aws-ssm-secrets-cli


- Name: aws-ssm-secrets-cli
- Version: 2.6.0
- Home page: https://github.com/lucasvieirasilva/aws-ssm-secrets-cli
- Summary: AWS Secret CLI for manage SSM SecureString and SecretsManager
- Upload time: 2024-07-18 11:04:16
- Maintainer: Lucas Vieira
- Author: Lucas Vieira
- Requires Python: <4.0,>=3.8.1
- License: MIT
- Keywords: aws, secrets, ssm, manager

# AWS Secrets CLI

## SonarCloud Status

[![Vulnerabilities](https://sonarcloud.io/api/project_badges/measure?project=lucasvieirasilva_aws-ssm-secrets-cli&metric=vulnerabilities)](https://sonarcloud.io/dashboard?id=lucasvieirasilva_aws-ssm-secrets-cli)
[![Bugs](https://sonarcloud.io/api/project_badges/measure?project=lucasvieirasilva_aws-ssm-secrets-cli&metric=bugs)](https://sonarcloud.io/dashboard?id=lucasvieirasilva_aws-ssm-secrets-cli)
[![Code Smells](https://sonarcloud.io/api/project_badges/measure?project=lucasvieirasilva_aws-ssm-secrets-cli&metric=code_smells)](https://sonarcloud.io/dashboard?id=lucasvieirasilva_aws-ssm-secrets-cli)
[![Technical Debt](https://sonarcloud.io/api/project_badges/measure?project=lucasvieirasilva_aws-ssm-secrets-cli&metric=sqale_index)](https://sonarcloud.io/dashboard?id=lucasvieirasilva_aws-ssm-secrets-cli)
[![Lines of Code](https://sonarcloud.io/api/project_badges/measure?project=lucasvieirasilva_aws-ssm-secrets-cli&metric=ncloc)](https://sonarcloud.io/dashboard?id=lucasvieirasilva_aws-ssm-secrets-cli)

[![Maintainability Rating](https://sonarcloud.io/api/project_badges/measure?project=lucasvieirasilva_aws-ssm-secrets-cli&metric=sqale_rating)](https://sonarcloud.io/dashboard?id=lucasvieirasilva_aws-ssm-secrets-cli)
[![Reliability Rating](https://sonarcloud.io/api/project_badges/measure?project=lucasvieirasilva_aws-ssm-secrets-cli&metric=reliability_rating)](https://sonarcloud.io/dashboard?id=lucasvieirasilva_aws-ssm-secrets-cli)
[![Security Rating](https://sonarcloud.io/api/project_badges/measure?project=lucasvieirasilva_aws-ssm-secrets-cli&metric=security_rating)](https://sonarcloud.io/dashboard?id=lucasvieirasilva_aws-ssm-secrets-cli)
[![Quality Gate Status](https://sonarcloud.io/api/project_badges/measure?project=lucasvieirasilva_aws-ssm-secrets-cli&metric=alert_status)](https://sonarcloud.io/dashboard?id=lucasvieirasilva_aws-ssm-secrets-cli)

## About

AWS Secrets CLI is a tool to manage [SSM Parameter Store](https://docs.aws.amazon.com/systems-manager/latest/userguide/systems-manager-parameter-store.html) parameters (SecureString and String), using KMS to encrypt your information. It lets you store your secrets without exposing them in your git repository.

## Motivation

When you need to manage SSM parameters (SecureString) across multiple AWS environments, you have to create or update them manually, because [CloudFormation](https://aws.amazon.com/pt/cloudformation/) doesn't support the SecureString parameter type. You can use the AWS CLI or boto3 to create the parameters for you, but you need to read the secret values from somewhere, and you can't store them in your git repository.

AWS Secrets CLI provides a command-line interface that manages your secrets using [KMS](https://aws.amazon.com/pt/kms/), so you can store the config file in your git repository: your secrets are not exposed, and only people who have access to the KMS key can read them.

## Install

```shell
pip install aws-ssm-secrets-cli
```

## Requirements

It is necessary to create a KMS key before starting to create the parameter using the CLI.

You can create this key using AWS CLI, AWS SDK, console, or CloudFormation:

Example using CloudFormation:

```yaml
Description: "KMS Key for Secrets"
Resources:
  Key:
    Type: AWS::KMS::Key
    Properties:
      KeyPolicy:
        Statement:
          - Action:
              - kms:Create*
              - kms:Describe*
              - kms:Enable*
              - kms:List*
              - kms:Put*
              - kms:Update*
              - kms:Revoke*
              - kms:Disable*
              - kms:Get*
              - kms:Delete*
              - kms:ScheduleKeyDeletion
              - kms:CancelKeyDeletion
              - kms:GenerateDataKey
              - kms:TagResource
              - kms:UntagResource
            Effect: Allow
            Principal:
              AWS: !Sub "arn:aws:iam::${AWS::AccountId}:root"
            Resource: "*"
          - Action:
              - kms:Decrypt
              - kms:Encrypt
              - kms:ReEncrypt*
              - kms:GenerateDataKey*
            Effect: Allow
            Principal:
              AWS: !Sub "arn:aws:iam::${AWS::AccountId}:root"
            Resource: "*"
        Version: "2012-10-17"
      Description: AWS KMS Key for secrets
    UpdateReplacePolicy: Retain
    DeletionPolicy: Retain

  KeyAlias:
    Type: AWS::KMS::Alias
    Properties:
      AliasName: alias/infra-scripts-secrets
      TargetKeyId: !GetAtt Key.Arn

Outputs:
  KeyArn:
    Description: KMS Key Arn
    Value: !GetAtt Key.Arn
```

## Getting Started

### Our first config

As a naming convention, name the file after the environment (e.g., `dev.yaml`).

```yaml
kms:
  arn: KMS_KEY_ARN (String) #Required
encryption_sdk: "aws_encryption_sdk"
parameters:
  - name: myparametername
    value: "MySecretValueHere"
    type: SecureString
secrets:
  - name: mysecretname
    value: "MySecretValueHere"
```

Or, for an AWS Secrets Manager secret with an object value:

```yaml
kms:
  arn: KMS_KEY_ARN (String) #Required
encryption_sdk: "aws_encryption_sdk"
parameters:
  - name: myparametername
    value: "MySecretValueHere"
    type: SecureString
secrets:
  - name: mysecretname
    value:
      user: myusername
      password: mypassword
```

### Encrypt

To encrypt the parameter values, you need to use this command:

```shell
aws-secrets encrypt -e dev.yaml --profile myprofile --region eu-west-1
```

### Decrypt

To edit the values, you can decrypt and re-encrypt the parameter values. You need to use this command:

```shell
aws-secrets decrypt -e dev.yaml --profile myprofile --region eu-west-1
```

At this point, a new file, `dev.yaml.dec`, has been created. If you want to decrypt in overwrite mode, pass the `--output` option with the same file name that you are decrypting.

```shell
aws-secrets decrypt -e dev.yaml --output dev.yaml --profile myprofile --region eu-west-1
```

After making your changes, re-encrypt the file using this command:

```shell
aws-secrets encrypt -e dev.yaml --profile myprofile --region eu-west-1
```

### Create parameters into AWS Account

To deploy the parameter that you created on the last step, you need to execute this command:

```shell
aws-secrets deploy -e dev.yaml --profile myaws-profile --region eu-west-1
```

Your parameters have now been created in the AWS account.

## Migrate KMS API to AWS Encryption SDK

The AWS Encryption SDK is a client-side encryption library designed to make it easy for everyone to encrypt and decrypt data using industry standards and best practices. It enables you to focus on the core functionality of your application, rather than on how to best encrypt and decrypt your data. The AWS Encryption SDK is provided free of charge under the Apache 2.0 license.

Full documentation: <https://docs.aws.amazon.com/encryption-sdk/latest/developer-guide/introduction.html>

Using the AWS Encryption SDK enables AWS Secrets CLI to encrypt data larger than 4 KB.

### Migration process

1. Decrypt all SSM parameters and Secrets Manager secrets:

```shell
aws-secrets decrypt -e dev.yaml --output dev.yaml --profile myprofile --region eu-west-1
```

2. Update the YAML configuration to add the `encryption_sdk` key with the value `aws_encryption_sdk`.

```yaml
kms:
  arn: KMS_KEY_ARN
encryption_sdk: "aws_encryption_sdk"
parameters:
  - name: myparametername
    value: "MySecretValueHere"
    type: SecureString
secrets:
  - name: mysecretname
    value: "MySecretValueHere"
```

> Currently, the default value is `boto3`

3. Re-encrypt the YAML configuration file

```shell
aws-secrets encrypt -e dev.yaml --profile myprofile --region eu-west-1
```

## Configuration Schema

```yaml
tags: # Global tags, applied to all the resources
  key: 'string' # key/value pair
kms:
  arn: 'string' # Required, KMS ARN
encryption_sdk: 'aws_encryption_sdk|boto3' # Optional, Encryption SDK, default 'boto3'
parameters: # AWS SSM Parameter Section
  - name: 'string' # Required, Parameter Name
    description: 'string' # Optional, Parameter Description
    type: 'String|SecureString' # Required, Parameter Type
    value: 'string' # Required only for Type 'String' or if it is some YAML tag (e.g. !file or !cmd)
    tier: 'Standard|Advanced|Intelligent-Tiering' # Optional, Parameter Tier, default 'Standard'
    tags: # Optional, Parameter Tags, it is extended with the global tags
      key: 'string'
secrets: # AWS Secrets Manager secrets Section
  - name: 'string' # Required, Secret Name
    description: 'string' # Optional, Secret Description
    value: 'string' # Required only if it is some YAML tag (e.g. !file or !cmd)
    tags: # Optional, Secret Tags, it is extended with the global tags
      key: 'string'
secrets_file: 'Path' # Optional, Secrets file path, default '<config-filename>.secrets.yaml'
```
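
A pre-commit check built on the schema above, as an added example that is not part of the project's code: it flags SecureString parameters and secrets that still carry a literal `value` in the config file, and lists `!cmd` resolvers, which run a command when the file is processed. It assumes, from the schema comments, that an encrypted config keeps no literal `value` for those items; `Finding`, `audit_env_file` and the constructed `SAMPLE` are hypothetical names, and the line scanner only handles the simple layout shown on this page.

```python
import re
from typing import NamedTuple


class Finding(NamedTuple):
    line: int  # 1-based line of the offending `value:` key
    rule: str  # "plaintext-value" or "cmd-resolver"
    item: str  # parameter or secret name


TOP_KEY = re.compile(r"^(\w+):")
ITEM_START = re.compile(r"^(\s*)-\s+(\w+):\s*(.*)$")
ITEM_KEY = re.compile(r"^(\s+)(\w+):\s*(.*)$")


def _scalar(raw):
    """Drop a trailing comment and surrounding quotes from a simple scalar."""
    return raw.split(" #")[0].strip().strip("'\"")


def audit_env_file(text):
    """Return findings for one environment file (assumed layout, see lead-in)."""
    findings = []
    section = None
    item = None  # {"col": column of the item's keys, "keys": {key: (line, raw)}}

    def close_item():
        nonlocal item
        if item is not None and "value" in item["keys"]:
            keys = item["keys"]
            name = _scalar(keys.get("name", (0, "?"))[1])
            line_no, raw = keys["value"]
            secure = (section == "secrets"
                      or _scalar(keys.get("type", (0, ""))[1]) == "SecureString")
            if raw.startswith("!cmd"):
                # Command execution driven by a file in git: needs review.
                findings.append(Finding(line_no, "cmd-resolver", name))
            elif secure and not raw.startswith("!"):
                # Literal (or nested object) value on a secret item.
                findings.append(Finding(line_no, "plaintext-value", name))
        item = None

    for line_no, line in enumerate(text.splitlines(), start=1):
        stripped = line.strip()
        if not stripped or stripped.startswith("#") or stripped == "---":
            continue
        top = TOP_KEY.match(line)
        if top:
            close_item()
            section = top.group(1)
            continue
        if section not in ("parameters", "secrets"):
            continue
        start = ITEM_START.match(line)
        if start and (item is None or len(start.group(1)) < item["col"]):
            close_item()
            item = {"col": start.start(2),
                    "keys": {start.group(2): (line_no, start.group(3))}}
            continue
        key = ITEM_KEY.match(line)
        if key and item is not None and len(key.group(1)) == item["col"]:
            item["keys"][key.group(2)] = (line_no, key.group(3))
    close_item()
    return findings


# Constructed sample: a config file left in its decrypted state.
SAMPLE = """\
kms:
  arn: "arn:aws:kms:us-west-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab"
parameters:
  - name: /app/db/url
    type: String
    value: "jdbc:postgresql://db.example.internal/app"
  - name: /app/db/password
    value: "MySecretValueHere"
    type: SecureString
  - name: /app/token
    type: SecureString
    value: !cmd 'echo "Teste"'
  - name: /app/api/key
    type: SecureString
secrets:
  - name: mysecretname
    value:
      user: myusername
      password: mypassword
  - name: tls-cert
    value: !file myfile.txt
"""

if __name__ == "__main__":
    for finding in audit_env_file(SAMPLE):
        print(f"line {finding.line}: {finding.rule} ({finding.item})")
```

Run it over staged `*.yaml` environment files and fail the commit on any `plaintext-value` finding; treat `cmd-resolver` findings as items for code review.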

## Command Line Interface

Command options differ depending on the command, and can be found by running:

```shell
aws-secrets --help
aws-secrets COMMAND --help
```

### encrypt

To encrypt SecureString parameters and secrets values in the environment file.

```shell
aws-secrets encrypt
  --env-file
  [--profile]
  [--region]
```

#### Options

| Option               | Description           | Data Type | Required | Options | Default |
| -------------------- | --------------------- | --------- | -------- | ------- | ------- |
| `--env-file` or `-e` | Environment file path | `String`  | `true`   |         |         |
| `--profile`          | AWS Profile           | `String`  | `false`  |         |         |
| `--region`           | AWS Region            | `String`  | `false`  |         |         |

### decrypt

To decrypt SecureString parameters and secrets values in the environment file.

```shell
aws-secrets decrypt
  --env-file
  [--profile]
  [--region]
```

#### Options

| Option               | Description           | Data Type | Required | Options | Default |
| -------------------- | --------------------- | --------- | -------- | ------- | ------- |
| `--env-file` or `-e` | Environment file path | `String`  | `true`   |         |         |
| `--profile`          | AWS Profile           | `String`  | `false`  |         |         |
| `--region`           | AWS Region            | `String`  | `false`  |         |         |

### set-parameter

Create or modify the SSM parameter in the environment file.

```shell
aws-secrets set-parameter
  --env-file
  --name
  [--description]
  [--kms]
  [--type]
  [--profile]
  [--region]
```

#### Options

| Option                  | Description               | Data Type | Required | Options                     | Default        |
| ----------------------- | ------------------------- | --------- | -------- | --------------------------- | -------------- |
| `--env-file` or `-e`    | Environment file path     | `String`  | `true`   |                             |                |
| `--name` or `-n`        | SSM Parameter Name        | `String`  | `true`   |                             |                |
| `--description` or `-d` | SSM Parameter Description | `String`  | `false`  |                             |                |
| `--type` or `-t`        | SSM Parameter Type        | `String`  | `true`   | `String` and `SecureString` | `SecureString` |
| `--kms` or `-k`         | KMS Id or ARN             | `String`  | `true`   |                             |                |
| `--profile`             | AWS Profile               | `String`  | `false`  |                             |                |
| `--region`              | AWS Region                | `String`  | `false`  |                             |                |

### set-secret

Create or modify secrets in the environment file.

```shell
aws-secrets set-secret
  --env-file
  --name
  [--description]
  [--kms]
  [--profile]
  [--region]
```

#### Options

| Option                  | Description           | Data Type | Required | Options | Default |
| ----------------------- | --------------------- | --------- | -------- | ------- | ------- |
| `--env-file` or `-e`    | Environment file path | `String`  | `true`   |         |         |
| `--name` or `-n`        | Secret Name           | `String`  | `true`   |         |         |
| `--description` or `-d` | Secret Description    | `String`  | `false`  |         |         |
| `--kms` or `-k`         | KMS Id or ARN         | `String`  | `true`   |         |         |
| `--profile`             | AWS Profile           | `String`  | `false`  |         |         |
| `--region`              | AWS Region            | `String`  | `false`  |         |         |

### view-parameter

View the SSM parameter value in the environment file.

```shell
aws-secrets view-parameter
  --env-file
  --name
  [--profile]
  [--region]
```

#### Options

| Option               | Description           | Data Type | Required | Options | Default |
| -------------------- | --------------------- | --------- | -------- | ------- | ------- |
| `--env-file` or `-e` | Environment file path | `String`  | `true`   |         |         |
| `--name` or `-n`     | SSM Parameter Name    | `String`  | `true`   |         |         |
| `--profile`          | AWS Profile           | `String`  | `false`  |         |         |
| `--region`           | AWS Region            | `String`  | `false`  |         |         |

### deploy

Create or update SSM parameters and secrets in the AWS Account.

```shell
aws-secrets deploy
  --env-file
  [--filter-pattern]
  [--dry-run]
  [--confirm]
  [--only-secrets]
  [--only-parameters]
  [--profile]
  [--region]
```

#### Options

| Option               | Description                                                                                             | Data Type | Required | Options | Default |
| -------------------- | ------------------------------------------------------------------------------------------------------- | --------- | -------- | ------- | ------- |
| `--env-file` or `-e` | Environment file path                                                                                   | `String`  | `true`   |         |         |
| `--filter-pattern`   | Filter pattern (e.g. `/app/db/*/password` matches `/app/db/dev/password` or `/app/db/prod/password`)    | `String`  | `false`  |         |         |
| `--dry-run`          | Execute without applying the changes to the environment                                                 | `Boolean` | `false`  |         | `false` |
| `--confirm`          | Prompt for confirmation before applying the changes                                                     | `Boolean` | `false`  |         | `false` |
| `--only-secrets`     | Apply changes just for AWS Secrets                                                                      | `Boolean` | `false`  |         | `false` |
| `--only-parameters`  | Apply changes just for SSM Parameters                                                                   | `Boolean` | `false`  |         | `false` |
| `--profile`          | AWS Profile                                                                                             | `String`  | `false`  |         |         |
| `--region`           | AWS Region                                                                                              | `String`  | `false`  |         |         |

#### Resolvers

This CLI implements resolvers, which can be used to resolve the value of a command output or a CloudFormation output value.

##### !file

This resolver loads the content of a file into the SSM parameter or Secrets Manager value.

Example:

```yaml

---
secrets:
  - name: mysecret
    value: !file myfile.txt
```

##### !cf_output

This resolver can be used in `parameters[*].value`, `secrets[*].value` and `kms.arn` properties.

Example:

```yaml
kms:
  arn: !cf_output "mystack.MyOutputKey"
parameters:
  - name: myparameter-name
    type: String
    value: !cf_output "mystack.MyOutputKey"
```

```yaml
kms:
  arn: !cf_output "mystack.MyOutputKey.us-east-1"
parameters:
  - name: myparameter-name
    type: String
    value: !cf_output "mystack.MyOutputKey.us-east-1"
```

##### !cmd

This resolver can be used in `parameters[*].value` and `secrets[*].value` properties.

Example:

```yaml
kms:
  arn: "arn:aws:kms:us-west-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab"
parameters:
  - name: myparameter-name
    type: SecureString
    value: !cmd 'echo "Teste"'
```

###### providers

###### cf

CloudFormation Stack Output resolver

Usage

```text
${cf:stack-name.output-name}
```

With default values

```text
${cf:stack-name.output-name, 'mydefaultvalue'}
```

###### session

AWS Credentials Session resolver

Usage

```text
${session:profile} or ${session:region}
```

With default values

```text
${session:profile, 'myprofile'} or ${session:region, 'us-east-1'}
```

###### aws

The AWS provider resolves the AWS CLI `--profile` and `--region` options from the values passed to the `aws-secrets` CLI.

Usage

```text
${aws:profile} or ${aws:region}
```

With default values

```text
${aws:profile, 'myprofile'} or ${aws:region, 'us-east-1'}
```

**Example**:

With the config file:

```yaml
kms:
  arn: !cf_output "mystack.KeyArn"
parameters:
  - description: My SSM Parameter
    name: /my/ssm/param
    type: SecureString
    value: !cmd 'aws s3 ls ${aws:profile} ${aws:region, "eu-west-1"}'
```

When you run `aws-secrets` with `--profile` or `--region`:

```shell
aws-secrets -e conf.yaml --profile myprofile --region us-east-1
```

The following AWS CLI command will be executed:

```shell
aws s3 ls --profile myprofile --region us-east-1
```

If `--profile` is not specified in the `aws-secrets` execution, like this:

```shell
aws-secrets -e conf.yaml --region us-east-1
```

The following AWS CLI command will be executed:

```shell
aws s3 ls --region eu-west-1
```

> The `--region` option remains in the command because the resolver has a default value of `eu-west-1` in the config file.
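
The expansion described above, sketched in Python as an added example; it is not the project's implementation. `resolve_aws_placeholders` is a hypothetical name, a value passed on the command line is assumed to take precedence over the placeholder default (as in the first run above), and the `shlex.quote` call is an addition of this sketch so that a substituted value always stays a single shell word inside the `!cmd` string.

```python
import re
import shlex

# ${provider:key} or ${provider:key, 'default'}; the default may use either quote style.
PLACEHOLDER = re.compile(
    r"""
    (?P<lead>\s*)                                   # whitespace before the placeholder
    \$\{\s*(?P<provider>\w+)\s*:\s*(?P<key>[\w.-]+)\s*
    (?:,\s*(?P<quote>['"])(?P<default>.*?)(?P=quote)\s*)?
    \}
    """,
    re.VERBOSE,
)

# The command string from the config file shown above.
README_CMD = 'aws s3 ls ${aws:profile} ${aws:region, "eu-west-1"}'


def resolve_aws_placeholders(command, profile=None, region=None):
    """Expand ${aws:profile} and ${aws:region} into AWS CLI options.

    A placeholder with neither a command-line value nor a default is dropped
    together with the whitespace in front of it. Placeholders of other
    providers (cf, session) are left untouched.
    """
    cli_values = {"profile": profile, "region": region}

    def expand(match):
        if match.group("provider") != "aws":
            return match.group(0)
        key = match.group("key")
        if key not in cli_values:
            raise ValueError(f"unsupported aws placeholder: {key}")
        value = cli_values[key]
        if value is None:
            value = match.group("default")  # None when no default was written
        if value is None:
            return ""
        # Quote the value so it cannot split into extra shell words.
        return f"{match.group('lead')}--{key} {shlex.quote(value)}"

    return PLACEHOLDER.sub(expand, command)


if __name__ == "__main__":
    print(resolve_aws_placeholders(README_CMD, profile="myprofile", region="us-east-1"))
    print(resolve_aws_placeholders(README_CMD))
```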

### Global Tags

You can also include tags at a global level:

```yaml
tags:
  SomeKey: SomeValue
kms:
  arn: "arn:aws:kms:us-west-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab"
parameters: ...
secrets: ...
```


            

Raw data

            {
    "_id": null,
    "home_page": "https://github.com/lucasvieirasilva/aws-ssm-secrets-cli",
    "name": "aws-ssm-secrets-cli",
    "maintainer": "Lucas Vieira",
    "docs_url": null,
    "requires_python": "<4.0,>=3.8.1",
    "maintainer_email": "lucas.vieira94@outlook.com",
    "keywords": "AWS, SECRETS, SSM, MANAGER",
    "author": "Lucas Vieira",
    "author_email": "lucas.vieira94@outlook.com",
    "download_url": "https://files.pythonhosted.org/packages/1b/c3/bd8d2867154430469633cbaef827faab2f15ec411ed61625c544d11e2391/aws_ssm_secrets_cli-2.6.0.tar.gz",
    "platform": null,
    "description": "# AWS Secrets CLI\n\n## SonarCloud Status\n\n[![Vulnerabilities](https://sonarcloud.io/api/project_badges/measure?project=lucasvieirasilva_aws-ssm-secrets-cli&metric=vulnerabilities)](https://sonarcloud.io/dashboard?id=lucasvieirasilva_aws-ssm-secrets-cli)\n[![Bugs](https://sonarcloud.io/api/project_badges/measure?project=lucasvieirasilva_aws-ssm-secrets-cli&metric=bugs)](https://sonarcloud.io/dashboard?id=lucasvieirasilva_aws-ssm-secrets-cli)\n[![Code Smells](https://sonarcloud.io/api/project_badges/measure?project=lucasvieirasilva_aws-ssm-secrets-cli&metric=code_smells)](https://sonarcloud.io/dashboard?id=lucasvieirasilva_aws-ssm-secrets-cli)\n[![Technical Debt](https://sonarcloud.io/api/project_badges/measure?project=lucasvieirasilva_aws-ssm-secrets-cli&metric=sqale_index)](https://sonarcloud.io/dashboard?id=lucasvieirasilva_aws-ssm-secrets-cli)\n[![Lines of Code](https://sonarcloud.io/api/project_badges/measure?project=lucasvieirasilva_aws-ssm-secrets-cli&metric=ncloc)](https://sonarcloud.io/dashboard?id=lucasvieirasilva_aws-ssm-secrets-cli)\n\n[![Maintainability Rating](https://sonarcloud.io/api/project_badges/measure?project=lucasvieirasilva_aws-ssm-secrets-cli&metric=sqale_rating)](https://sonarcloud.io/dashboard?id=lucasvieirasilva_aws-ssm-secrets-cli)\n[![Reliability Rating](https://sonarcloud.io/api/project_badges/measure?project=lucasvieirasilva_aws-ssm-secrets-cli&metric=reliability_rating)](https://sonarcloud.io/dashboard?id=lucasvieirasilva_aws-ssm-secrets-cli)\n[![Security Rating](https://sonarcloud.io/api/project_badges/measure?project=lucasvieirasilva_aws-ssm-secrets-cli&metric=security_rating)](https://sonarcloud.io/dashboard?id=lucasvieirasilva_aws-ssm-secrets-cli)\n[![Quality Gate Status](https://sonarcloud.io/api/project_badges/measure?project=lucasvieirasilva_aws-ssm-secrets-cli&metric=alert_status)](https://sonarcloud.io/dashboard?id=lucasvieirasilva_aws-ssm-secrets-cli)\n\n## About\n\nAWS Secrets CLI is a tool to manage 
[SSM Parameter Store](https://docs.aws.amazon.com/systems-manager/latest/userguide/systems-manager-parameter-store.html) (SecureString and String) using KMS to encrypt your information. This tool enables you to store your secrets information without exposing it to your git repository.\n\n## Motivation\n\nWhen you need to manage SSM parameter (SecureString) in multiple AWS Environments you need to create or update manually, because [CloudFormation](https://aws.amazon.com/pt/cloudformation/) doesn't support SSM parameter type Secure, you can use AWS CLI or boto3 to establish the parameters for you, but you need to read the secrets values from somewhere. You can't store into your git repository.\n\nAWS Secrets CLI provides you a Command Line Interface that manages your secrets using [KMS](https://aws.amazon.com/pt/kms/), so you can store the config file into your git repository because your secrets will not expose, only for people that have access to KMS Key.\n\n## Install\n\n```shell\npip install aws-ssm-secrets-cli\n```\n\n## Requirements\n\nIt is necessary to create a KMS key before starting to create the parameter using the CLI.\n\nYou can create this key using AWS CLI, AWS SDK, console, or CloudFormation:\n\nExample using CloudFormation:\n\n```yaml\nDescription: \"KMS Key for Secrest\"\nResources:\n  Key:\n    Type: AWS::KMS::Key\n    Properties:\n      KeyPolicy:\n        Statement:\n          - Action:\n              - kms:Create*\n              - kms:Describe*\n              - kms:Enable*\n              - kms:List*\n              - kms:Put*\n              - kms:Update*\n              - kms:Revoke*\n              - kms:Disable*\n              - kms:Get*\n              - kms:Delete*\n              - kms:ScheduleKeyDeletion\n              - kms:CancelKeyDeletion\n              - kms:GenerateDataKey\n              - kms:TagResource\n              - kms:UntagResource\n            Effect: Allow\n            Principal:\n              AWS: !Sub 
\"arn:aws:iam::${AWS::AccountId}:root\"\n            Resource: \"*\"\n          - Action:\n              - kms:Decrypt\n              - kms:Encrypt\n              - kms:ReEncrypt*\n              - kms:GenerateDataKey*\n            Effect: Allow\n            Principal:\n              AWS: !Sub \"arn:aws:iam::${AWS::AccountId}:root\"\n            Resource: \"*\"\n        Version: \"2012-10-17\"\n      Description: AWS KMS Key for secrets\n    UpdateReplacePolicy: Retain\n    DeletionPolicy: Retain\n\n  KeyAlias:\n    Type: AWS::KMS::Alias\n    Properties:\n      AliasName: alias/infra-scripts-secrets\n      TargetKeyId: !GetAtt Key.Arn\n\nOutputs:\n  KeyArn:\n    Description: KMS Key Arn\n    Value: !GetAtt Key.Arn\n```\n\n## Getting Started\n\n### Our fist config\n\nFor naming convention, you should give the environment name for the file name (e.g., dev.yaml)\n\n```yaml\nkms:\n  arn: KMS_KEY_ARN (String) #Required\nencryption_sdk: \"aws_encryption_sdk\"\nparameters:\n  - name: myparametername\n    value: \"MySecretValueHere\"\n    type: SecureString\nsecrets:\n  - name: mysecretname\n    value: \"MySecretValueHere\"\n```\n\nor AWS Secrets manager with object\n\n```yaml\nkms:\n  arn: KMS_KEY_ARN (String) #Required\nencryption_sdk: \"aws_encryption_sdk\"\nparameters:\n  - name: myparametername\n    value: \"MySecretValueHere\"\n    type: SecureString\nsecrets:\n  - name: mysecretname\n    value:\n      user: myusername\n      password: mypassword\n```\n\n### Encrypt\n\nTo encrypt the parameter values, you need to use this command:\n\n```shell\naws-secrets encrypt -e dev.yaml --profile myprofile --region eu-west-1\n```\n\n### Decrypt\n\nTo edit the values, you can decrypt and re-encrypt the parameter values. You need to use this command:\n\n```shell\naws-secrets decrypt -e dev.yaml --profile myprofile --region eu-west-1\n```\n\nAt this moment, a new file has created `dev.yaml.dec`. 
If you want to decrypt in overwrite mode put the `--output` option with the same file name that you are decrypting.\n\n```shell\naws-secrets decrypt -e dev.yaml --output dev.yaml --profile myprofile --region eu-west-1\n```\n\nAfter your changes you need to re-encrypt, you can do it using this command:\n\n```shell\naws-secrets encrypt -e dev.yaml --profile myprofile --region eu-west-1\n```\n\n### Create parameters into AWS Account\n\nTo deploy the parameter that you created on the last step, you need to execute this command:\n\n```shell\naws-secrets deploy -e dev.yaml --profile myaws-profile --region eu-west-1\n```\n\nNow your parameters have been created in AWS Account.\n\n## Migrate KMS API to AWS Encryption SDK\n\nThe AWS Encryption SDK is a client-side encryption library designed to make it easy for everyone to encrypt and decrypt data using industry standards and best practices. It enables you to focus on the core functionality of your application, rather than on how to best encrypt and decrypt your data. The AWS Encryption SDK is provided free of charge under the Apache 2.0 license.\n\nFull documentation: <https://docs.aws.amazon.com/encryption-sdk/latest/developer-guide/introduction.html>\n\nUsing AWS Encryption enables AWS Secrets CLI to encrypt data with more than 4KB.\n\n### Migration process\n\n1. Decrypt all SSM parameter and Secrets manager:\n\n```shell\naws-secrets decrypt -e dev.yaml --output dev.yaml --profile myprofile --region eu-west-1\n```\n\n2. Update YAML configuration to add the `encryption_sdk` with `aws_encryption_sdk` value.\n\n```yaml\nkms:\n  arn: KMS_KEY_ARN\nencryption_sdk: \"aws_encryption_sdk\"\nparameters:\n  - name: myparametername\n    value: \"MySecretValueHere\"\n    type: SecureString\nsecrets:\n  - name: mysecretname\n    value: \"MySecretValueHere\"\n```\n\n> Currently, the default value is `boto3`\n\n3. 
Re-encrypt the YAML configuration file\n\n```shell\naws-secrets encrypt -e dev.yaml --profile myprofile --region eu-west-1\n```\n\n## Configuration Schema\n\n```yaml\ntags: # Global tags, applied to all the resources\n  key: 'string' # key/value pair\nkms:\n  arn: 'string' # Required, KMS ARN\nencryption_sdk: 'aws_encryption_sdk' | 'boto3'\nparameters: # AWS SSM Parameter Section\n  - name: 'string' # Required, Parameter Name\n    description: 'string' # Optional, Parameter Description\n    type: 'String|SecureString' # Required, Parameter Type\n    value: 'string' # Required only for Type 'String' or if it is some YAML tag (e.g. !file or !cmd)\n    tier: 'Standard|Advanced|Intelligent-Tiering' # Optional, Parameter Tier, default 'Standard'\n    tags: # Optional, Parameter Tags, it is extended with the global tags\n      key: 'string'\nsecrets: # AWS Secrets Manager secrets Section\n  - name: 'string' # Required, Secret Name\n    description: 'string' # Optional, Secret Description\n    value: 'string' # Required only if it is some YAML tag (e.g. 
!file or !cmd)\n    tags: # Optional, Secret Tags, it is extended with the global tags\n      key: 'string'\nsecrets_file: 'Path' # Optional, Secrets file path, default '<config-filename>.secrets.yaml'\n```\n\n## Command Line Interface\n\nCommand options differ depending on the command, and can be found by running:\n\n```shell\naws-secrets --help\naws-secrets COMMAND --help\n```\n\n### encrypt\n\nTo encrypt SecureString parameters and secrets values in the environment file.\n\n```shell\naws-secrets encrypt\n  --env-file\n  [--profile]\n  [--region]\n```\n\n#### Options\n\n| Option               | Description           | Data Type | Required | Options | Default |\n| -------------------- | --------------------- | --------- | -------- | ------- | ------- |\n| `--env-file` or `-e` | Environment file path | `String`  | `true`   |         |         |\n| `--profile`          | AWS Profile           | `String`  | `false`  |         |         |\n| `--region`           | AWS Region            | `String`  | `false`  |         |         |\n\n### decrypt\n\nTo decrypt SecureString parameters and secrets values in the environment file.\n\n```shell\naws-secrets decrypt\n  --env-file\n  [--profile]\n  [--region]\n```\n\n#### Options\n\n| Option               | Description           | Data Type | Required | Options | Default |\n| -------------------- | --------------------- | --------- | -------- | ------- | ------- |\n| `--env-file` or `-e` | Environment file path | `String`  | `true`   |         |         |\n| `--profile`          | AWS Profile           | `String`  | `false`  |         |         |\n| `--region`           | AWS Region            | `String`  | `false`  |         |         |\n\n### set-parameter\n\nCreate or modify the SSM parameter in the environment file.\n\n```shell\naws-secrets set-parameter\n  --env-file\n  --name\n  [--description]\n  [--kms]\n  [--type]\n  [--profile]\n  [--region]\n```\n\n#### Options\n\n| Option                  | Description               
| Data Type | Required | Options                     | Default        |\n| ----------------------- | ------------------------- | --------- | -------- | --------------------------- | -------------- |\n| `--env-file` or `-e`    | Environment file path     | `String`  | `true`   |\n| `--name` or `-n`        | SSM Parameter Name        | `String`  | `true`   |                             |                |\n| `--description` or `-d` | SSM Parameter Description | `String`  | `false`  |                             |                |\n| `--type` or `-t`        | SSM Parameter Type        | `String`  | `true`   | `String` and `SecureString` | `SecureString` |\n| `--kms` or `-k`         | KMS Id or ARN             | `String`  | `true`   |                             |                |\n| `--profile`             | AWS Profile               | `String`  | `false`  |                             |                |\n| `--region`              | AWS Region                | `String`  | `false`  |                             |                |\n\n### set-secret\n\nCreate or modify secrets in the environment file.\n\n```shell\naws-secrets set-secret\n  --env-file\n  --name\n  [--description]\n  [--kms]\n  [--profile]\n  [--region]\n```\n\n#### Options\n\n| Option                  | Description           | Data Type | Required | Options | Default |\n| ----------------------- | --------------------- | --------- | -------- | ------- | ------- |\n| `--env-file` or `-e`    | Environment file path | `String`  | `true`   |         |         |\n| `--name` or `-n`        | Secret Name           | `String`  | `true`   |         |         |\n| `--description` or `-d` | Secret Description    | `String`  | `false`  |         |         |\n| `--kms` or `-k`         | KMS Id or ARN         | `String`  | `true`   |         |         |\n| `--profile`             | AWS Profile           | `String`  | `false`  |         |         |\n| `--region`              | AWS Region            | `String`  | `false`  
|         |         |\n\n### view-parameter\n\nView the SSM parameter value in the environment file.\n\n```shell\naws-secrets view-parameter\n  --env-file\n  --name\n  [--profile]\n  [--region]\n```\n\n#### Options\n\n| Option               | Description           | Data Type | Required | Options | Default |\n| -------------------- | --------------------- | --------- | -------- | ------- | ------- |\n| `--env-file` or `-e` | Environment file path | `String`  | `true`   |         |         |\n| `--name` or `-n`     | SSM Parameter Name    | `String`  | `true`   |         |         |\n| `--profile`          | AWS Profile           | `String`  | `false`  |         |         |\n| `--region`           | AWS Region            | `String`  | `false`  |         |         |\n\n### deploy\n\nCreate or update SSM parameters and secrets in the AWS Account.\n\n```shell\naws-secrets deploy\n  --env-file\n  [--filter-pattern]\n  [--dry-run]\n  [--confirm]\n  [--only-secrets]\n  [--only-parameters]\n  [--profile]\n  [--region]\n```\n\n#### Options\n\n| Option               | Description                                                                                             | Data Type | Required | Options | Default |\n| -------------------- | ------------------------------------------------------------------------------------------------------- | --------- | -------- | ------- | ------- |\n| `--env-file` or `-e` | Environment file path                                                                                   | `String`  | `true`   |         |         |\n| `--filter-pattern`   | Filter Pattern (e.g. `/app/db/*/password` matches `/app/db/dev/password` or `/app/db/prod/password`)    | `String`  | `false`  |         |         |\n| `--dry-run`          | Run without applying the changes to the environment                                                     | `Boolean` | `false`  |         | `false` |\n| `--confirm`          | Prompt to confirm before applying the changes     
                                                      | `Boolean` | `false`  |         | `false` |\n| `--only-secrets`     | Apply changes just for AWS Secrets                                                                      | `Boolean` | `false`  |         | `false` |\n| `--only-parameters`  | Apply changes just for SSM Parameters                                                                   | `Boolean` | `false`  |         | `false` |\n| `--profile`          | AWS Profile                                                                                             | `String`  | `false`  |         |         |\n| `--region`           | AWS Region                                                                                              | `String`  | `false`  |         |         |\n\n#### Resolvers\n\nThis CLI implements resolvers, which resolve a value from a command's output or from a CloudFormation stack output.\n\n##### !file\n\nThis resolver loads the content of a file into the SSM Parameter or Secrets Manager value.\n\nExample:\n\n```yaml\n\n---\nsecrets:\n  - name: mysecret\n    value: !file myfile.txt\n```\n\n##### !cf_output\n\nThis resolver can be used in the `parameters[*].value`, `secrets[*].value` and `kms.arn` properties.\n\nExample:\n\n```yaml\nkms:\n  arn: !cf_output \"mystack.MyOutputKey\"\nparameters:\n  - name: myparameter-name\n    type: String\n    value: !cf_output \"mystack.MyOutputKey\"\n```\n\n```yaml\nkms:\n  arn: !cf_output \"mystack.MyOutputKey.us-east-1\"\nparameters:\n  - name: myparameter-name\n    type: String\n    value: !cf_output \"mystack.MyOutputKey.us-east-1\"\n```\n\n##### !cmd\n\nThis resolver can be used in the `parameters[*].value` and `secrets[*].value` properties.\n\nExample:\n\n```yaml\nkms:\n  arn: \"arn:aws:kms:us-west-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab\"\nparameters:\n  - name: myparameter-name\n    type: SecureString\n    value: !cmd 'echo \"Teste\"'\n```\n\n###### providers\n\n###### 
cf\n\nCloudFormation Stack Output resolver\n\nUsage\n\n```text\n${cf:stack-name.output-name}\n```\n\nWith default values\n\n```text\n${cf:stack-name.output-name, 'mydefaultvalue'}\n```\n\n###### session\n\nAWS Credentials Session resolver\n\nUsage\n\n```text\n${session:profile} or ${session:region}\n```\n\nWith default values\n\n```text\n${session:profile, 'myprofile'} or ${session:region, 'us-east-1'}\n```\n\n###### aws\n\nThe AWS provider resolves the AWS CLI `--profile` and `--region` options from those passed to the `aws-secrets` CLI.\n\nUsage\n\n```text\n${aws:profile} or ${aws:region}\n```\n\nWith default values\n\n```text\n${aws:profile, 'myprofile'} or ${aws:region, 'us-east-1'}\n```\n\n**Example**:\n\nWith the config file:\n\n```yaml\nkms:\n  arn: !cf_output \"mystack.KeyArn\"\nparameters:\n  - description: My SSM Parameter\n    name: /my/ssm/param\n    type: SecureString\n    value: !cmd 'aws s3 ls ${aws:profile} ${aws:region, \"eu-west-1\"}'\n```\n\nWhen `aws-secrets` is run with `--profile` or `--region`:\n\n```shell\naws-secrets -e conf.yaml --profile myprofile --region us-east-1\n```\n\nThe following AWS CLI command is executed:\n\n```shell\naws s3 ls --profile myprofile --region us-east-1\n```\n\nIf `--profile` is not specified in the `aws-secrets` execution, like this:\n\n```shell\naws-secrets -e conf.yaml --region us-east-1\n```\n\nThe following AWS CLI command is executed:\n\n```shell\naws s3 ls --region eu-west-1\n```\n\n> The `--region` option remains in the command because the resolver has the default value `eu-west-1` in the config file.\n\n### Global Tags\n\nYou can also include tags at a global level:\n\n```yaml\ntags:\n  SomeKey: SomeValue\nkms:\n  arn: \"arn:aws:kms:us-west-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab\"\nparameters: ...\nsecrets: ...\n```\n\n",
    "bugtrack_url": null,
    "license": "MIT",
    "summary": "AWS Secret CLI for manage SSM SecureString and SecretsManager",
    "version": "2.6.0",
    "project_urls": {
        "Homepage": "https://github.com/lucasvieirasilva/aws-ssm-secrets-cli",
        "Repository": "https://github.com/lucasvieirasilva/aws-ssm-secrets-cli"
    },
    "split_keywords": [
        "aws",
        " secrets",
        " ssm",
        " manager"
    ],
    "urls": [
        {
            "comment_text": "",
            "digests": {
                "blake2b_256": "732c8acbe1761ed8ed10ee898ac2eba49fea26dbc079d18484a7cc7debbf4731",
                "md5": "288db2be57d6c8f4857694119794ea03",
                "sha256": "cab82f097f0f66891f1f8f808c32195ad249b5ad52ad50082422a9dbdac05704"
            },
            "downloads": -1,
            "filename": "aws_ssm_secrets_cli-2.6.0-py3-none-any.whl",
            "has_sig": false,
            "md5_digest": "288db2be57d6c8f4857694119794ea03",
            "packagetype": "bdist_wheel",
            "python_version": "py3",
            "requires_python": "<4.0,>=3.8.1",
            "size": 39779,
            "upload_time": "2024-07-18T11:04:15",
            "upload_time_iso_8601": "2024-07-18T11:04:15.099150Z",
            "url": "https://files.pythonhosted.org/packages/73/2c/8acbe1761ed8ed10ee898ac2eba49fea26dbc079d18484a7cc7debbf4731/aws_ssm_secrets_cli-2.6.0-py3-none-any.whl",
            "yanked": false,
            "yanked_reason": null
        },
        {
            "comment_text": "",
            "digests": {
                "blake2b_256": "1bc3bd8d2867154430469633cbaef827faab2f15ec411ed61625c544d11e2391",
                "md5": "97efd8e0174296d3e688cb57b5ef7424",
                "sha256": "8ecffae36c49924d356e62200dda8b5563b6bb5dde48e954b51438a023c2185b"
            },
            "downloads": -1,
            "filename": "aws_ssm_secrets_cli-2.6.0.tar.gz",
            "has_sig": false,
            "md5_digest": "97efd8e0174296d3e688cb57b5ef7424",
            "packagetype": "sdist",
            "python_version": "source",
            "requires_python": "<4.0,>=3.8.1",
            "size": 27684,
            "upload_time": "2024-07-18T11:04:16",
            "upload_time_iso_8601": "2024-07-18T11:04:16.766533Z",
            "url": "https://files.pythonhosted.org/packages/1b/c3/bd8d2867154430469633cbaef827faab2f15ec411ed61625c544d11e2391/aws_ssm_secrets_cli-2.6.0.tar.gz",
            "yanked": false,
            "yanked_reason": null
        }
    ],
    "upload_time": "2024-07-18 11:04:16",
    "github": true,
    "gitlab": false,
    "bitbucket": false,
    "codeberg": false,
    "github_user": "lucasvieirasilva",
    "github_project": "aws-ssm-secrets-cli",
    "travis_ci": false,
    "coveralls": false,
    "github_actions": true,
    "lcname": "aws-ssm-secrets-cli"
}
        