Secrets Management on AWS with S3 and KMS using Golang



Learning golang at the moment and wanted an easy and cheap way to store encrypted application secrets on S3.

What does it do

The cli tool allows you to:

  • encrypt a string to an S3 path-styled key, e.g. secrets/production/
  • the string is encrypted with your KMS key
  • the encrypted data is stored on S3 with Server Side Encryption (SSE)
  • when the key is downloaded from S3 directly, the data is in an encrypted form, making it unusable
  • when using the tool's get method, it decrypts the data using the KMS key and returns the secret to stdout
  • authentication: IAM roles/users

As it can be run from a binary, it makes it easy to read application secrets.
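
The put/get flow listed above, as an added Go example that is not the repository's code: a local AES-256-GCM key stands in for the KMS key and a map stands in for the S3 bucket, so it runs offline. The secret name secrets/production/example is constructed, and binding that name into the ciphertext as authenticated data is an assumption of this example, not something the README says the tool does.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
)

// newLocalKMS returns an in-memory AES-256-GCM key: a stand-in for the KMS key.
func newLocalKMS() (cipher.AEAD, error) {
	key := make([]byte, 32)
	if _, err := rand.Read(key); err != nil {
		return nil, err
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Put stores nonce||ciphertext under name; s3 (a map) stands in for the bucket.
func Put(kms cipher.AEAD, s3 map[string][]byte, name, value string) error {
	nonce := make([]byte, kms.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return err
	}
	s3[name] = kms.Seal(nonce, nonce, []byte(value), []byte(name)) // name is AAD
	return nil
}

// Get decrypts the object at name; a blob copied to another name fails to open.
func Get(kms cipher.AEAD, s3 map[string][]byte, name string) (string, error) {
	blob, n := s3[name], kms.NonceSize()
	if len(blob) < n {
		return "", fmt.Errorf("secret %q missing or truncated", name)
	}
	pt, err := kms.Open(nil, blob[:n], blob[n:], []byte(name))
	return string(pt), err
}

func main() {
	kms, err := newLocalKMS()
	if err != nil {
		panic(err)
	}
	s3 := map[string][]byte{}
	_ = Put(kms, s3, "secrets/production/example", "rds_admin")
	fmt.Println(Get(kms, s3, "secrets/production/example"))
}
```

Reading `s3["secrets/production/example"]` directly corresponds to the direct S3 download described above: the caller gets only the nonce and ciphertext, and without access to the key the value stays unreadable.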


Build a binary:

$ go build -o secretstore main.go

Store your database username as a secret to secrets/production/

$ ./secretstore -put -secretName=secrets/production/ -secretValue=rds_admin

Read the database username from the secret:

$ ./secretstore -get -secretName=secrets/production/

Read the S3 key directly using the cli:

$ aws --profile test s3 cp s3://<your_s3_bucket>/secrets/production/ ./username
$ cat ./username