CredStash for PHP
This is a PHP port of the original CredStash (written in Python). Encryption and DynamoDB storage are compatible with the Python version, so both can work side by side. There is an optional CLI tool as well; details are below.
More information about what CredStash is, how it works, and how to set it up can be read in their README.
$ composer require gmo/credstash
Create CredStash instance
The easiest way to create CredStash is with the AWS SDK object:
    <?php

    use CredStash\CredStash;

    $sdk = new Aws\Sdk(); // config omitted

    $credStash = CredStash::createFromSdk($sdk);
Getting individual secrets:
    // Get secret for "foo" credential
    $secret = $credStash->get('foo');

    // Including context parameters
    $secret = $credStash->get('foo', ['env' => 'prod']);

    // By default, the latest version is used,
    // but a specific version can be passed in.
    $secret = $credStash->get('foo', [], 2);
Getting multiple secrets:
    // Get latest version of all secrets
    $secrets = $credStash->getAll();
    // ['foo' => 'secret', 'bar' => 'another secret'];

    // Including context parameters
    $secrets = $credStash->getAll(['env' => 'prod']);

    // Get specific version for all secrets
    $secrets = $credStash->getAll([], 2);

    // Get all secrets matching pattern
    $secrets = $credStash->search('ssl.*'); // matches "ssl.foo" and "ssl.bar"

    // This version also allows "?" and "[]" patterns.
    $secrets = $credStash->search('s?l'); // matches "ssl" and "sdl"
    $secrets = $credStash->search('gr[ae]y'); // matches "gray" and "grey"

    // Context and version can be specified here as well
    $secrets = $credStash->search($pattern, $context, $version);
    // Put secret into store at the next highest version
    $credStash->put('foo', 'secret');

    // Including context parameters
    $credStash->put('foo', 'secret', ['env' => 'prod']);

    // Put secret into store at a specified version
    $credStash->put('foo', 'secret', [], 2);
Listing credentials and their latest versions:
    $credentials = $credStash->listCredentials();
    // ['foo' => '000000000000000002', 'bar' => '000000000000000003'];

    // As you can see, versions are padded to ensure sorting is consistent.
    // They can optionally be converted to integers
    // by passing false to the $pad parameter.
    $credentials = $credStash->listCredentials(false);
    // ['foo' => 2, 'bar' => 3];
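Why the padding matters for secret rotation, as an added example that is not code from this library: if version numbers are compared as strings (an assumption about how the store orders them), an unpadded "10" sorts before "9" and a stale secret would be picked as the latest. The helper names `padVersion` and `latestByStringOrder` are hypothetical, and the pad width is taken from the sample value in the listing output above.

```php
<?php
// Added example; not part of the CredStash library.
// Sample padded version copied from the listCredentials() output above.
const SAMPLE_PADDED = '000000000000000002';

/** Left-pad an integer version with zeros to a fixed width. */
function padVersion(int $version, int $width): string
{
    return str_pad((string) $version, $width, '0', STR_PAD_LEFT);
}

/** Return the "highest" version under plain byte-wise string ordering. */
function latestByStringOrder(array $versions): string
{
    usort($versions, 'strcmp');
    return end($versions);
}

$width  = strlen(SAMPLE_PADDED);
$stored = [2, 9, 10]; // constructed: three versions of one credential

$unpadded = array_map('strval', $stored);
$padded   = array_map(fn (int $v) => padVersion($v, $width), $stored);

// Byte-wise, "10" < "2" < "9": string order and numeric order disagree.
echo 'unpadded latest: ', latestByStringOrder($unpadded), PHP_EOL;

// With equal-width zero padding, string order equals numeric order.
$latest = latestByStringOrder($padded);
echo 'padded latest:   ', $latest, ' (', (int) $latest, ')', PHP_EOL;

// The next version to write is the latest plus one, padded the same way.
echo 'next version:    ', padVersion((int) $latest + 1, $width), PHP_EOL;
```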
Note: The CLI tool requires Symfony's Console Component to be installed manually, because it is an optional dependency.
$ composer require symfony/console
The CLI tool is compatible with the Python version, with a couple of differences due to compatibility with Symfony's Console Application's standard commands/parameters.
The Python version has --version to specify the version to
Here it is --cred-version, because Symfony uses this for the version of the console tool.
The Python version's list command is renamed to
Symfony has a list command that lists the commands available.
Other than these two differences they are exactly the same.
More info can be found in their README or by running this tool without any arguments.
Info for each command can be viewed with the standard help command or