stechstudio/chalice_helpers


Chalice Helper

Some helper functions and utilities for Chalice applications. The encryption and decryption functions rely on AWS Key Management Service (KMS), a managed service that makes it easy to create and control the encryption keys used to encrypt your data and that uses Hardware Security Modules (HSMs) to protect your keys.

Install

$ pip install chalice_helpers

Configuration

Key Management System

Check out Getting Started with KMS and ensure that you have a key set up that can be used both in your development environment and by your Lambda role.

If you're not very familiar with KMS, you may want to take a look at the following docs:

Chalice

Set up your .chalice/config.json with the appropriate environment variables, for example:

{
    "environment_variables": {
        "DB_HOST_WRITER": "api-cluster.cluster-xxxxxxxxxxx.us-east-1.rds.amazonaws.com",
        "DB_HOST_READER": "api-cluster.cluster-ro-xxxxxxxxxxx.us-east-1.rds.amazonaws.com",
        "SLACK_BOT_TOKEN": "AQICAHhH+BfUkiHo+TajPXITjEDsdso9QUbqN1vmkVbaph2bVwFLgTNUBzmKsh28Aul4o+p4AAAAqjCBpwYJKoZIhvcNAQcGoIGZMIGWAgEAMIGQBgkqhkiG9w0BBwEwHgYJYIZIAWUDBAEuMBEEDKjr3O4nSFKLfTJnHwIBEIBj6E4uUq5KBkb/nb7lSay0ETsRoZ/3a7yuw4uvcQYRWKx6J4LTUfrjAk98hM3HH7c2GKHB1qEozF7NA6Q4hL7KG2k3dVXGgxWefjTdIrlpt5c42SY1AAfaATUMBqARDiPzE1hr",
        "DB_DATABASE": "api-database",
        "DB_USERNAME": "api-username",
        "DB_PASSWORD_SECRET": "AQICAhHH+BfUkiKo+TajPXITjEDsdso9QUbqN1vnkVbaph2bVwFvyzHW+wn/TaQqtusTvV5WAAAAbDBqBgkqhkiG0w0BBwagXTBbAgEAMFYGCSqGSIb3DQEHATAeBglghkgBZQMEAS4wEQQMYvoDJJkytmCMiy4QAgEQgCmbY3xKGkop2EIymI8tFzYSvcDknQEy3DOkX7RXFFBbaFbDJcfxkMbeXw=="
    }
}

Usage

Command Line Tools

Encrypt a plaintext string, probably to set in a Chalice environment variable.

$ kms-encrypt alias/some-kms-key 'A plaintext string'
AQICAHib94n55VYAGsQDxXZKuQdy85AW0GGbuyMmdm15thBVJwEj1ZLHx8LaUi3w0ETzRCTrAAAAcDBuBgkqhkiG9w0BBwagYTBfAgEAMFoGCSqGSIb3DQEHATAeBglghkgBZQMEAS4wEQQMgQ3Jqbiab/UmCgABAgEQgC07be/jfDcxvfgknNfhu+3RaIFcG6Iq3j3BzrXc3Q5vd7PbqbUwhOwEOFh3psM=

Note: You can use either the key ID itself (89d2b487-a3b0-b3c4-8566-8bd2x33bfe6a) or an alias (alias/my-key-alias).

Decrypt that string, to see if it is what you expected.

$ kms-decrypt AQICAHib94n55VYAGsQDxXZKuQdy85AW0GGbuyMmdm15thBVJwEj1ZLHx8LaUi3w0ETzRCTrAAAAcDBuBgkqhkiG9w0BBwagYTBfAgEAMFoGCSqGSIb3DQEHATAeBglghkgBZQMEAS4wEQQMgQ3Jqbiab/UmCgABAgEQgC07be/jfDcxvfgknNfhu+3RaIFcG6Iq3j3BzrXc3Q5vd7PbqbUwhOwEOFh3psM=
A plaintext string

Code

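#!/usr/bin/env python

from chalice_helpers import env, env_secret

# Both functions are methods of a class (note `self`); self.__get_conn is
# that class's own connection factory and is not shown here.

def __db_writer(self):
    # DB_PASSWORD_SECRET ends in _SECRET, so env() decrypts it by convention.
    return self.__get_conn(host=env('DB_HOST_WRITER', 'localhost'),
                           user=env('DB_USERNAME', 'root'),
                           passwd=env('DB_PASSWORD_SECRET', '*****'),
                           db=env('DB_DATABASE', 'dev'))

def __db_reader(self):
    # env_secret() requests decryption explicitly, whatever the variable name.
    return self.__get_conn(host=env('DB_HOST_READER', 'localhost'),
                           user=env('DB_USERNAME', 'root'),
                           passwd=env_secret('DB_PASSWORD_SECRET', '*****'),
                           db=env('DB_DATABASE', 'dev'))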

By convention, any environment variable whose name ends with _SECRET has its value decrypted before it is returned. If you prefer not to follow that convention, you can call chalice_helpers.env_secret('DB_PASSWORD', '*****') instead.

You will also find the chalice_helpers.encrypt(key_id, plaintext) and chalice_helpers.decrypt(encoded) functions available if you need to use them in your function.
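
An added example, not part of chalice_helpers: a small audit that checks a parsed .chalice/config.json against the _SECRET convention described above. It flags variables named _SECRET whose value is not ciphertext, and ciphertext stored under a name without the suffix (as SLACK_BOT_TOKEN is in the configuration above), which by that convention has to be read with env_secret(). The function names, the 64-byte heuristic and the sample values are assumptions made for this illustration.

```python
import base64
import binascii

SUFFIX = "_SECRET"
# Heuristic (assumption): an encrypted value is strict base64 decoding to at
# least this many bytes. Long base64-looking plaintext can be a false positive.
MIN_BLOB_BYTES = 64


def looks_encrypted(value):
    """True if value is strict base64 that decodes to >= MIN_BLOB_BYTES bytes."""
    try:
        raw = base64.b64decode(value, validate=True)
    except (binascii.Error, ValueError, TypeError):
        return False
    return len(raw) >= MIN_BLOB_BYTES


def audit_config(config):
    """Return sorted (variable, finding) pairs for a parsed .chalice/config.json."""
    findings = []
    # Top-level variables plus any per-stage overrides.
    scopes = [("", config.get("environment_variables", {}))]
    for stage, body in config.get("stages", {}).items():
        scopes.append((stage + ":", body.get("environment_variables", {})))
    for prefix, variables in scopes:
        for name, value in variables.items():
            encrypted = looks_encrypted(value)
            if name.endswith(SUFFIX) and not encrypted:
                findings.append((prefix + name, "named _SECRET but value is not ciphertext"))
            elif encrypted and not name.endswith(SUFFIX):
                findings.append((prefix + name, "ciphertext without _SECRET: use env_secret()"))
    return sorted(findings)


# Constructed sample: BLOB is filler bytes, not real kms-encrypt output.
BLOB = base64.b64encode(bytes(range(96))).decode()
SAMPLE = {
    "environment_variables": {
        "DB_HOST_WRITER": "db.example.internal",
        "SLACK_BOT_TOKEN": BLOB,
        "DB_PASSWORD_SECRET": BLOB,
    },
    "stages": {"dev": {"environment_variables": {"API_KEY_SECRET": "hunter2"}}},
}

if __name__ == "__main__":
    for name, finding in audit_config(SAMPLE):
        print(f"{name}: {finding}")
```

Run it against the output of json.load() on your own config file before deploying; an empty result means every variable is consistent with the convention.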

About

Some utilities for AWS Chalice
