by 45h34jh53k4j
3587 days ago
I like this design. Infrastructure as code. Store your config data in your repo. Screw 12 factors. You can do this with the in-house AWS tools, awscli and boto3 for Python.

This was for use within a Python lambda function so I used the secrets in a separate file, but no loss of generality here.

* Create your keys in KMS via Web UI or otherwise
* encrypt your secrets before commit

  aws kms encrypt --key-id alias/TokenKey --plaintext fileb://unencrypted_token --output text --query CiphertextBlob > encrypted_token

Decrypt the token from your python lambda function with boto3:

  import base64
  import boto3

  # token_encrypted holds the base64 text written to encrypted_token above
  kms = boto3.client('kms')
  token = kms.decrypt(CiphertextBlob=base64.b64decode(token_encrypted))['Plaintext'].decode('ascii')

The blob from KMS contains the appropriate fields for decryption from their service.

Give the lambda role rights to decrypt with the key.
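The decrypt-in-Lambda flow the comment describes, as an added example (not the commenter's code): it takes the base64 CiphertextBlob that `aws kms encrypt --output text --query CiphertextBlob` writes, validates and decodes it, calls KMS `Decrypt` (the blob already names the key, so no `KeyId` is passed), caches the plaintext per container so a warm invocation does not call KMS again, and builds the least-privilege policy for the Lambda role (only `kms:Decrypt`, only on the one key). The KMS client is injectable so the code can be exercised with a fake offline; the ciphertext placeholder, the `FakeKms` class and the key ARN are constructed for the example, and `boto3` is imported lazily only when no client is supplied.

```python
"""Decrypt a KMS-encrypted secret committed to the repo, inside a Lambda (added example)."""
import base64

# Base64 CiphertextBlob as written to the encrypted_token file by the CLI.
# Constructed placeholder for the example, not real KMS ciphertext.
ENCRYPTED_TOKEN_B64 = base64.b64encode(b"ciphertext-placeholder").decode("ascii")

# Hypothetical key ARN, used only to scope the IAM policy below.
KEY_ARN = "arn:aws:kms:us-east-1:123456789012:key/EXAMPLE-KEY-ID"

_token_cache = {}  # plaintext survives across warm invocations of one container


def lambda_role_policy(key_arn: str) -> dict:
    """IAM policy for the Lambda execution role: decrypt only, and only with
    the key that encrypted the secret (no kms:Encrypt, no wildcard resource)."""
    return {
        "Version": "2012-10-17",
        "Statement": [
            {"Effect": "Allow", "Action": "kms:Decrypt", "Resource": key_arn}
        ],
    }


def decrypt_token(token_encrypted_b64: str, kms_client=None) -> str:
    """Turn the committed base64 blob back into the plaintext token.

    kms_client is injectable for testing; when omitted a real boto3 KMS
    client is created (boto3 is imported lazily so the module loads without it).
    """
    if kms_client is None:
        import boto3  # real dependency, only needed at runtime in Lambda
        kms_client = boto3.client("kms")
    try:
        # validate=True rejects stray characters instead of silently dropping them
        blob = base64.b64decode(token_encrypted_b64, validate=True)
    except ValueError as exc:  # binascii.Error is a ValueError subclass
        raise ValueError("encrypted token is not valid base64") from exc
    # The CiphertextBlob carries the key id and metadata, so no KeyId argument.
    response = kms_client.decrypt(CiphertextBlob=blob)
    return response["Plaintext"].decode("ascii")


def cached_token(kms_client=None) -> str:
    """Decrypt once per container; later invocations reuse the plaintext."""
    if "token" not in _token_cache:
        _token_cache["token"] = decrypt_token(ENCRYPTED_TOKEN_B64, kms_client)
    return _token_cache["token"]


class FakeKms:
    """Stand-in for boto3's KMS client so the flow runs offline (constructed)."""

    def __init__(self, plaintext: bytes = b"s3cret"):
        self.plaintext = plaintext
        self.calls = []  # every CiphertextBlob the code tried to decrypt

    def decrypt(self, CiphertextBlob: bytes) -> dict:
        self.calls.append(CiphertextBlob)
        return {"Plaintext": self.plaintext, "KeyId": KEY_ARN}


def handler(event, context, kms_client=None) -> dict:
    """Minimal Lambda handler shape using the cached secret."""
    token = cached_token(kms_client)
    return {"statusCode": 200, "tokenLength": len(token)}


if __name__ == "__main__":
    fake = FakeKms()
    print(handler({}, None, fake))
    print(handler({}, None, fake))          # second call served from cache
    print("KMS decrypt calls:", len(fake.calls))
    print(lambda_role_policy(KEY_ARN))
```

With a real `boto3` client in place of `FakeKms`, the only permission the execution role needs is the single `kms:Decrypt` statement returned by `lambda_role_policy`; the role that runs `aws kms encrypt` at commit time is a different principal and needs `kms:Encrypt` instead.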