Diffstat (limited to 'dpw-ssm')
-rwxr-xr-xdpw-ssm112
1 files changed, 112 insertions, 0 deletions
diff --git a/dpw-ssm b/dpw-ssm
new file mode 100755
index 0000000..34bfc2c
--- /dev/null
+++ b/dpw-ssm
@@ -0,0 +1,112 @@
+#!/bin/sh
+# Copyright 2022 Mitchell Riedstra
+#
+# Permission to use, copy, modify, and/or distribute this software for any purpose
+# with or without fee is hereby granted, provided that the above copyright notice
+# and this permission notice appear in all copies.
+#
+# THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES WITH
+# REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY AND
+# FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY SPECIAL, DIRECT,
+# INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM LOSS
+# OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE OR OTHER
+# TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR PERFORMANCE OF
+# THIS SOFTWARE.
+#
+# This DPW storage plugin is backed to the AWS parameter store / SSM.
+# This uses SecureString by default. You can optionally set an environment
+# variable to specify a particular KMS key.
+#
+# The environment variable DPW_SSM_PREFIX can be used to prefix all keys
+# with a specific identifier
+#
+# You can configure this client to use a non default KMS key with the
+# environment variable DPW_KMS_KEY=<key-id>
+#
+# Configuration of the AWS calls should be done through environment variables
+# Most notable are:
+#
+# AWS_PROFILE
+# AWS_DEFAULT_REGION
+# AWS_ACCESS_KEY_ID
+# AWS_SECRET_ACCESS_KEY
+#
+# Full docs:
+# https://docs.aws.amazon.com/cli/latest/userguide/cli-configure-envvars.html
+set -e
+# set -x
+
+UMASK="${PASSWORD_STORE_UMASK:-077}"
+umask "$UMASK"
+
+# Interface
+
+show() {
+pth="$1"; shift
+#shellcheck disable=SC2086
+aws ssm get-parameter --with-decryption --name "${DPW_SSM_PREFIX}$pth" \
+ | jq -r '.Parameter | .Value' \
+ | base64 -d
+}
+
+
+insert() {
+pth="$1"; shift
+
+tmpdir=/dev/shm
+if ! [ -d "$tmpdir" ] ; then
+ printf "Your system does not have /dev/shm, continue? [Yy] "
+ read -r resp
+ ok=0
+ case $resp in
+ Y*|y*) ok=1
+ esac
+ echo ""
+ [ $ok -eq 0 ] && return
+ tmpdir=/tmp
+fi
+_f="$(mktemp "${tmpdir}/dpw.XXXXXXXXXX")"
+base64 > "$_f"
+if [ -n "$DPW_KMS_KEY" ] ; then
+ aws ssm put-parameter \
+ --key-id "$DPW_KMS_KEY" \
+ --type SecureString \
+ --name "${DPW_SSM_PREFIX}$pth" \
+ --value "$(cat "$_f")"
+else
+ aws ssm put-parameter \
+ --type SecureString \
+ --name "${DPW_SSM_PREFIX}$pth" \
+ --value "$(cat "$_f")"
+fi
+rm "$_f"
+}
+
+list() {
+if [ -z "$DPW_SSM_PREFIX" ] ; then
+ aws ssm describe-parameters | jq -r '.Parameters | .[] | .Name'
+else
+ aws ssm describe-parameters | jq -r '.Parameters | .[] | .Name' \
+ | sed -n -e"s/^$DPW_SSM_PREFIX//gp"
+fi
+}
+
+remove() {
+pth="$1"; shift
+aws ssm delete-parameter --name "${DPW_SSM_PREFIX}$pth"
+}
+
+_init() {
+echo "No initialization needed"
+}
+
+act="$1"; shift
+case $act in
+ show) show "$@" ;;
+ list) list "$@" ;;
+ insert) insert "$@" ;;
+ rm) remove "$@" ;;
+ init) _init "$@" ;;
+ *) echo "Bad command $act"; exit 1; ;;
+esac
+
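Review bot: In insert(), both put-parameter branches pass the secret as `--value "$(cat "$_f")"`, so the value lands in argv where any local user can read it from the process table (and in any `set -x` trace), which defeats the care taken to stage it under umask 077 in /dev/shm; and because `set -e` aborts before `rm "$_f"` when the aws call fails, the staged secret is left behind. Keep the value off the command line and guarantee cleanup with `trap 'rm -f "$_f"' EXIT` right after the mktemp line and `--value "file://$_f"` in both branches (the AWS CLI reads the parameter value from the file). In list(), `sed -n -e"s/^$DPW_SSM_PREFIX//gp"` breaks as soon as the prefix contains a `/`, which SSM hierarchical names such as `/myapp/` normally do, and other regex metacharacters in the prefix would be interpreted too; passing the prefix as data to jq avoids both problems, e.g. `jq -r --arg p "$DPW_SSM_PREFIX" '.Parameters[].Name | select(startswith($p)) | ltrimstr($p)'`. The `#shellcheck disable=SC2086` in show() no longer applies to anything and can be dropped.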