def update_secret(session, secret, kms_arn):
    """Decrypt ``secret['value']`` and store it in Secrets Manager.

    Args:
        session: Object exposing ``client(service_name)``; presumably a
            boto3 session (confirm against the caller).
        secret: Mapping with ``name`` and an encrypted ``value``. The
            optional ``description`` and ``kms`` keys default to ``''``.
        kms_arn: Forwarded to ``kms.decrypt`` together with the ciphertext.
    """
    client = session.client('secretsmanager')

    secret_id = secret['name']
    description = secret.get('description', '')
    key_id = secret.get('kms', '')

    # The plaintext only lives in this local and in the API request; keep it
    # out of log lines and exception messages.
    plaintext = kms.decrypt(session, secret['value'], kms_arn).decode('utf-8')

    client.update_secret(
        SecretId=secret_id,
        Description=description,
        KmsKeyId=key_id,
        SecretString=plaintext,
    )
Exemplo n.º 2
def parse_yaml_parameter_value(session, param_data, kms_arn):
    """Return the value of a parameter entry as a string.

    The value is decrypted through ``kms.decrypt`` only when the entry's
    ``type`` is ``'SecureString'`` and ``decryptOnDeploy`` is truthy (it
    defaults to ``True`` when the key is absent). Otherwise the stored value
    is returned unchanged, converted with ``str``.

    Args:
        session: Forwarded to ``kms.decrypt``.
        param_data: Mapping with ``value`` and ``type``; ``decryptOnDeploy``
            is optional.
        kms_arn: Forwarded to ``kms.decrypt``.
    """
    raw_value = str(param_data['value'])
    should_decrypt = param_data.get('decryptOnDeploy', True)
    is_secure = param_data['type'] == 'SecureString'

    if not (is_secure and should_decrypt):
        # Plain parameters, and SecureStrings that opted out of decryption,
        # are passed through as stored.
        return raw_value

    return kms.decrypt(session, raw_value, kms_arn).decode('utf-8')
Exemplo n.º 3
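def decrypt(env_file, output, profile, region):
    """Decrypt all secrets and SecureString parameters of an environment file.

    Loads the YAML document at ``env_file``, decrypts each secret value and
    each string-valued ``SecureString`` parameter through ``kms.decrypt``
    using ``data['kms']['arn']``, and writes the resulting document to
    ``output`` (or to ``<env_file>.dec`` when ``output`` is falsy).

    The output file contains plaintext secrets. It is therefore created with
    owner-only permissions (0o600) instead of the process default, and an
    already existing file is tightened to the same mode where the platform
    supports ``os.fchmod``. The file should still be deleted after use and
    kept out of version control.

    Args:
        env_file: Path of the encrypted YAML environment file.
        output: Destination path, or a falsy value to use the default name.
        profile: Stored on ``session.aws_profile`` before the session is built.
        region: Stored on ``session.aws_region`` before the session is built.
    """
    # Function-scope import: the file's import block is not visible here.
    import os

    session.aws_profile = profile
    session.aws_region = region
    with open(env_file, 'r') as source:
        data = yaml.safe_load(source.read())

    kms_arn = str(data['kms']['arn'])

    # Missing sections are written out as empty lists, as before.
    data.setdefault('secrets', [])
    data.setdefault('parameters', [])

    _session = session.session()

    for secret in data['secrets']:
        secret['value'] = kms.decrypt(_session, secret['value'],
                                      kms_arn).decode('utf-8')

        # Best effort: a secret holding a JSON document is expanded into
        # structured data; any other value stays a plain string.
        try:
            secret['value'] = json.loads(secret['value'])
        except ValueError:
            pass

    for parameter in data['parameters']:
        # Only string-valued SecureStrings are treated as ciphertext.
        if parameter['type'] == 'SecureString' and isinstance(
                parameter['value'], str):
            decrypted_value = kms.decrypt(_session, parameter['value'],
                                          kms_arn).decode('utf-8')

            # Multi-line values are wrapped in Literal (defined elsewhere in
            # the project; presumably dumped in YAML block style — confirm).
            if '\n' in decrypted_value:
                parameter['value'] = Literal(decrypted_value)
            else:
                parameter['value'] = decrypted_value

    output_file = output if output else f"{env_file}.dec"

    # Create the plaintext file readable and writable by the owner only; a
    # plain open(..., 'w') would apply the umask default (commonly 0o644).
    fd = os.open(output_file, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    with os.fdopen(fd, 'w') as outfile:
        # The mode argument of os.open is ignored for an existing file, so
        # tighten it explicitly where fchmod is available.
        if hasattr(os, 'fchmod'):
            os.fchmod(fd, 0o600)
        yaml.safe_dump(data, outfile)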
def view_secret(env_file, name, profile, region):
    """Print the decrypted value of the secret called ``name``.

    The plaintext goes to stdout, so it can end up in terminal scrollback,
    shell redirections or CI job logs.

    Args:
        env_file: Path of the YAML environment file to read.
        name: Value of the ``name`` key of the wanted ``secrets`` entry.
        profile: Stored on ``session.aws_profile``.
        region: Stored on ``session.aws_region``.

    Raises:
        Exception: If no entry in ``secrets`` has the given name.
    """
    session.aws_profile = profile
    session.aws_region = region

    with open(env_file, 'r') as handle:
        document = yaml.safe_load(handle.read())

    # First entry with a matching name wins.
    for entry in document['secrets']:
        if entry['name'] == name:
            break
    else:
        raise Exception(f'secret {name} not found')

    key_arn = str(document['kms']['arn'])
    ciphertext = str(entry['value'])
    plaintext = kms.decrypt(session.session(), ciphertext,
                            key_arn).decode('utf-8')

    print(plaintext)
Exemplo n.º 5
def view_parameter(env_file, name, non_decrypt, profile, region):
    """Print the value of the parameter called ``name``.

    A ``SecureString`` parameter is decrypted through ``kms.decrypt`` unless
    ``non_decrypt`` is truthy; every other parameter is printed as stored.
    Decrypted output goes to stdout, so it can end up in terminal scrollback
    or CI job logs.

    Args:
        env_file: Path of the YAML environment file to read.
        name: Value of the ``name`` key of the wanted ``parameters`` entry.
        non_decrypt: When truthy, print a SecureString without decrypting it.
        profile: Stored on ``session.aws_profile``.
        region: Stored on ``session.aws_region``.

    Raises:
        Exception: If no entry in ``parameters`` has the given name.
    """
    session.aws_profile = profile
    session.aws_region = region

    with open(env_file, 'r') as handle:
        document = yaml.safe_load(handle.read())

    # First entry with a matching name wins.
    for entry in document['parameters']:
        if entry['name'] == name:
            break
    else:
        raise Exception(f'parameter {name} not found')

    needs_decrypt = entry['type'] == 'SecureString' and not non_decrypt
    if needs_decrypt:
        key_arn = str(document['kms']['arn'])
        shown_value = kms.decrypt(session.session(), str(entry['value']),
                                  key_arn).decode('utf-8')
    else:
        shown_value = str(entry['value'])

    print(shown_value)
Exemplo n.º 6
def parse_yaml_secret_value(session, secret_data, kms_arn):
    """Return the decrypted value of a secret entry as a string.

    Unlike parameters, a secret is always decrypted: the stored value is
    converted with ``str``, passed to ``kms.decrypt`` and the result decoded
    as UTF-8.

    Args:
        session: Forwarded to ``kms.decrypt``.
        secret_data: Mapping holding the encrypted ``value``.
        kms_arn: Forwarded to ``kms.decrypt``.
    """
    ciphertext = str(secret_data['value'])
    return kms.decrypt(session, ciphertext, kms_arn).decode('utf-8')