Share passwords and secrets securely using S3
A command-line tool for creating and accessing passwords and other secrets securely. It uses S3 for storage and IAM permissions for access control. Perfect for sharing passwords within your team.
Secrets are stored as plain text files in S3 and automatically encrypted at rest using server-side encryption.
npm install --global @robinmurphy/secrets
Make sure you've exported your AWS credentials:
export AWS_ACCESS_KEY=...
export AWS_SECRET_ACCESS_KEY=...
Follow the bucket setup guide to create your S3 bucket.
Store a secret:
secrets set npm_password supersecret
List secrets:
secrets
# => npm_password
Get a secret:
secrets npm_password
# => supersecret
Remove a secret:
secrets rm npm_password
Use the AWS Console to create a new bucket, or use the following CloudFormation template:
{
  "Resources": {
    "S3Bucket": {
      "Type": "AWS::S3::Bucket"
    }
  }
}
Export the name of the bucket you created:
export SECRETS_BUCKET_NAME=my-secrets-bucket
You control access to your secrets using IAM permissions. The easiest way to do this is to create an IAM policy that grants read/write access to your bucket and attach it to the users, groups or roles that need access. Here's an example policy document that grants read/write access:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": ["s3:ListBucket"],
      "Resource": ["arn:aws:s3:::my-secrets-bucket"]
    },
    {
      "Effect": "Allow",
      "Action": [
        "s3:PutObject",
        "s3:GetObject",
        "s3:DeleteObject"
      ],
      "Resource": ["arn:aws:s3:::my-secrets-bucket/*"]
    }
  ]
}
You can create separate read/write policies if you don't want everyone to be able to modify your secrets.
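One way to split the policy above into separate read and write policies, shown as an added CloudFormation example that is not part of the project's own templates. The resource names SecretsReadPolicy and SecretsWritePolicy are hypothetical; the bucket resource is the one from the template earlier on this page.

```json
{
  "Description": "Added example, not the project's own template: secrets bucket with separate read and write policies",
  "Resources": {
    "S3Bucket": {
      "Type": "AWS::S3::Bucket"
    },
    "SecretsReadPolicy": {
      "Type": "AWS::IAM::ManagedPolicy",
      "Properties": {
        "Description": "Hypothetical policy name. Allows listing and reading secrets only.",
        "PolicyDocument": {
          "Version": "2012-10-17",
          "Statement": [
            {
              "Effect": "Allow",
              "Action": ["s3:ListBucket"],
              "Resource": [{ "Fn::GetAtt": ["S3Bucket", "Arn"] }]
            },
            {
              "Effect": "Allow",
              "Action": ["s3:GetObject"],
              "Resource": [{ "Fn::Sub": "${S3Bucket.Arn}/*" }]
            }
          ]
        }
      }
    },
    "SecretsWritePolicy": {
      "Type": "AWS::IAM::ManagedPolicy",
      "Properties": {
        "Description": "Hypothetical policy name. Allows creating, overwriting and removing secrets.",
        "PolicyDocument": {
          "Version": "2012-10-17",
          "Statement": [
            {
              "Effect": "Allow",
              "Action": ["s3:PutObject", "s3:DeleteObject"],
              "Resource": [{ "Fn::Sub": "${S3Bucket.Arn}/*" }]
            }
          ]
        }
      }
    }
  }
}
```

Attach the read policy to everyone who needs the secrets and the write policy only to the users, groups or roles that maintain them. Because the template creates IAM resources, CloudFormation requires the stack to be created with the CAPABILITY_IAM acknowledgement.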