https://github.com/klarna-incubator/fastlane-plugin-secrets_manager_storage
A Fastlane plugin to enable securely storing your app's signing keys in AWS Secrets Manager
fastlane-ios fastlane-plugin
Last synced: 4 months ago
- Host: GitHub
- URL: https://github.com/klarna-incubator/fastlane-plugin-secrets_manager_storage
- Owner: klarna-incubator
- License: apache-2.0
- Created: 2024-02-12T11:28:04.000Z (over 1 year ago)
- Default Branch: master
- Last Pushed: 2025-01-27T07:51:54.000Z (9 months ago)
- Last Synced: 2025-04-11T19:52:02.740Z (7 months ago)
- Topics: fastlane-ios, fastlane-plugin
- Language: Ruby
- Homepage:
- Size: 41 KB
- Stars: 5
- Watchers: 3
- Forks: 2
- Open Issues: 0
Metadata Files:
- Readme: README.md
- Changelog: CHANGELOG.md
- License: LICENSE
README
# Secrets Manager Storage
This plugin enables Fastlane users to store their provisioning profiles and signing keys securely in
AWS Secrets Manager by adding a `secrets_manager` storage backend to Fastlane match.
[![Build Status][ci-image]][ci-url] [![License][license-image]][license-url]
[![Developed at Klarna][klarna-image]][klarna-url]
[](https://rubygems.org/gems/fastlane-plugin-secrets_manager_storage)
Reasons to use this (compared to the git or s3 backend):
- your signing keys are stored securely (always encrypted) by default
- all access is controlled via AWS IAM and is fine-grained:
  - users can be granted access to review the secret's metadata separate from the ability to read
    the actual, unencrypted values
- no need to manage a `MATCH_PASSWORD` – just use your existing AWS access controls
- all access to the decrypted keys is logged into AWS CloudTrail, providing an audit trail of access
- Secret lifecycle can be tracked independently of Fastlane, enabling you to have alerts on secret
  age by using the secret's version metadata (e.g. Created On). **This is interesting because Apple
  provides no means of being notified about certificate expiration**.
- certificates and mobileprovision Secrets will be tagged with `ExpiresOn` and other metadata
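The `ExpiresOn` tag makes expiry alerting possible without decrypting anything. The following is an added example, not code from this plugin or its authors, that classifies secrets by that tag. The secret names, the hash shape (modelled on a Secrets Manager ListSecrets entry) and the ISO 8601 date format of the tag value are assumptions.

```ruby
require "date"

# Constructed sample data shaped like ListSecrets entries (name + tags).
# Names and the "YYYY-MM-DD" ExpiresOn format are assumptions for this example.
SAMPLE_SECRETS = [
  { name: "example/certs/NEW.cer",
    tags: [{ key: "ExpiresOn", value: "2025-12-01" }] },
  { name: "example/profiles/app.mobileprovision",
    tags: [{ key: "ExpiresOn", value: "2025-02-10" }] },
  { name: "example/certs/OLD.cer",
    tags: [{ key: "ExpiresOn", value: "2025-01-15" }] },
  { name: "example/certs/UNTAGGED.p12", tags: [] },
  { name: "example/certs/BAD.cer",
    tags: [{ key: "ExpiresOn", value: "soon" }] }
].freeze

# Severity order used for sorting: most urgent first.
STATUS_ORDER = { expired: 0, expiring: 1, unparseable: 2, untagged: 3, ok: 4 }.freeze

# Only tag metadata is inspected, so the caller needs list/describe
# permissions but never access to the decrypted secret value.
def classify(secret, today, warn_days)
  tag = (secret[:tags] || []).find { |t| t[:key] == "ExpiresOn" }
  return { name: secret[:name], status: :untagged, days_left: nil } if tag.nil?

  days = (Date.iso8601(tag[:value]) - today).to_i
  status = if days.negative? then :expired
           elsif days <= warn_days then :expiring
           else :ok
           end
  { name: secret[:name], status: status, days_left: days }
rescue ArgumentError # raised by Date.iso8601 on a malformed tag value
  { name: secret[:name], status: :unparseable, days_left: nil }
end

# Returns one { name:, status:, days_left: } hash per secret, sorted by urgency.
# Untagged and unparseable secrets are reported rather than silently skipped.
def expiry_report(secrets, today:, warn_days: 30)
  secrets.map { |s| classify(s, today, warn_days) }
         .sort_by { |r| [STATUS_ORDER[r[:status]], r[:days_left] || 0] }
end

expiry_report(SAMPLE_SECRETS, today: Date.new(2025, 2, 1)).each do |r|
  puts format("%-12s %5s  %s", r[:status], r[:days_left] || "-", r[:name])
end
```
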
> :information_source: Fastlane plugins are only automatically loaded when using a Fastfile. This
> means that using a Matchfile or `fastlane match` commands will not work with this storage backing.
> We're happy to take contributions but we've always ended up writing Fastlane actions in our
> projects anyway (not using the `match` commands or `Matchfile`)
## Getting Started
This project is a [_fastlane_](https://github.com/fastlane/fastlane) plugin. To get started with
`fastlane-plugin-secrets_manager_storage`, add it to your project by running:
```bash
fastlane add_plugin secrets_manager_storage
```
You will then need to modify your Fastfile so that the actions which call `match`/`sync_code_signing`
use the `secrets_manager` storage backend. See [fastlane/Fastfile](fastlane/Fastfile) in this
repository for example usage.
You will need to ensure that you have properly configured the environment to be able to access
Secrets Manager. If you use IAM Users then you may want to set `AWS_ACCESS_KEY_ID` and
`AWS_SECRET_ACCESS_KEY` appropriately. AWS documentation
[explains how credentials are loaded](https://docs.aws.amazon.com/sdk-for-ruby/v3/developer-guide/setup-config.html).
## Formatting
This project is formatted using Prettier. To format the code, run:
```
rake prettier
```
## Development setup
```sh
bundle install
yarn install
```
## How to contribute
See our guide on [contributing](.github/CONTRIBUTING.md).
## Release History
See our [changelog](CHANGELOG.md).
## About _fastlane_
_fastlane_ is the easiest way to automate beta deployments and releases for your iOS and Android
apps. To learn more, check out [fastlane.tools](https://fastlane.tools).
## License
Copyright © 2024 Klarna Bank AB
For license details, see the [LICENSE](LICENSE) file in the root of this project.
[ci-image]: https://img.shields.io/badge/build-passing-brightgreen?style=flat-square
[ci-url]: https://github.com/klarna-incubator/TODO
[license-image]: https://img.shields.io/badge/license-Apache%202-blue?style=flat-square
[license-url]: http://www.apache.org/licenses/LICENSE-2.0
[klarna-image]:
https://img.shields.io/badge/%20-Developed%20at%20Klarna-black?style=flat-square&labelColor=ffb3c7&logo=klarna&logoColor=black
[klarna-url]: https://klarna.github.io