https://github.com/joelvoss/skm-lit

skm-lit is a library for retrieving secrets stored in Cloud Storage
https://github.com/joelvoss/skm-lit

bucket cloud-sdk cloud-storage-bucket gcp google-cloud google-cloud-platform google-cloud-storage retrieving-secrets-stored secret

Last synced: 2 months ago
JSON representation

skm-lit is a library for retrieving secrets stored in Cloud Storage

• Host: GitHub
• URL: https://github.com/joelvoss/skm-lit
• Owner: joelvoss
• License: mit
• Created: 2019-12-08T14:07:29.000Z (about 5 years ago)
• Default Branch: main
• Last Pushed: 2024-10-11T14:44:41.000Z (3 months ago)
• Last Synced: 2024-11-07T08:51:42.706Z (3 months ago)
• Topics: bucket, cloud-sdk, cloud-storage-bucket, gcp, google-cloud, google-cloud-platform, google-cloud-storage, retrieving-secrets-stored, secret
• Language: TypeScript
• Homepage:
• Size: 3.01 MB
• Stars: 2
• Watchers: 3
• Forks: 0
• Open Issues: 3
• Metadata Files:
  • Readme: README.md
  • License: LICENSE

Awesome Lists containing this project

README

        
# skm-lit

**skm-lit** _(secret key manager)_ is a library for retrieving secrets stored

in a Cloud Storage bucket.

> Watch out: This library is Node.js only!

## Installation

```bash

npm install skm-lit

```

## Usage

Require **skm-lit** as early as possible:

```js

require(`skm-lit`);

```

Next, define an environment variable that references your secret stored in

a Google Storage bucket using **skm-lit's** special URL syntax.

Consult the [reference syntax](#reference-syntax) section for details.

```bash

# inside .env

MY_SECRET:skm-lit://mybucket/my-secret

```

After that you can access your secret through the corresponding environment

variable. In this case `MY_SECRET`.

## Setup a Cloud Storage bucket

This section describes the steps required to create a Cloud Storage bucket

manually and setting up the correct permissions.

> This is not required on order to use **skm-lit**. If you already have a

> Cloud Storage bucket provisioned, you can skip this section.

1. Install the [Google Cloud SDK][cloud-sdk]. If you are running from your local

   machine, you also need to set _Default Application Credentials_:

   ```bash

   gcloud auth application-default login

   ```

   This will open a web browser and prompt for a login to your Google account.

   After a successful login, the gcloud SDK has set your user account

   as the Default Application Credentials for your machine.

   To revoke the credentials, run `gcloud auth application-default revoke`.

2. Export your project ID as an environment variable. The rest of this setup

   guide assumes this environment variable is set:

   ```bash

   export PROJECT_ID=my-gcp-project-id

   ```

   Please note, this is the project _ID_, not the project _name_ or project

   _number_. You can find the project ID by running `gcloud projects list` or

   in the web UI.

3. Enable required services on the project:

   ```bash

   gcloud services enable --project ${PROJECT_ID} \

     storage-api.googleapis.com \

     storage-component.googleapis.com

   ```

4. Create a [Cloud Storage][cloud-storage] bucket for storing secrets:

   ```bash

   export BUCKET_ID=my-secrets

   ```

   Replace `my-secrets` with the name of your bucket. Bucket names must be

   globally unique across all of Google Cloud. You can also create a bucket

   using the Google Cloud Console from the web.

   ```bash

   gsutil mb -c standard -l europe-west3 -p ${PROJECT_ID} \

     gs://${BUCKET_ID}

   ```

   > It is strongly recommended that you create a new bucket instead of using

   > an existing one. **skm-lit** should be the only entity managing IAM

   > permissions on the bucket.

5. Set the default ACL permissions on the bucket to private:

   ```bash

   gsutil defacl set private gs://${BUCKET_ID}

   ```

   ```bash

   gsutil acl set private gs://${BUCKET_ID}

   ```

   The default permissions grant anyone with Owner/Editor access on the project

   access to the bucket and its objects. These commands restrict access to the

   bucket to project owners and access to bucket objects to only their owner.

   Everyone else must be granted explicit access via IAM to an object inside

   the bucket.

## Reference Syntax

This section describes the syntax for referencing a secret entity. These

references will live in environment variables and **skm-lit** will parse

them on library startup.

### Syntax

```text

skm-lit://[BUCKET]/[SECRET]?[OPTIONS]

```

- `BUCKET` - name of the Cloud Storage bucket where the secret is stored

- `SECRET` - name of the secret in the Cloud Storage bucket

- `OPTIONS` - options specified as URL query parameters

### Options

- `destination` - when specified as a URL query parameter, this controls how the

  secret is resolved:

  - `tempfile` - resolve the secret and write the contents to a tempfile,

    replacing the environment variable with the path to the tempfile

  - `[PATH]` - resolve the secret and write the contents to the specified file

    path

### Examples

Read a secret:

```text

skm-lit://my-bucket/my-secret

```

Read a secret into a tempfile:

```text

skm-lit://my-bucket/path/to/my-secret?destination=tempfile

```

Read a secret into `[project-root]/path/to/file` relative to the project root:

```text

skm-lit://my-bucket/path/to/my-secret?destination=path/to/file

```

Read a secret into `/path/to/file` absolute to the filesystem:

```text

skm-lit://my-bucket/path/to/my-secret?destination=/path/to/file

```

---

[cloud-sdk]: https://cloud.google.com/sdk