Draft!
Ubiquitous Encryption
Using AWS KMS
Use case: Storing shared credentials (e.g., database username/passwords)
Credstash: using KMS and DynamoDB to manage credentials
Systems often need access to shared credentials: your service may need a database password or an API key. Some services in AWS can use IAM roles and policies to obtain access to such resources without ever holding the credentials themselves. This section describes a way of securing credentials for services that do not have this option.
CredStash is a simple credential management and distribution system built on top of:
- AWS Key Management System (KMS)
- DynamoDB
https://github.com/fugue/credstash
You will need to set up a (master) key in KMS and a DynamoDB table to store the encrypted contents together with the wrapped data keys.
$ aws kms create-key --policy file://path/to/policy
Note: without an explicit policy, the default key policy is a "for your user or role only" policy.
And of course, don't forget to create the DynamoDB table. When done, simply run:
$ credstash put [credential-name] [credential-value]
to store a value. To retrieve a value:
$ credstash get [credential-name]
You can now incorporate this in your application or bootstrapping processes:
$ export DBPASSWORD=$(credstash get my.secret.credential.for.my.db)
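What `put` and `get` do behind the scenes is envelope encryption: a fresh data key is generated and wrapped by KMS, the secret is encrypted under that data key, and the wrapped key, ciphertext and an HMAC are stored as one table row. The example below is added here and is not credstash's own code: `FakeKMS` and `TABLE` are constructed stand-ins for KMS and DynamoDB, and the HMAC-based keystream is a constructed stand-in for the AES-CTR that credstash actually uses.

```python
import base64
import hashlib
import hmac
import os

def keystream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Constructed stand-in for AES-CTR: XOR data with an HMAC-SHA256
    keystream derived from key, nonce and a 32-byte block counter."""
    out = bytearray()
    for block, i in enumerate(range(0, len(data), 32)):
        ks = hmac.new(key, nonce + block.to_bytes(4, "big"), hashlib.sha256).digest()
        out += bytes(a ^ b for a, b in zip(data[i:i + 32], ks))
    return bytes(out)

class FakeKMS:
    """Assumed stand-in for AWS KMS: the master key never leaves this object;
    callers only receive data keys (plaintext plus wrapped copy) and may unwrap."""
    def __init__(self):
        self._master = os.urandom(32)

    def generate_data_key(self):
        plaintext = os.urandom(64)          # 32 bytes for encryption, 32 for HMAC
        nonce = os.urandom(16)
        return plaintext, nonce + keystream_xor(self._master, nonce, plaintext)

    def decrypt(self, wrapped: bytes) -> bytes:
        return keystream_xor(self._master, wrapped[:16], wrapped[16:])

TABLE = {}   # constructed stand-in for the DynamoDB table, one row per name

def put(kms, name: str, value: str) -> None:
    data_key, wrapped = kms.generate_data_key()     # fresh data key per secret
    enc_key, mac_key = data_key[:32], data_key[32:]
    nonce = os.urandom(16)
    contents = nonce + keystream_xor(enc_key, nonce, value.encode())
    TABLE[name] = {"key": base64.b64encode(wrapped).decode(),       # wrapped data key
                   "contents": base64.b64encode(contents).decode(),  # ciphertext
                   "hmac": hmac.new(mac_key, contents, hashlib.sha256).hexdigest()}

def get(kms, name: str) -> str:
    row = TABLE[name]
    data_key = kms.decrypt(base64.b64decode(row["key"]))   # unwrap via "KMS"
    enc_key, mac_key = data_key[:32], data_key[32:]
    contents = base64.b64decode(row["contents"])
    expected = hmac.new(mac_key, contents, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, row["hmac"]):   # verify before decrypting
        raise ValueError("integrity check failed for " + name)
    return keystream_xor(enc_key, contents[:16], contents[16:]).decode()
```

Note that a reader only needs permission to unwrap (KMS decrypt), while a writer needs permission to generate data keys; the table itself holds nothing usable without KMS.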