
https://github.com/stechstudio/chalice_helpers

Some utilities for AWS Chalice

# Chalice Helper
Some helper functions and utilities for Chalice applications. The encryption and decryption functions rely on
[AWS Key Management Service (KMS)](https://aws.amazon.com/kms/), a managed service that makes it easy for you
to create and control the encryption keys used to encrypt your data, and that uses Hardware Security Modules (HSMs) to
protect the security of your keys.

## Install
```bash
$ pip install chalice_helpers
```

## Configuration
### Key Management Service
Check out [Getting Started with KMS](https://aws.amazon.com/kms/getting-started/) and ensure that you have a key set up
that can be used both in your development environment and by your Lambda role.

If you're not very familiar with KMS, you may want to take a look at the following docs:

* [KMS Concepts](http://docs.aws.amazon.com/kms/latest/developerguide/concepts.html)
* [KMS Crypto Introduction](http://docs.aws.amazon.com/kms/latest/developerguide/crypto-intro.html)
* [KMS Crypto Authentication](http://docs.aws.amazon.com/kms/latest/developerguide/crypto_authen.html)
* [KMS Encrypt Context](http://docs.aws.amazon.com/kms/latest/developerguide/encrypt-context.html)
* [KMS Crypto Terminology](http://docs.aws.amazon.com/kms/latest/developerguide/crypto-terminology.html)
* [KMS Grants](http://docs.aws.amazon.com/kms/latest/developerguide/grants.html)

### Chalice
Set up your `.chalice/config.json` with the appropriate environment variables, for example:
```json
{
  "environment_variables": {
    "DB_HOST_WRITER": "api-cluster.cluster-xxxxxxxxxxx.us-east-1.rds.amazonaws.com",
    "DB_HOST_READER": "api-cluster.cluster-ro-xxxxxxxxxxx.us-east-1.rds.amazonaws.com",
    "SLACK_BOT_TOKEN": "AQICAHhH+BfUkiHo+TajPXITjEDsdso9QUbqN1vmkVbaph2bVwFLgTNUBzmKsh28Aul4o+p4AAAAqjCBpwYJKoZIhvcNAQcGoIGZMIGWAgEAMIGQBgkqhkiG9w0BBwEwHgYJYIZIAWUDBAEuMBEEDKjr3O4nSFKLfTJnHwIBEIBj6E4uUq5KBkb/nb7lSay0ETsRoZ/3a7yuw4uvcQYRWKx6J4LTUfrjAk98hM3HH7c2GKHB1qEozF7NA6Q4hL7KG2k3dVXGgxWefjTdIrlpt5c42SY1AAfaATUMBqARDiPzE1hr",
    "DB_DATABASE": "api-database",
    "DB_USERNAME": "api-username",
    "DB_PASSWORD_SECRET": "AQICAhHH+BfUkiKo+TajPXITjEDsdso9QUbqN1vnkVbaph2bVwFvyzHW+wn/TaQqtusTvV5WAAAAbDBqBgkqhkiG0w0BBwagXTBbAgEAMFYGCSqGSIb3DQEHATAeBglghkgBZQMEAS4wEQQMYvoDJJkytmCMiy4QAgEQgCmbY3xKGkop2EIymI8tFzYSvcDknQEy3DOkX7RXFFBbaFbDJcfxkMbeXw=="
  }
}
```

## Usage
### Command Line Tools
Encrypt a plaintext string, typically so that the result can be stored in a Chalice environment variable.
```bash
$ kms-encrypt alias/some-kms-key 'A plaintext string'
AQICAHib94n55VYAGsQDxXZKuQdy85AW0GGbuyMmdm15thBVJwEj1ZLHx8LaUi3w0ETzRCTrAAAAcDBuBgkqhkiG9w0BBwagYTBfAgEAMFoGCSqGSIb3DQEHATAeBglghkgBZQMEAS4wEQQMgQ3Jqbiab/UmCgABAgEQgC07be/jfDcxvfgknNfhu+3RaIFcG6Iq3j3BzrXc3Q5vd7PbqbUwhOwEOFh3psM=
```
> Note: You can use either the key itself `89d2b487-a3b0-b3c4-8566-8bd2x33bfe6a` or an alias `alias/my-key-alias`.

Decrypt that string, to see if it is what you expected.
```bash
$ kms-decrypt AQICAHib94n55VYAGsQDxXZKuQdy85AW0GGbuyMmdm15thBVJwEj1ZLHx8LaUi3w0ETzRCTrAAAAcDBuBgkqhkiG9w0BBwagYTBfAgEAMFoGCSqGSIb3DQEHATAeBglghkgBZQMEAS4wEQQMgQ3Jqbiab/UmCgABAgEQgC07be/jfDcxvfgknNfhu+3RaIFcG6Iq3j3BzrXc3Q5vd7PbqbUwhOwEOFh3psM=
A plaintext string
```

### Code
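```python
#!/usr/bin/env python

from chalice_helpers import env, env_secret

# Excerpt: these are methods lifted from an application class (note `self`).
# `__get_conn` is assumed to be that class's own connection helper; it is not
# part of chalice_helpers.

def __db_writer(self):
    # env() decrypts DB_PASSWORD_SECRET because the name ends with _SECRET.
    return self.__get_conn(host=env('DB_HOST_WRITER', 'localhost'),
                           user=env('DB_USERNAME', 'root'),
                           passwd=env('DB_PASSWORD_SECRET', '*****'),
                           db=env('DB_DATABASE', 'dev'))

def __db_reader(self):
    # env_secret() requests decryption explicitly instead of relying on the suffix.
    return self.__get_conn(host=env('DB_HOST_READER', 'localhost'),
                           user=env('DB_USERNAME', 'root'),
                           passwd=env_secret('DB_PASSWORD_SECRET', '*****'),
                           db=env('DB_DATABASE', 'dev'))
```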

By convention, any environment variable whose name ends with **_SECRET** will have its value decrypted before it is returned.
However, if you prefer not to follow that convention, you can call `chalice_helpers.env_secret('DB_PASSWORD', '*****')`.

You will also find the `chalice_helpers.encrypt(key_id, plaintext)` and `chalice_helpers.decrypt(encoded)` functions
available if you need to use them in your function.
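
A lint pass over the `environment_variables` block that checks the `_SECRET` convention described above, as an added example (not part of chalice_helpers or its README). The `looks_encrypted` heuristic, the keyword list, the 64-byte threshold and the sample config are assumptions constructed for illustration.

```python
import base64
import binascii

# Assumed keyword list for names that usually hold credentials.
SENSITIVE_WORDS = ("PASSWORD", "TOKEN", "SECRET", "APIKEY", "PRIVATE")
# Assumption: a KMS ciphertext, even of a short string, decodes to more than this.
MIN_BLOB_BYTES = 64


def looks_encrypted(value):
    """Heuristic: strict base64 that decodes to a reasonably long binary blob."""
    try:
        raw = base64.b64decode(value, validate=True)
    except (binascii.Error, ValueError, TypeError):
        return False
    return len(raw) >= MIN_BLOB_BYTES


def lint_environment(config):
    """Return sorted (variable, finding) pairs for a parsed .chalice/config.json."""
    findings = []
    for name, value in config.get("environment_variables", {}).items():
        encrypted = looks_encrypted(value)
        if name.endswith("_SECRET"):
            if not encrypted:
                findings.append((name, "plaintext under a _SECRET name; env() will try to decrypt it"))
        elif encrypted:
            # env() only decrypts *_SECRET names, so this value comes back as ciphertext.
            findings.append((name, "ciphertext without _SECRET suffix; read it with env_secret()"))
        elif any(word in name.upper() for word in SENSITIVE_WORDS):
            findings.append((name, "sensitive-looking name holds plaintext; encrypt it with kms-encrypt"))
    return sorted(findings)


# Constructed sample: the blob is filler bytes, not real KMS output.
FAKE_BLOB = base64.b64encode(bytes(range(96))).decode()
SAMPLE_CONFIG = {
    "environment_variables": {
        "DB_HOST_WRITER": "db.example.internal",
        "DB_PASSWORD_SECRET": FAKE_BLOB,   # encrypted and suffixed: no finding
        "SLACK_BOT_TOKEN": FAKE_BLOB,      # encrypted, but env() would not decrypt it
        "API_KEY_SECRET": "hunter2",       # plaintext under a _SECRET name
        "SMTP_PASSWORD": "hunter2",        # plaintext credential, no suffix
    }
}

if __name__ == "__main__":
    for name, finding in lint_environment(SAMPLE_CONFIG):
        print(f"{name}: {finding}")
```

Run it against the parsed `.chalice/config.json` before deploying; a finding on a ciphertext without the suffix means the code must read that variable with `env_secret()` rather than `env()`.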