AWS S3 object as a secret source #112

Open
hongkongkiwi opened this issue May 6, 2024 · 5 comments
Comments

@hongkongkiwi

I'd like to use novops to load PEM certificates as well as other more secret things (stored in a secrets store). The PEM certificates are stored in S3 rather than Parameter Store, as it's easier to manage them this way.

Would it be possible to add an S3 plugin which can pull a file from S3 and load it as a file on disk or contents as an environment variable? This would be a really fantastic feature addon!

@PierreBeucher
Owner

PierreBeucher commented May 6, 2024

Hi there, thanks for suggesting this improvement! That's definitely possible, and should be relatively straightforward since most AWS boilerplate code is already present.

We're talking about something like this, right?

```yaml
environments:
  dev:
    variables:
      - name: S3_OBJECT_AS_VAR
        value:
          aws_s3_object:
            bucket: my-bucket
            key: path/to/cert.pem
            # ... other S3 get object param

    files:
      - variable: S3_OBJECT_AS_FILE
        content:
          aws_s3_object:
            bucket: my-bucket
            key: path/to/cert.pem
            # ... other S3 get object param
```

I suppose your object may be encrypted as well, considering the use case?
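A sketch of how a plugin could resolve the `aws_s3_object` source proposed above, added here as an example; it is not novops code and not the implementation in #114. It assumes a boto3-style client with a `get_object(Bucket=..., Key=...)` method (stubbed in memory so it runs offline), a hypothetical convention that any extra keys under `aws_s3_object` are passed straight through to `get_object`, and constructed, non-functional PEM bytes as sample data. Beyond the config shape it shows the two checks a practitioner would want from such a loader: a binary object is refused as a variable instead of being silently mangled, and the file variant is created with mode 0600 and published atomically.

```python
import io
import os
import re
import tempfile

# Constructed sample objects standing in for an S3 bucket (not a real certificate).
SAMPLE_CERT_PEM = (
    b"-----BEGIN CERTIFICATE-----\n"
    b"MIIBszCCAVkCAQAwDQYJKoZIhvcNAQELBQAwEjEQMA4GA1UEAwwHZXhhbXBsZQ==\n"
    b"-----END CERTIFICATE-----\n"
)
SAMPLE_OBJECTS = {
    ("my-bucket", "path/to/cert.pem"): SAMPLE_CERT_PEM,
    ("my-bucket", "path/to/blob.bin"): b"\x00\x01\x02binary",
}


class FakeS3Client:
    """In-memory stand-in for boto3.client("s3") so the example runs offline."""

    def __init__(self, objects):
        self._objects = dict(objects)

    def get_object(self, Bucket, Key, **params):
        try:
            body = self._objects[(Bucket, Key)]
        except KeyError:
            raise FileNotFoundError(f"s3://{Bucket}/{Key}")
        return {"Body": io.BytesIO(body)}


def fetch_s3_object(client, spec):
    """spec is the mapping under `aws_s3_object`: bucket, key, plus any extra
    get_object parameters, passed through unchanged (hypothetical convention)."""
    extra = {k: v for k, v in spec.items() if k not in ("bucket", "key")}
    resp = client.get_object(Bucket=spec["bucket"], Key=spec["key"], **extra)
    return resp["Body"].read()


# One or more PEM blocks, each with matching BEGIN/END labels and base64 body lines.
_PEM_RE = re.compile(
    rb"(?:-----BEGIN ([A-Z ]+)-----\r?\n(?:[A-Za-z0-9+/=]+\r?\n)+-----END \1-----\r?\n?)+"
)


def looks_like_pem(data):
    """Cheap structural check that the object is PEM, useful for a cert source."""
    return _PEM_RE.fullmatch(data) is not None


def resolve_variable(client, spec):
    """Load the object as an environment variable value. NUL bytes cannot
    cross execve(), and we require UTF-8 so the value is plain text."""
    data = fetch_s3_object(client, spec)
    if b"\x00" in data:
        raise ValueError(f"s3://{spec['bucket']}/{spec['key']}: NUL byte, not usable as a variable")
    return data.decode("utf-8")


def resolve_file(client, spec, dest_dir, name):
    """Write the object to dest_dir/name readable only by the owner, and publish
    it with an atomic rename so no reader sees a partial or world-readable file."""
    data = fetch_s3_object(client, spec)
    final = os.path.join(dest_dir, name)
    fd, tmp = tempfile.mkstemp(dir=dest_dir)  # mkstemp creates the file with mode 0600
    try:
        with os.fdopen(fd, "wb") as f:
            f.write(data)
            f.flush()
            os.fsync(f.fileno())
        os.chmod(tmp, 0o600)  # explicit, so the guarantee does not depend on mkstemp defaults
        os.replace(tmp, final)
    except Exception:
        if os.path.exists(tmp):
            os.unlink(tmp)
        raise
    return final


def demo():
    """Resolve the sample cert as a variable and as a file; report what a test can check."""
    client = FakeS3Client(SAMPLE_OBJECTS)
    spec = {"bucket": "my-bucket", "key": "path/to/cert.pem"}
    var = resolve_variable(client, spec)
    path = resolve_file(client, spec, tempfile.mkdtemp(), "cert.pem")
    with open(path, "rb") as f:
        on_disk = f.read()
    try:
        resolve_variable(client, {"bucket": "my-bucket", "key": "path/to/blob.bin"})
        refused = False
    except ValueError:
        refused = True
    return {
        "var": var,
        "pem_ok": looks_like_pem(on_disk),
        "mode": os.stat(path).st_mode & 0o777,
        "file_matches": on_disk == SAMPLE_CERT_PEM,
        "binary_refused": refused,
    }


if __name__ == "__main__":
    print(demo())
```

For real use, replace `FakeS3Client` with `boto3.client("s3")`; server-side encryption (SSE-KMS or SSE-S3) is transparent to `get_object`, so the encrypted-object case in the question needs no change here beyond the caller having `kms:Decrypt` on the key.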

@hongkongkiwi
Author

hongkongkiwi commented May 6, 2024

Yup, exactly right.

Encryption is a nice-to-have, and I would consider storing more sensitive data in S3 if this feature is available, but for my initial use case it's not necessary.

I'm storing signed certificates only, so in a sense it's not secret data. For the private keys, which are sensitive data, I'm using something like this, which allows me to use KMS keys locally in the same way you would normally use key files; this way it's much more secure from compromise, as it's impossible to copy the keys.

@PierreBeucher
Owner

Great, let's start with something like this then. I'll keep you posted.

@PierreBeucher
Owner

Incoming! #114

@PierreBeucher
Owner

Solved with #114 and released with 0.15.0. Let me know how it goes for you so we can close this issue ;)
