{"id":41525296,"url":"https://github.com/xiaket/psyml","last_synced_at":"2026-01-23T21:40:14.292Z","repository":{"id":57455375,"uuid":"222206707","full_name":"xiaket/psyml","owner":"xiaket","description":"Less-painful secret management solution based on AWS Parameter Store","archived":false,"fork":false,"pushed_at":"2020-04-05T06:36:30.000Z","size":58,"stargazers_count":0,"open_issues_count":0,"forks_count":1,"subscribers_count":3,"default_branch":"master","last_synced_at":"2025-09-23T03:36:07.154Z","etag":null,"topics":["aws","parameter-store","python","secret-management"],"latest_commit_sha":null,"homepage":null,"language":"Python","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"mit","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/xiaket.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null}},"created_at":"2019-11-17T06:25:13.000Z","updated_at":"2020-04-05T06:36:32.000Z","dependencies_parsed_at":"2022-09-10T00:41:07.626Z","dependency_job_id":null,"html_url":"https://github.com/xiaket/psyml","commit_stats":null,"previous_names":[],"tags_count":0,"template":false,"template_full_name":null,"purl":"pkg:github/xiaket/psyml","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/xiaket%2Fpsyml","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/xiaket%2Fpsyml/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/xiaket%2Fpsyml/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/xiaket%2Fpsyml/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/xiaket","download_url":"https://codeload.github.com/xiaket/psyml/tar.gz/refs/heads/master","sbom_url":"https://repos.ecosyste.ms/api/
v1/hosts/GitHub/repositories/xiaket%2Fpsyml/sbom","scorecard":null,"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":286080680,"owners_count":28700534,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2026-01-23T17:25:48.045Z","status":"ssl_error","status_checked_at":"2026-01-23T17:25:47.153Z","response_time":59,"last_error":"SSL_read: unexpected eof while reading","robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":false,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["aws","parameter-store","python","secret-management"],"created_at":"2026-01-23T21:40:11.162Z","updated_at":"2026-01-23T21:40:14.287Z","avatar_url":"https://github.com/xiaket.png","language":"Python","readme":"# psyml\n\n![build](https://github.com/xiaket/psyml/workflows/build/badge.svg)\n![PyPI version](https://badge.fury.io/py/psyml.svg)\n![Coverage](https://coveralls.io/repos/github/xiaket/psyml/badge.svg)\n![license](https://img.shields.io/pypi/l/psyml)\n\n## The lifecycle of a yml file.\n\nThe user will prepare a yml file that looks like this:\n\n```yaml\npath: /apps/superman/\nregion: us-east-1\nkmskey: alias/superman\n\ntags:\n  cost_center: team17\n  project: superman\n\nparameters:\n  - name: api_version\n    description: The version of the API endpoint, not a secret.\n    type: String\n    value: 2\n\n  - name: api_token\n    description: The token used to communicate with the API endpoint, typically a secret\n    type: SecureString\n    value: 5a5468-786448467a59-326436\n```\n\nNote here all secrets are in plain text. 
In order to save this into our codebase, we save the file as `superman.nonprod.yml`, log in to our AWS account from the command line, then run:\n\n`psyml encrypt superman.nonprod.yml`\n\nThis will generate a file that looks like this:\n\n```yaml\npath: /apps/superman/\nregion: us-west-1\nkmskey: alias/superman\nencrypted_with: arn:aws:kms:us-west-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab\n\ntags:\n  cost_center: team17\n  project: superman\n  owner: platform\n\nparameters:\n  - name: api_version\n    description: The version of the API endpoint, not a secret.\n    type: string\n    value: 2\n  - name: api_token\n    description: The token used to communicate with the API endpoint, typically a secret\n    type: securestring\n    value: AQECAHiuImqexTQGWMAtOjKMcH5UIxXuSZ5WSGx3WKO+VsUI3AAAAKIwgZ8GCsqGSIb3DQEHBqCBkTCBjgIBADCBiAyJKoZIhvcNAQcBMB4GCWCGSAFLAwQBLjARBAwT3cwVGtUYHz02irsCARCAW8a4Tp7pL+inl7Je7x1xEr84Q4lN11t3dNFVycpMZALe185DYow4i1GlaJnJnB7g6V1ZaiB+b+Diap/5AuM/K3bjLmcTq0molBnn2TG3r0uj70lP0FSqP+XwQ+8=\n```\n\nNote that we have added an extra field named `encrypted_with`, which is the current id of the KMS key (`alias/psyml`) used to encrypt our secrets. Moreover, the type of the parameter is changed into lowercase characters.\n\nThe maintenance of this yml file should not be too difficult. If we need to add configurations, just add them to the yml file and that's it. If we need to add secrets, add the map into parameters, make sure that the value is in plaintext and the type is `SecureString`. After that, run `psyml encrypt filename.yml` again; this time, psyml will ignore all encrypted parameters and just encrypt the new ones using the keyid in `encrypted_with`. 
To remove entries, please first remove the relevant entry in parameter store before removing the map in the yml file, not because we have any dependencies, but because it is really easy to forget the cleanup process.\n\n## Keys used in the process\n\nWe devote a separate section to the use of KMS in this tool, because it indeed could be a bit confusing.\n\nTo be clear, we use two sets of keys: one (`alias/psyml`) is only used for local encryption so that our secrets can be securely saved into our codebase. The other KMS key is specified by the user in the `kmskey` field in the yml file, and it is used for actual parameter store encryption. So when we run `psyml encrypt`, we will encrypt the value using `alias/psyml`. When we run `psyml decrypt`, we will still be using `alias/psyml` to decrypt the values. In `psyml save` however, we will first use `alias/psyml` to decrypt the value in memory, then use `kmskey` to do the parameter store upload.\n\nThe key `alias/psyml` is created in each account and we use this key to encrypt all the secrets in the yaml files. This key will not be used for parameter encryption in ssm. We are not going to create one CMK per region because it is not necessary. The default region for this key is Sydney (`ap-southeast-2`) because we are in Australia, and you can change this behaviour by setting the environment variable `PSYML_KEY_REGION` to something like `us-east-2`. If you don't like our alias, you can set that to something else too, using the environment variable `PSYML_KEY_ALIAS`.\n\nIn this tool, when we first run `encrypt` and we don't have that `alias/psyml` key in place, the tool will try to create it for you. 
Please note that this may fail due to permission issues, and if that's the case, please provision the key and the alias using a more powerful role.\n\n## A short bio of all available actions.\n\nThe command-line syntax looks like:\n\n`psyml [action] filename.yml`, where action could be one of:\n\n* `encrypt`: encrypt a yml file with the default KMS key (`alias/psyml`).\n* `save`: save parameters into parameter store using the specified KMS key.\n* `nuke`: remove all the parameter store entries specified in the yml file.\n* `decrypt`: decrypt a yml file and write output to stdout.\n* `refresh`: encrypt a yml file using the current `alias/psyml`.\n* `export`: export all variables bash-like so they can be sourced.\n\n* `diff`: compare parameters in parameter store with local version.\n* `sync`: update parameters in parameter store so it's in sync with yml.\n\n## Known limitations\n\n* Some of the commands (`diff`/`sync`) are not implemented yet.\n* Parameter store type `StringList` is not supported yet.\n* We are using the KMS service, so please check [the KMS pricing page](https://aws.amazon.com/kms/pricing/) before continuing.\n","funding_links":[],"categories":[],"sub_categories":[],"project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fxiaket%2Fpsyml","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fxiaket%2Fpsyml","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fxiaket%2Fpsyml/lists"}