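def delete_secret(self, key):
    """Delete a secret from the environment vault table.

    Args:
        key: The secret's ``id`` in the secrets table.

    Returns:
        The stored (KMS-encrypted) ciphertext blob of the deleted item, or
        ``None`` when no item with that key existed.

    Raises:
        RequiresVaultError: when the environment has no secrets-vault layer.
    """
    if not self.vault_layer:
        msg = "No secrets-vault layer in this environment"
        self.logger.error(msg)
        raise RequiresVaultError(msg)
    # delete_item only echoes the removed item when ReturnValues='ALL_OLD',
    # and then under 'Attributes', never 'Item' -- the previous lookup of
    # resp['Item'] raised KeyError on every call.  Uses the same DynamoDB
    # client as set_secret (self.dynamodb) instead of building a new one.
    resp = self.dynamodb.client.delete_item(
        TableName=self.__secrets_table_name,
        Key={'id': {'S': key}},
        ReturnValues='ALL_OLD')
    old_item = resp.get('Attributes')
    if not old_item:
        return None
    return old_item['value']['B']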
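def get_secret(self, key):
    """Retrieve and decrypt a secret from the environment vault table.

    Args:
        key: The secret's ``id`` in the secrets table.

    Returns:
        The decrypted secret as ``str`` (the KMS plaintext is decoded as
        UTF-8, matching the string ``set_secret`` hands to ``encrypt``).

    Raises:
        RequiresVaultError: when the environment has no secrets-vault layer.
        KeyError: when no item with ``key`` exists in the table.
    """
    if not self.vault_layer:
        msg = "No secrets-vault layer in this environment"
        self.logger.error(msg)
        raise RequiresVaultError(msg)
    # Same DynamoDB client set_secret writes with (self.dynamodb).
    resp = self.dynamodb.client.get_item(
        TableName=self.__secrets_table_name,
        Key={'id': {'S': key}})
    if 'Item' not in resp:
        # get_item omits 'Item' for an unknown key; report the key rather
        # than an opaque KeyError('Item').
        raise KeyError(key)
    encrypted = resp['Item']['value']['B']
    # Decrypt with the configured KMS client (config.boto_config) that
    # set_secret encrypts with, not a default boto3.client('kms'): the
    # default client may resolve to a different region than the key lives in.
    kms = Kms(config.boto_config).client
    # NOTE(review): no EncryptionContext is passed here or on encrypt, so any
    # ciphertext produced under this CMK (e.g. another row's value) decrypts
    # fine if swapped into this row.  Binding {'id': key} on both sides
    # would close that, but existing secrets would need re-encrypting.
    plaintext = kms.decrypt(CiphertextBlob=encrypted)['Plaintext']
    return plaintext.decode()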
def set_secret(self, key, plaintext):
    """Encrypt a secret under the vault's KMS key and store it in the table.

    Args:
        key: The secret's ``id`` in the secrets table.
        plaintext: The secret value, passed to KMS ``encrypt`` unchanged.

    Returns:
        The raw DynamoDB ``put_item`` response.

    Raises:
        RequiresVaultError: when the environment has no secrets-vault layer.
    """
    if not self.vault_layer:
        msg = "No secrets-vault layer in this environment"
        self.logger.error(msg)
        raise RequiresVaultError(msg)
    kms = Kms(config.boto_config).client
    # NOTE(review): encrypt is called without an EncryptionContext, so the
    # stored ciphertext is not bound to this row's id; a swapped-in blob
    # encrypted under the same CMK would still decrypt.
    ciphertext = kms.encrypt(KeyId=self.kms_key_id, Plaintext=plaintext)['CiphertextBlob']
    item = {
        'id': {'S': key},
        'value': {'B': ciphertext},
    }
    return self.dynamodb.client.put_item(TableName=self.__secrets_table_name, Item=item)
def kms_key_id(self):
    """The ID of the KMS key associated with the environment vault.

    Read from the vault layer's outputs under ``KmsKeyId``.

    Raises:
        RequiresVaultError: when the environment has no secrets-vault layer.
    """
    # NOTE(review): set_secret reads this as ``self.kms_key_id`` without
    # calling it, which suggests it is exposed as a property; the decorator
    # is not visible in this excerpt -- confirm.
    if not self.vault_layer:
        raise RequiresVaultError("Requires a secrets-vault layer")
    vault_outputs = self.outputs[self.vault_layer.name]
    return vault_outputs['KmsKeyId']