Using AWS and segment.io/chamber CLI for managing secrets for your projects

Ruslan Gainutdinov
Jan 24 · 2 min read

Introduction

There are a lot of ways of storing per-project secrets, such as passwords, tokens, private API URLs, etc.

One can use local files that are not committed, .bashrc env vars, other hosted services such as HashiCorp Vault, etc.

But if you want to share your code with others, including secrets, you need a universal solution anyone can use.

Pricing (2019-01-24)

  1. KMS key — $1/month + $0.03 per 10,000 requests
  2. SSM Parameter store — free

Install chamber

# Download chamber and build it locally
> go get github.com/segmentio/chamber
# Put alias to chamber executable into bashrc
> echo "alias chamber=$GOPATH/bin/chamber" | tee -a ~/.bashrc && source ~/.bashrc
> chamber version
chamber dev

KMS key

Create a KMS key called parameter_store_key, or create an alias named parameter_store_key for your existing KMS key.

Pro-tip: With the right IAM access token, and by creating all parameter values in the UI, you can skip creating a KMS key (and thus avoid paying $1/month). Enter all secure values using the alias/aws/ssm key.

SSM Parameter store

The format for variable names is /<service-name>/ENV_NAME

When you run chamber you specify a service name:

> chamber exec azure/test1 -- sh -c set | grep SQL
SQL_HELLO='....'
SQL_USER='....'
SQL_X='.....'

Variables are taken from AWS Systems Manager -> Parameter store.

You can write new key/value pairs using the Web UI or the chamber CLI:
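The listing command above prints the secret values themselves to the terminal, and to any CI log that captures the output. The following is an added example, not code from the original post, that checks the same variables while printing only their names and lengths; the script name check-env.sh is an assumption.

```sh
#!/bin/sh
# Added example (not from the original post): confirm that the variables
# injected by chamber are present without ever printing their values.
# Hypothetical usage, with this file saved as check-env.sh:
#   chamber exec azure/test1 -- sh ./check-env.sh SQL_HELLO SQL_USER SQL_X

# Prints "NAME set (N chars)" for each variable that is set and non-empty,
# and "NAME MISSING" on stderr otherwise.
# Returns 0 only if every requested name is set and non-empty.
check_env() {
    missing=0
    for name in "$@"; do
        # Accept only valid variable names, so the eval below can never
        # execute anything other than a plain parameter expansion.
        case "$name" in
            ''|[!A-Za-z_]*|*[!A-Za-z0-9_]*)
                echo "$name INVALID-NAME" >&2
                missing=1
                continue ;;
        esac
        # Indirect lookup: copy the value of the variable called $name.
        eval "value=\${$name-}"
        if [ -n "$value" ]; then
            echo "$name set (${#value} chars)"
        else
            echo "$name MISSING" >&2
            missing=1
        fi
    done
    unset value   # do not keep a copy of the last secret around
    return "$missing"
}

# When run as a script, check the names given on the command line.
if [ "$#" -gt 0 ]; then
    check_env "$@"
fi
```

A non-zero exit status makes the check usable as a gate in a build or deploy step before the real command runs.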

> chamber write azure/test1 NAME VALUE

Pass chamber when running a command

Embed chamber into any command by prefixing it with chamber exec:

> chamber exec <service-name> -- my-awesome-build-or-deploy-command

All variables will be available in the environment, e.g. as $SQL_HELLO.

For example, if you want to define serverless.com deploy command, you can do it this way:

# package.json:
"scripts": {
"deploy": "chamber exec azure/test1 -- npx serverless deploy"
}

Production

When running for production, use AWS_PROFILE, AWS_REGION or the aws-vault command to select a different AWS account/role for accessing AWS SSM Parameter store.

Example usage

My Azure FaaS test project uses chamber to conveniently store and access SQL database credentials
