skm-lit
v4.0.0
Published
skm-lit is a library for retrieving secrets stored in Cloud Storage
Downloads
116
Readme
skm-lit
skm-lit (secret key manager) is a library for retrieving secrets stored in a Cloud Storage bucket.
Watch out: This library is Node.js only!
Installation
npm install skm-lit
Usage
Require skm-lit as early as possible:
require(`skm-lit`);
Next, define an environment variable that references your secret stored in a Google Storage bucket using skm-lit's special URL syntax. Consult the reference syntax section for details.
# inside .env
MY_SECRET:skm-lit://mybucket/my-secret
After that you can access your secret through the corresponding environment
variable. In this case MY_SECRET
.
Setup a Cloud Storage bucket
This section describes the steps required to create a Cloud Storage bucket manually and setting up the correct permissions.
This is not required on order to use skm-lit. If you already have a Cloud Storage bucket provisioned, you can skip this section.
Install the Google Cloud SDK. If you are running from your local machine, you also need to set Default Application Credentials:
gcloud auth application-default login
This will open a web browser and prompt for a login to your Google account. After a successful login, the gcloud SDK has set your user account as the Default Application Credentials for your machine.
To revoke the credentials, run
gcloud auth application-default revoke
.Export your project ID as an environment variable. The rest of this setup guide assumes this environment variable is set:
export PROJECT_ID=my-gcp-project-id
Please note, this is the project ID, not the project name or project number. You can find the project ID by running
gcloud projects list
or in the web UI.Enable required services on the project:
gcloud services enable --project ${PROJECT_ID} \ storage-api.googleapis.com \ storage-component.googleapis.com
Create a [Cloud Storage][cloud-storage] bucket for storing secrets:
export BUCKET_ID=my-secrets
Replace
my-secrets
with the name of your bucket. Bucket names must be globally unique across all of Google Cloud. You can also create a bucket using the Google Cloud Console from the web.gsutil mb -c standard -l europe-west3 -p ${PROJECT_ID} \ gs://${BUCKET_ID}
It is strongly recommended that you create a new bucket instead of using an existing one. skm-lit should be the only entity managing IAM permissions on the bucket.
Set the default ACL permissions on the bucket to private:
gsutil defacl set private gs://${BUCKET_ID}
gsutil acl set private gs://${BUCKET_ID}
The default permissions grant anyone with Owner/Editor access on the project access to the bucket and its objects. These commands restrict access to the bucket to project owners and access to bucket objects to only their owner. Everyone else must be granted explicit access via IAM to an object inside the bucket.
Reference Syntax
This section describes the syntax for referencing a secret entity. These references will live in environment variables and skm-lit will parse them on library startup.
Syntax
skm-lit://[BUCKET]/[SECRET]?[OPTIONS]
BUCKET
- name of the Cloud Storage bucket where the secret is storedSECRET
- name of the secret in the Cloud Storage bucketOPTIONS
- options specified as URL query parameters
Options
destination
- when specified as a URL query parameter, this controls how the secret is resolved:tempfile
- resolve the secret and write the contents to a tempfile, replacing the environment variable with the path to the tempfile[PATH]
- resolve the secret and write the contents to the specified file path
Examples
Read a secret:
skm-lit://my-bucket/my-secret
Read a secret into a tempfile:
skm-lit://my-bucket/path/to/my-secret?destination=tempfile
Read a secret into [project-root]/path/to/file
relative to the project root:
skm-lit://my-bucket/path/to/my-secret?destination=path/to/file
Read a secret into /path/to/file
absolute to the filesystem:
skm-lit://my-bucket/path/to/my-secret?destination=/path/to/file