#!/bin/sh
# Copyright 2022 Mitchell Riedstra
# 
# Permission to use, copy, modify, and/or distribute this software for any purpose
# with or without fee is hereby granted, provided that the above copyright notice
# and this permission notice appear in all copies.
# 
# THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES WITH
# REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY AND
# FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY SPECIAL, DIRECT,
# INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM LOSS
# OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE OR OTHER
# TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR PERFORMANCE OF
# THIS SOFTWARE.
# 
# This DPW storage plugin is backed by the AWS Parameter Store (SSM).
# Parameters are stored as SecureString by default. You can optionally set an
# environment variable to select a particular KMS key.
#
# The environment variable DPW_SSM_PREFIX can be used to prefix all keys
# with a specific identifier.
#
# You can configure this client to use a non default KMS key with the
# environment variable DPW_KMS_KEY=<key-id>
#
# Configuration of the AWS calls should be done through environment variables
# Most notable are:
#
# AWS_PROFILE
# AWS_DEFAULT_REGION
# AWS_ACCESS_KEY_ID
# AWS_SECRET_ACCESS_KEY
#
# Full docs:
# https://docs.aws.amazon.com/cli/latest/userguide/cli-configure-envvars.html
# Abort on the first failing command. Note that plain POSIX sh has no
# pipefail, so a failure in a non-final pipeline stage is not caught by this.
set -e
# set -x   (tracing would print every command with its arguments, including
#           the parameter values handled by the functions below)

# Default to owner-only permissions for anything this script creates, e.g.
# the temp file used by insert(); PASSWORD_STORE_UMASK overrides it.
UMASK=${PASSWORD_STORE_UMASK:-077}
umask "$UMASK"

# Interface

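#######################################
# Print the decrypted secret stored under the given key to stdout.
# Globals:   DPW_SSM_PREFIX (read) - optional prefix prepended to the key
# Arguments: $1 - key (parameter name without the prefix)
# Outputs:   decoded secret on stdout; diagnostics on stderr
# Returns:   1 when no key is given or the SSM lookup fails
#######################################
show() {
	if [ $# -lt 1 ]; then
		printf 'show: missing key\n' >&2
		return 1
	fi
	pth="$1"; shift
	# Fetch into a variable before piping: this script runs under POSIX sh
	# without pipefail, so a failed aws call inside the pipeline would be
	# masked by base64's exit status and silently print nothing.
	_param="$(aws ssm get-parameter --with-decryption --name "${DPW_SSM_PREFIX}$pth")" || return 1
	printf '%s\n' "$_param" \
		| jq -r '.Parameter | .Value' \
		| base64 -d
}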


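#######################################
# Store the secret read from stdin under the given key as a SecureString.
# Globals:   DPW_SSM_PREFIX (read) - optional prefix prepended to the key
#            DPW_KMS_KEY (read) - optional KMS key id; SSM default when empty
# Arguments: $1 - key (parameter name without the prefix)
# Inputs:    secret on stdin
# Outputs:   confirmation prompt on stdout when /dev/shm is unavailable
# Returns:   1 when no key is given, the user declines /tmp, or aws fails
#######################################
insert() {
	if [ $# -lt 1 ]; then
		printf 'insert: missing key\n' >&2
		return 1
	fi
	pth="$1"; shift

	# Prefer the memory-backed /dev/shm so the encoded secret never touches
	# disk; fall back to /tmp only with explicit consent.
	tmpdir=/dev/shm
	if ! [ -d "$tmpdir" ] ; then
		printf "Your system does not have /dev/shm, continue? [Yy] "
		read -r resp
		ok=0
		case $resp in
			Y*|y*) ok=1 ;;
		esac
		printf '\n'
		if [ "$ok" -eq 0 ]; then
			# Nothing was stored, so report failure to the caller.
			return 1
		fi
		tmpdir=/tmp
	fi
	_f="$(mktemp "${tmpdir}/dpw.XXXXXXXXXX")"
	# Clean up on every exit path: under set -e a failed aws call would
	# otherwise leave the encoded secret behind in the temp file.
	trap 'rm -f -- "$_f"' EXIT
	base64 > "$_f"

	# Hand the value to the CLI as a file reference instead of a literal
	# argument so the secret does not appear in the process list (argv is
	# readable by other users). The file is sent verbatim; the trailing
	# newline emitted by base64 is ignored by base64 -d in show().
	set -- --type SecureString \
		--name "${DPW_SSM_PREFIX}$pth" \
		--value "file://$_f"
	if [ -n "$DPW_KMS_KEY" ] ; then
		# Non-default KMS key requested through the environment.
		set -- --key-id "$DPW_KMS_KEY" "$@"
	fi
	aws ssm put-parameter "$@"
	rm -f -- "$_f"
}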

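#######################################
# Print every key stored under DPW_SSM_PREFIX, one per line, prefix stripped.
# Globals:   DPW_SSM_PREFIX (read) - optional key prefix; empty lists all names
# Outputs:   parameter names on stdout
# Returns:   1 when the SSM call fails
#######################################
list() {
	# Fetch first so a failed aws call is not masked by the pipeline
	# (no pipefail in POSIX sh).
	_out="$(aws ssm describe-parameters)" || return 1
	# Filter and strip in jq with --arg: the prefix is compared literally, so
	# a prefix containing "/" or regex metacharacters (the usual "/app/" form)
	# can no longer break the expression, as it did when interpolated into
	# sed's s/// command. An empty prefix matches every name and strips nothing.
	printf '%s\n' "$_out" \
		| jq -r --arg p "$DPW_SSM_PREFIX" \
			'.Parameters[] | .Name | select(startswith($p)) | .[($p | length):]'
}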

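#######################################
# Delete the parameter stored under the given key.
# Globals:   DPW_SSM_PREFIX (read) - optional prefix prepended to the key
# Arguments: $1 - key (parameter name without the prefix)
# Returns:   1 when no key is given; otherwise the aws exit status
#######################################
remove() {
	# Without this guard an empty call would hit 'shift' with no positional
	# parameters and abort under set -e with a confusing message.
	if [ $# -lt 1 ]; then
		printf 'rm: missing key\n' >&2
		return 1
	fi
	pth="$1"; shift
	aws ssm delete-parameter --name "${DPW_SSM_PREFIX}$pth"
}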

#######################################
# Plugin hook for store initialisation; SSM needs none, so just say so.
# Outputs:   a fixed notice on stdout
#######################################
_init() {
	printf '%s\n' 'No initialization needed'
}

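# Dispatch on the sub-command given as the first argument; the remaining
# arguments are passed through to the handler unchanged.
if [ $# -lt 1 ]; then
	# Without this check 'shift' below fails on an empty argument list and
	# set -e aborts with an unhelpful shell error.
	printf 'Usage: %s show|list|insert|rm|init [key]\n' "${0##*/}" >&2
	exit 1
fi
act="$1"; shift
case $act in
	show) show "$@" ;;
	list) list "$@" ;;
	insert) insert "$@" ;;
	rm) remove "$@" ;;
	init) _init "$@" ;;
	*) printf 'Bad command %s\n' "$act" >&2; exit 1 ;;
esac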