  • Stars: 140
  • Rank: 261,473 (Top 6 %)
  • Language: Python
  • License: Apache License 2.0
  • Created about 7 years ago
  • Updated almost 2 years ago


Repository Details

A CloudFormation custom resource provider for deploying secrets and keys

cfn-secret-provider

A CloudFormation custom resource provider for managing secrets, private keys and EC2 key pairs.

One of the biggest problems I encounter when creating immutable infrastructures is dealing with secrets. Secrets must always differ per environment and are therefore parameterized. As we automate all the things, passwords often end up in parameter files and have to be passed around to people and applications: this is not a good thing. With this custom CloudFormation resource we put an end to that. Secrets are generated and stored in the EC2 Parameter Store, and access to them can be controlled through security policies.

How do I generate a secret?

It is quite easy: you specify a CloudFormation resource of type Custom::Secret, as follows:

  DBPassword:
    Type: Custom::Secret
    Properties:
      Name: /demo/PGPASSWORD
      KeyAlias: alias/aws/ssm
      Alphabet: abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789
      Length: 30
      ReturnSecret: true
      ServiceToken: !Sub 'arn:aws:lambda:${AWS::Region}:${AWS::AccountId}:function:binxio-cfn-secret-provider'

After the deployment, a 30 character random string can be found in the EC2 Parameter Store under the name /demo/PGPASSWORD.

If you need to access the secret in your CloudFormation template, you must set ReturnSecret to true and reference it as the attribute Secret:

  Database:
    Type: AWS::RDS::DBInstance
    Properties:
      MasterUserPassword: !GetAtt 'DBPassword.Secret'
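The resource above hides four steps that any Custom::Secret handler has to perform: normalise the properties CloudFormation hands over (every value arrives as a string), draw the random value from a cryptographically secure source, write it to the Parameter Store as a SecureString encrypted under KeyAlias, and only hand the value back to the stack when ReturnSecret asks for it. The following is an added example written for this page, not the cfn-secret-provider project's own code; the function names, the response shape and the `Overwrite: False` choice are assumptions, and the boto3 call itself is left out so the example runs offline.

```python
# Added example, not the provider's own implementation. It models the work a
# Custom::Secret create handler does for the DBPassword resource shown above.
import secrets
from typing import Any, Dict, Tuple

# Default alphabet matches the one used in the README's example resource.
DEFAULT_ALPHABET = "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789"


def generate_secret(alphabet: str = DEFAULT_ALPHABET, length: int = 30) -> str:
    """Draw `length` characters uniformly from `alphabet` via the OS CSPRNG.

    `secrets.choice` is used instead of `random.choice`: the `random` module
    is a Mersenne Twister whose state can be recovered from its output, so it
    is not suitable for passwords.
    """
    if length < 1:
        raise ValueError("Length must be a positive integer")
    if len(set(alphabet)) < 2:
        raise ValueError("Alphabet needs at least two distinct characters")
    return "".join(secrets.choice(alphabet) for _ in range(length))


def normalise_properties(props: Dict[str, Any]) -> Dict[str, Any]:
    """Validate and type the ResourceProperties CloudFormation passes in.

    CloudFormation serialises every property as a string, so Length arrives
    as "30" and ReturnSecret as "true"; both are converted here.
    """
    name = props.get("Name")
    if not isinstance(name, str) or not name.startswith("/"):
        raise ValueError("Name is required and must be an absolute parameter path")
    return {
        "Name": name,
        "KeyAlias": props.get("KeyAlias", "alias/aws/ssm"),
        "Alphabet": props.get("Alphabet", DEFAULT_ALPHABET),
        "Length": int(props.get("Length", 30)),
        "ReturnSecret": str(props.get("ReturnSecret", "false")).lower() == "true",
    }


def put_parameter_request(cfg: Dict[str, Any], secret: str) -> Dict[str, Any]:
    """Keyword arguments for ssm.put_parameter (assumed shape of the call).

    SecureString with KeyId set to the alias keeps the value encrypted at
    rest; Overwrite=False makes a re-run fail loudly instead of silently
    replacing a secret that is already in use.
    """
    return {
        "Name": cfg["Name"],
        "Type": "SecureString",
        "KeyId": cfg["KeyAlias"],
        "Value": secret,
        "Overwrite": False,
    }


def resource_response(cfg: Dict[str, Any], secret: str) -> Dict[str, Any]:
    """Data returned to CloudFormation for !GetAtt (assumed response shape).

    The secret is only placed in Data when ReturnSecret is true: from there it
    travels through the custom resource response and every !GetAtt consumer,
    so it should only be requested when a resource property needs it.
    """
    data: Dict[str, Any] = {"Name": cfg["Name"]}
    if cfg["ReturnSecret"]:
        data["Secret"] = secret
    return {"PhysicalResourceId": cfg["Name"], "Data": data}


def handle_create(props: Dict[str, Any]) -> Tuple[Dict[str, Any], Dict[str, Any]]:
    """Create path of the handler: returns the SSM request it would issue and
    the response it would send back. A real handler passes the request to
    boto3's ssm.put_parameter; that call is omitted so this runs offline."""
    cfg = normalise_properties(props)
    secret = generate_secret(cfg["Alphabet"], cfg["Length"])
    return put_parameter_request(cfg, secret), resource_response(cfg, secret)


if __name__ == "__main__":
    # Constructed sample properties, mirroring the README's DBPassword resource.
    request, response = handle_create({
        "Name": "/demo/PGPASSWORD",
        "KeyAlias": "alias/aws/ssm",
        "Length": "30",
        "ReturnSecret": "true",
    })
    print({k: v for k, v in request.items() if k != "Value"})
    print("Secret attribute exposed to the stack:", "Secret" in response["Data"])
```

The asymmetry between the two dictionaries is the point: the SSM request always carries the value, the CloudFormation response only does when the template explicitly asked for it with ReturnSecret.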

How do I add a private key?

In the same manner you can specify an RSA private key as a CloudFormation resource of type Custom::RSAKey:

  PrivateKey:
    Type: Custom::RSAKey
    Properties:
      Name: /demo/private-key
      KeyAlias: alias/aws/ssm
      ServiceToken: !Sub 'arn:aws:lambda:${AWS::Region}:${AWS::AccountId}:function:binxio-cfn-secret-provider'

After the deployment, the newly generated private key can be found in the EC2 Parameter Store under the name /demo/private-key:

$ aws ssm get-parameter --name /demo/private-key --with-decryption --query Parameter.Value --output text

If you need to access the public key of the newly generated private key, you can reference it as the attribute PublicKey. Most likely, you would use this in the Custom::KeyPair resource to create an EC2 key pair:

  KeyPair:
    Type: Custom::KeyPair
    DependsOn: PrivateKey
    Properties:
      Name: CustomKeyPair
      PublicKeyMaterial: !GetAtt 'PrivateKey.PublicKey'
      ServiceToken: !Sub 'arn:aws:lambda:${AWS::Region}:${AWS::AccountId}:function:binxio-cfn-secret-provider'

This will create the EC2 key pair named CustomKeyPair for you, based on the generated private key. The private key is now securely stored in the EC2 Parameter Store, and only the public key leaves it to grant access to specific EC2 instances. See Amazon EC2 Key Pairs for more information.

Installation

To install these custom resources, type:

aws cloudformation create-stack \
    --capabilities CAPABILITY_IAM \
    --stack-name cfn-secret-provider \
    --template-body file://cloudformation/cfn-resource-provider.yaml

aws cloudformation wait stack-create-complete --stack-name cfn-secret-provider

This CloudFormation template will use our pre-packaged provider from s3://binxio-public-${AWS_REGION}/lambdas/cfn-secret-provider-2.0.1.zip.

or use

Demo

To install the simple sample of the Custom Resource, type:

aws cloudformation create-stack \
    --capabilities CAPABILITY_NAMED_IAM \
    --stack-name cfn-secret-provider-demo \
    --template-body file://cloudformation/demo-stack.yaml
aws cloudformation wait stack-create-complete --stack-name cfn-secret-provider-demo

To validate the result, type:

aws ssm get-parameter --name /cfn-secret-provider-demo/demo/PGPASSWORD --with-decryption
aws ssm get-parameter --name /cfn-secret-provider-demo/demo/private-key --with-decryption
aws ec2 --output text describe-key-pairs --key-names cfn-secret-provider-demo-custom-key-pair

Conclusion

With this solution:

  • secrets are generated per environment
  • secrets are always stored encrypted in the Parameter Store
  • access to the secrets is audited and controlled
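The last point depends on what the consumers of the stack are allowed to read. The README's scheme stores every environment's secrets under its own path prefix (/demo/... above), which is what makes a tight policy possible: a reader needs ssm:GetParameter on that prefix and kms:Decrypt on the key behind KeyAlias, and nothing wider. Below is an added example, not part of the cfn-secret-provider project, that builds such a consumer policy and flags statements in an existing policy that would undo the per-environment scoping. The function names are assumptions, and the region, account id and KMS key ARN in the sample run are constructed placeholders.

```python
# Added example, not part of cfn-secret-provider: least-privilege read access
# to secrets stored under one Parameter Store prefix, plus a check for
# statements that grant parameter reads or decryption on everything.
import json
from typing import Any, Dict, List


def consumer_policy(region: str, account: str, path_prefix: str, kms_key_arn: str) -> Dict[str, Any]:
    """IAM policy for a workload that must read secrets under `path_prefix`.

    SSM parameter ARNs carry the hierarchical name without its leading slash,
    so /demo/PGPASSWORD is ...:parameter/demo/PGPASSWORD. The kms:ViaService
    condition ties the Decrypt permission to calls made through SSM in this
    region, so the same key cannot be used to decrypt arbitrary ciphertexts.
    """
    prefix = path_prefix.strip("/")
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "ReadSecretsUnderPrefix",
                "Effect": "Allow",
                "Action": ["ssm:GetParameter", "ssm:GetParameters"],
                "Resource": f"arn:aws:ssm:{region}:{account}:parameter/{prefix}/*",
            },
            {
                "Sid": "DecryptViaParameterStore",
                "Effect": "Allow",
                "Action": "kms:Decrypt",
                "Resource": kms_key_arn,
                "Condition": {"StringEquals": {"kms:ViaService": f"ssm.{region}.amazonaws.com"}},
            },
        ],
    }


def _as_list(value: Any) -> List[Any]:
    """IAM allows Action/Resource to be a single string or a list."""
    return value if isinstance(value, list) else [value]


def overbroad_statements(policy: Dict[str, Any]) -> List[str]:
    """Return the Sid (or index) of every Allow statement that grants
    parameter reads or KMS decryption on all resources.

    Such a statement lets one environment read another environment's
    secrets, which is exactly what the per-environment prefixes are for.
    """
    findings: List[str] = []
    for index, statement in enumerate(_as_list(policy.get("Statement", []))):
        if statement.get("Effect") != "Allow":
            continue
        actions = [str(a).lower() for a in _as_list(statement.get("Action", []))]
        resources = [str(r) for r in _as_list(statement.get("Resource", []))]
        reads_parameters = any(
            a in ("*", "ssm:*") or a.startswith("ssm:getparameter") for a in actions
        )
        decrypts = any(a in ("*", "kms:*", "kms:decrypt") for a in actions)
        on_everything = any(r == "*" or r.endswith(":parameter/*") for r in resources)
        if (reads_parameters or decrypts) and on_everything:
            findings.append(str(statement.get("Sid", f"Statement[{index}]")))
    return findings


if __name__ == "__main__":
    # Constructed placeholders: not a real account, region choice or key id.
    policy = consumer_policy(
        "eu-west-1",
        "123456789012",
        "/demo",
        "arn:aws:kms:eu-west-1:123456789012:key/00000000-0000-0000-0000-000000000000",
    )
    print(json.dumps(policy, indent=2))
    print("findings:", overbroad_statements(policy))
```

Running `overbroad_statements` over the policies attached to the roles that consume a stack's secrets is a cheap way to confirm that the "controlled" part of the conclusion still holds after the policies have been edited by hand.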
