{"id":19269092,"url":"https://github.com/studiowebux/yat-vault","last_synced_at":"2026-05-04T01:31:59.806Z","repository":{"id":157823581,"uuid":"623957670","full_name":"studiowebux/yat-vault","owner":"studiowebux","description":"Secrets Manager","archived":false,"fork":false,"pushed_at":"2023-07-12T22:56:07.000Z","size":141,"stargazers_count":2,"open_issues_count":1,"forks_count":0,"subscribers_count":1,"default_branch":"main","last_synced_at":"2025-02-03T04:29:40.675Z","etag":null,"topics":["aws","aws-ssm","cli","dotenv","nodejs","rsa","vault","yaml"],"latest_commit_sha":null,"homepage":"","language":"TypeScript","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":null,"status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/studiowebux.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":null,"code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null}},"created_at":"2023-04-05T12:54:26.000Z","updated_at":"2024-10-10T02:36:16.000Z","dependencies_parsed_at":null,"dependency_job_id":"19bd87ee-cded-4dd5-a8a3-25295ea37b78","html_url":"https://github.com/studiowebux/yat-vault","commit_stats":null,"previous_names":["yet-another-tool/yat-vault"],"tags_count":0,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/studiowebux%2Fyat-vault","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/studiowebux%2Fyat-vault/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/studiowebux%2Fyat-vault/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/studiowebux%2Fyat-vault/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/studiowebux","download_url":"https://codeload.github.com/studiowebux/yat-vault/tar.gz/refs/heads/main","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":240371761,"owners_count":19790888,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["aws","aws-ssm","cli","dotenv","nodejs","rsa","vault","yaml"],"created_at":"2024-11-09T20:18:28.000Z","updated_at":"2026-05-04T01:31:54.787Z","avatar_url":"https://github.com/studiowebux.png","language":"TypeScript","funding_links":["https://www.buymeacoffee.com/studiowebux"],"categories":[],"sub_categories":[],"readme":"\u003cdiv align=\"center\"\u003e\n\n\u003cimg src=\"./docs/vault.png\" alt=\"Project Logo\" width=\"256\"\u003e\n\n\u003ch2\u003eYet Another Tool - Vault\u003c/h2\u003e\n\n\u003cp\u003eA CLI tool to manage application secrets, built with AWS SSM Support.\u003c/p\u003e\n\u003cp\u003eYou can commit you configurations and encrypt your secrets, share the private key through AWS SSM Secure String and more !\u003c/p\u003e\n\n\u003cp align=\"center\"\u003e\n  \u003ca href=\"https://github.com/yet-another-tool/yat-vault/issues\"\u003eReport Bug\u003c/a\u003e\n  ·\n  \u003ca href=\"https://github.com/yet-another-tool/yat-vault/issues\"\u003eRequest Feature\u003c/a\u003e\n\u003c/p\u003e\n\u003c/div\u003e\n\n---\n\n\u003cdetails open=\"open\"\u003e\n  \u003csummary\u003eTable of Contents\u003c/summary\u003e\n  \u003col\u003e\n    \u003cli\u003e\n      \u003ca href=\"#about\"\u003eAbout\u003c/a\u003e\n    \u003c/li\u003e\n    \u003cli\u003e\u003ca href=\"#installation\"\u003eInstallation\u003c/a\u003e\u003c/li\u003e\n    \u003cli\u003e\n      \u003ca href=\"#usage\"\u003eUsage\u003c/a\u003e\n    \u003c/li\u003e\n    \u003cli\u003e\u003ca href=\"#environment-variables\"\u003eEnvironment Variables\u003c/a\u003e\u003c/li\u003e\n    \u003cli\u003e\u003ca href=\"#changelog\"\u003eChangelog\u003c/a\u003e\u003c/li\u003e\n    \u003cli\u003e\u003ca href=\"#contributing\"\u003eContributing\u003c/a\u003e\u003c/li\u003e\n    \u003cli\u003e\u003ca href=\"#license\"\u003eLicense\u003c/a\u003e\u003c/li\u003e\n    \u003cli\u003e\u003ca href=\"#contact\"\u003eContact\u003c/a\u003e\u003c/li\u003e\n  \u003c/ol\u003e\n\u003c/details\u003e\n---\n\n## About\n\n- Generate Key Pair ('RSA')\n- Create Empty secret file using a template\n- Encrypt only your secure parameters\n- Store all your configurations and commit them encrypted\n- Use terminal editor and encrypt the changes automatically\n- Use external editor and encrypt the changes manually\n- Print the decrypted values on your screen\n- Upload your key pair on AWS SSM _(Only AWS SSM is supported for the moment, create a PR for more integrations)_\n- Sync your local configurations to AWS SSM\n- Generate a .env file using your secrets\n- Compatible with your CI, using the environment variables\n- Made with NodeJS 18 and Typescript, built to be extended and improved\n- Support override configurations and default values, it gives flexibility for local and cloud development setup. Provide simple way to standardize and use the same configuration across all machines and environments.\n\n## Installation\n\n```bash\nnpm install -g @yetanothertool/yat-vault\n```\n\n---\n\n## Usage\n\n### Create new Key Pair\n\n```bash\nyat-vault --key-gen --key-name test\n```\n\n\u003e It creates a key pair named:\n\u003e _Private Key:_ `test.key` and _Public Key:_ `test.pub`\n\n#### There is multiple ways to load the keys\n\n**Environment Variables**\n\n```bash\nexport PRIVATE_KEY=$(cat test.key | base64)\nexport PUBLIC_KEY=$(cat test.pub | base64)\n```\n\n_or (Not Recommended)_\n\n```bash\nexport PRIVATE_KEY=$(cat test.key)\nexport PUBLIC_KEY=$(cat test.pub)\n```\n\n**secret file**\n\nUpdate the following keys to use your **local** key pair:\n\n- `_configurations.publicKeyPath`\n- `_configurations.privateKeyPath`\n\nUpdate the following keys to use your **AWS** key pair:\n\n- `_configurations.aws.publicKeyPath`\n  - _This path must be a SSM path_\n- `_configurations.aws.privateKeyPath`\n  - _This path must be a SSM path_\n- `_configurations.aws.awsRegion`\n  - _This region must be the one containing the parameters_\n\n---\n\n### Create new Secret File\n\n```bash\nmkdir vault/\nyat-vault --create --filename ./vault/test\n\n# or to create it in the current directory\nyat-vault --create --filename test\n```\n\n\u003e It generates an empty secret file named `test.yml`\n\n#### The secret file structure\n\n\u003e See the example directory.\n\nThe file is split in two main sections:\n\n- **\\_values**\n- **\\_configurations**\n\nThe **\\_values** section defined your values to save in the vault.  \nThis is an array containing the parameter using this format:\n\n```yaml\n_values:\n  - name: /the/ssm/path/with/the/name/of/your/parameter\n    value: The Value to store or encrypt\n    description: an optional description\n    type: String|SecureString|StringList\n    overwrite: false\n    envName: The environment key to generate the .env file\n```\n\nYou can use a concept of **variables** to dynamically set the **name** of your parameter.  \nTo do so you must define the key/value in the `_configurations.variables` array.\n\n```yaml\n_values:\n  - name: /{tenant}/{project_name}/{stage}/password\n    value: my super password that will be encrypted\n    description: password is safe here\n    type: SecureString\n    overwrite: false\n    envName: The environment key to generate the .env file\n\n_configurations:\n  variables:\n    tenant: wl\n    project_name: yat-vault\n    stage: env:STAGE\n```\n\nThe **variables** array contains the value for each key. They will be automatically replaced when syncing.  \nYou can also use the **environment variables**.  \nYou simply prepend: `env:` followed by the environment name.\n\n**AWS**:\n\nThis object has the `regions` array, it let you deploy quickly using the multi region approach.\nthe variable `{region}` automatically resolves to the current region, this way you can specify the region in the parameter name if needed.\n\n**Variables within values and overrides**:\n\nThis feature must respect a format: `${my_variable:-defaultValue}` or `${my_variable}`. **_Very similar to bash_**\n\nWhere `my_variable` is the name used in your overrides file (See the [Example](example/local.config.json))\nand `defaultValue` is the value to use in case that the override file isn't present or the variable isn't overidden.\n\nThe `:-` it means that the left part is the variable name and the right part the default value. This flag is optional. If not define, there is no default value, thus the variable will stay as-is\n\n_Character allowed:_\n\n- `a-z` and `A-Z`\n- `0-9`\n- `underscores ( _ )`\n- I didn't test other characters. I know that _dashes ( - ) WON'T WORK_.\n\nThe goal of this feature is to let developers configure their local environment quickly and easily and still use the same configuration that the cloud (or deployed) infrastructure has. This way the setup is self documented and the configuration follows everywhere.\n\n---\n\n### Edit Secret File\n\n```bash\nyat-vault --edit --filename test.yml\n```\n\nIt opens `vi` to let you update your configuration, once you save the file, it automatically encrypt the new values.\n\n\u003e As of V0.0.0, it doesn't refresh/encrypt everything if you change the key pair.\n\u003e DON'T change the key pair. You will get a weird behaviour.\n\n---\n\n### Print Secret File Values\n\n\u003e **Be careful, this command expose all your secrets on your terminal !**\n\n```bash\nyat-vault --print --filename test.yml --overrides config.local.json\n```\n\nIt decrypts and prints all values on your screen.  \nThe `--overrides filename.json` let you use the variables see above for more details\n\n---\n\n### Encrypt Secret File\n\nYou don't have `vi`; You don't like `vi`; No problem.  \nThis command encrypt your file.\n\n```bash\nyat-vault --encrypt --filename test.yml\n```\n\n---\n\n### Upload your Key pair\n\nThis command saves your key pair in AWS, using the configuration defined in the secret file.\nYou must specify an AWS region (Currently, only AWS is supported)\n\n```bash\nyat-vault --upload --filename test.yml --region ca-central-1 --provider aws\n```\n\nThis way your CI, developers and etc can use the secrets without sharing the password.\n\n\u003e If you setup a passphrase, you will have to share it for now.\n\n---\n\n### Sync Your local secrets to your provider\n\nTo sync your local values to the cloud\n\n```bash\nyat-vault --sync --filename test.yml\n```\n\nThe `overwrite` option determines if you can overwrite the values in SSM.  \nThis command is verbose to let you know what is going on.\n\n---\n\n### Generate .env file\n\n```bash\nyat-vault --dotenv --filename test.yml --env .env.test --overrides config.local.json\n```\n\nThe `envName` in the secret file, determines the **Key** of your parameter.  \nThe `--overrides filename.json` let you use the variables see above for more details\n\n### Values and Variables - Overrides and Defaults\n\nThe simplest way to explain that feature is to look this example:\n\n- [config.local.json](example/local.config.json)\n- [vault.urls.yml](example/vault.urls.yml)\n\nThen these commands:\n\n```bash\nyat-vault --print --filename example/vault.urls.yml --overrides example/local.config.json\nyat-vault --print --filename example/vault.urls.yml\nyat-vault --dotenv --filename example/vault.urls.yml --overrides example/local.config.json --env example/.env.local\ncat example/.env.local\nyat-vault --dotenv --filename example/vault.urls.yml --env example/.env.local\ncat example/.env.local\n```\n\nIt allows you to specify varibales with optional default values. Then you can define a JSON to set the values.\nFor more details [Create new Secret File](#create-new-secret-file)\n\n---\n\n## Environment Variables\n\n| Name           | Description                                                         |\n| -------------- | ------------------------------------------------------------------- |\n| EDITOR         | Change the default editor ('vi')                                    |\n| DEBUG          | Print Error Stack Trace                                             |\n| PASSPHRASE     | Non interactive passphrase (CI)                                     |\n| PRIVATE_KEY    | Non interactive Private Key (CI)                                    |\n| PUBLIC_KEY     | Non interactive Public Key (CI)                                     |\n| FILENAME       | Equivalent to --file-name                                           |\n| KEYNAME        | Equivalent to --key-name                                            |\n| PROVIDER       | Equivalent to --provider                                            |\n| REGION         | Equivalent to --region                                              |\n| ENV_FILENAME   | Equivalent to --env                                                 |\n| WITHOUT_QUOTES | Remove double quotes around values for .env files                   |\n| NO_TTY         | Skip Asking passphrase on terminal (only value `true` is supported) |\n\n---\n\n## Changelog\n\nThe [TODO](./TODO)\n\n### V1.2.3 - Beta - 2023-07-12\n\n- Added concept of local variables (`--dotenv`) (to define environment variables only), this way it setup the local machine and skip the sync process while syncing with SSM (the `--sync` command).\n\n\u003cdetails\u003e\n  \u003csummary\u003eV1.2.2 - Alpha - 2023-05-10\u003c/summary\u003e\n\n- Tested default behaviour for overrides and defaults values\n- Add special characters in the regex\n\u003c/details\u003e\n\n\u003cdetails\u003e\n  \u003csummary\u003e### V1.2.1 - Alpha - 2023-05-03\u003c/summary\u003e\n\n- Improved CLI Output (Colors, status, messages, error handling)\n- Improve AWS Interactions and error handling when syncing values to AWS\n- Fixed issue when trying to update keys already stored in SSM.\n\u003c/details\u003e\n\n\u003cdetails\u003e\n  \u003csummary\u003e### V1.1.0 - Alpha - 2023-04-26\u003c/summary\u003e\n\n- Added new feature\n- you can specify variables within the values and load a JSON file to replace those values, plus you can specify default values\n- Documentation for the new feature\n\n\u003c/details\u003e\n\n\u003cdetails\u003e\n  \u003csummary\u003e### V1.0.5 \u0026 V1.0.6 - Alpha - 2023-04-26\u003c/summary\u003e\n\n- Improved passphrase handling\n- Bug fixed regarding the passphrase\n\u003c/details\u003e\n\n\u003cdetails\u003e\n  \u003csummary\u003e### V1.0.4 - Alpha - 2023-04-08\u003c/summary\u003e\n\n- AWS Configuration is optional\n- Bug fixes\n\u003c/details\u003e\n\u003cdetails\u003e\n  \u003csummary\u003e### V1.0.3 - Alpha - 2023-04-08\u003c/summary\u003e\n\n- Added new feature, generate .env file\n- Changed default values for aws ssm\n- Updated Documentation\n- Added print help\n- Fixes and Improvements\n\u003c/details\u003e\n\u003cdetails\u003e\n  \u003csummary\u003e### V1.0.2 - Alpha - 2023-04-07\u003c/summary\u003e\n\n- Reviewed Documentation\n\u003c/details\u003e\n\u003cdetails\u003e\n  \u003csummary\u003e### V1.0.1 - Alpha - 2023-04-07\u003c/summary\u003e\n\n- First requirements implemented\n- Deployed to npmjs\n\u003c/details\u003e\n\n---\n\n## Contributing\n\n1. Create a Feature Branch\n2. Commit your changes\n3. Push your changes\n4. Create a PR\n\n\u003cdetails\u003e\n\u003csummary\u003eWorking with your local branch\u003c/summary\u003e\n\n**Branch Checkout:**\n\n```bash\ngit checkout -b \u003cfeature|fix|release|chore|hotfix\u003e/prefix-name\n```\n\n\u003e Your branch name must starts with [feature|fix|release|chore|hotfix] and use a / before the name;\n\u003e Use hyphens as separator;\n\u003e The prefix correspond to your Kanban tool id (e.g. abc-123)\n\n**Keep your branch synced:**\n\n```bash\ngit fetch origin\ngit rebase origin/master\n```\n\n**Commit your changes:**\n\n```bash\ngit add .\ngit commit -m \"\u003cfeat|ci|test|docs|build|chore|style|refactor|perf|BREAKING CHANGE\u003e: commit message\"\n```\n\n\u003e Follow this convention commitlint for your commit message structure\n\n**Push your changes:**\n\n```bash\ngit push origin \u003cfeature|fix|release|chore|hotfix\u003e/prefix-name\n```\n\n**Examples:**\n\n```bash\ngit checkout -b release/v1.15.5\ngit checkout -b feature/abc-123-something-awesome\ngit checkout -b hotfix/abc-432-something-bad-to-fix\n```\n\n```bash\ngit commit -m \"docs: added awesome documentation\"\ngit commit -m \"feat: added new feature\"\ngit commit -m \"test: added tests\"\n```\n\n\u003c/details\u003e\n\n### Local Development\n\n```bash\nnpm install\nnpm run build\n```\n\n## License\n\nDistributed under the MIT License. See LICENSE for more information.\n\n## Contact\n\n- Tommy Gingras @ tommy@studiowebux.com | Studio Webux\n\n\u003cdiv\u003e\n\u003cb\u003e | \u003c/b\u003e\n\u003ca href=\"https://www.buymeacoffee.com/studiowebux\" target=\"_blank\"\n      \u003e\u003cimg\n        src=\"https://cdn.buymeacoffee.com/buttons/v2/default-yellow.png\"\n        alt=\"Buy Me A Coffee\"\n        style=\"height: 30px !important; width: 105px !important\"\n/\u003e\u003c/a\u003e\n\u003cb\u003e | \u003c/b\u003e\n\u003ca href=\"https://webuxlab.com\" target=\"_blank\"\n      \u003e\u003cimg\n        src=\"https://webuxlab-static.s3.ca-central-1.amazonaws.com/logoAmpoule.svg\"\n        alt=\"Webux Logo\"\n        style=\"height: 30px !important\"\n/\u003e Webux Lab\u003c/a\u003e\n\u003cb\u003e | \u003c/b\u003e\n\u003c/div\u003e\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fstudiowebux%2Fyat-vault","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fstudiowebux%2Fyat-vault","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fstudiowebux%2Fyat-vault/lists"}