber` includes some usage analytics code which Segment uses internally for\ntracking usage of internal tools. This analytics code is turned off by default,\nand can only be enabled via a linker flag at build time, which we do not set for\npublic GitHub releases.\n\n## Releasing\n\nTo cut a new release, just push a tag named `v\u003csemver\u003e` where `\u003csemver\u003e` is a\nvalid semver version. This tag will be used by GitHub Actions to automatically publish\na GitHub release.\n\n---\n\n\u003cdiv align=\"center\"\u003e\nTHE CHAMBER OF SECRETS HAS BEEN OPENED\n\u003c/div\u003e\n","funding_links":[],"categories":["Go","Datastores","Secrets management","Infrastructure","others"],"sub_categories":["Online resources","Regex","Amazon Web Services"],"project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fsegmentio%2Fchamber","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fsegmentio%2Fchamber","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fsegmentio%2Fchamber/lists"}