Go wrapper for credstash secret store
Clever/stealth
stealth

Stealth is a Go interface for writing secrets to, and reading them from, secret stores.

The current storage implementation uses AWS Systems Manager Parameter Store. Previously, it used our fork of unicreds, which is a Go port of credstash and stores secrets in AWS DynamoDB encrypted with KMS.

usage

Stealth can be run standalone for certain administrative tasks. First you'll need to compile the binary:

    make build

To find all secrets that have the same value as an existing secret (for instance, to revoke a leaked secret):

    ./stealth dupes --environment [production OR development] --service [service-name] --key [key name]

You can replace all these values using this command:

    ./stealth dupes --environment [production OR development] --service [service-name] --key [key name] --update-with [value to replace with]
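
The dupes/update-with workflow above, as an added example that is not stealth's own code: an in-memory map keyed `environment/service/key` stands in for the Parameter Store backend (an assumption), `FindDupes` lists every other secret in the same environment sharing the leaked value, and `RotateDupes` rewrites the original and all of its dupes with a replacement value.

```go
package main

import (
	"fmt"
	"sort"
	"strings"
)

// Store maps "environment/service/key" to a secret value. It is a stand-in for
// the real backend (assumption for this example), not stealth's implementation.
type Store map[string]string

func id(env, service, key string) string {
	return strings.Join([]string{env, service, key}, "/")
}

// FindDupes returns the IDs of every other secret in the same environment whose
// value equals the value stored under env/service/key (what `stealth dupes` lists).
func FindDupes(s Store, env, service, key string) ([]string, error) {
	self := id(env, service, key)
	want, ok := s[self]
	if !ok {
		return nil, fmt.Errorf("secret %s not found", self)
	}
	var dupes []string
	for sid, v := range s {
		if sid != self && strings.HasPrefix(sid, env+"/") && v == want {
			dupes = append(dupes, sid)
		}
	}
	sort.Strings(dupes) // deterministic order for reporting
	return dupes, nil
}

// RotateDupes replaces the leaked value everywhere it appears (the original and
// all dupes), as `stealth dupes --update-with` does, and returns the rewritten IDs.
func RotateDupes(s Store, env, service, key, newValue string) ([]string, error) {
	dupes, err := FindDupes(s, env, service, key)
	if err != nil {
		return nil, err
	}
	targets := append([]string{id(env, service, key)}, dupes...)
	for _, t := range targets {
		s[t] = newValue
	}
	return targets, nil
}
```

Secrets in a different environment are left untouched even when they share the value, matching the per-environment scope of the `--environment` flag.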

To delete a secret:

    ./stealth delete --environment [production OR development] --service [service-name] --key [key name]

To write a secret:

    ./stealth write --environment [production OR development] --service [service-name] --key [key name] --value [key value]

To identify discrepancies in secret values across the 4 U.S. AWS regions:

    ./stealth health --environment=ENVIRONMENT --service=SERVICE

Stealth works with the IdentityEngineer SSO Role/Profile to write to the operations or operations-dev account (depending on the --environment value).

    ./stealth write --assume --environment [production OR development] --service [service-name] --key [key name] --value [key value]

If you're using the --assume flag and you are encountering permission issues, try the following before running stealth again:

    export AWS_PROFILE=[IdentityEngineer Profile Name]

tests

To run tests, use:

    make test

This creates, updates, and reads secrets from the ci-test environment secret store, using the AWS credentials in your local environment.

setting up backend infrastructure

If you are using Terraform, you can use the tf-credstash module to set up the DynamoDB table and KMS key that the credstash-based backend needs. For example, to create a dev backend, you can use this Terraform code:

    provider "aws" {}

    module "stealth-dev" {
      source     = "github.com/dfuentes/tf-credstash"
      key_alias  = "alias/stealth-key-dev"
      table_name = "stealth-dev"
    }

license

Apache 2.0

usage at Clever

Stealth is co-owned by #eng-infra and #eng-security. For more info, see http://go/stealth