Ubiquitous Encryption: Using AWS KMS to Share Credentials

Draft!

Ubiquitous Encryption

Using AWS KMS

Use case: Storing shared credentials (e.g., database username/passwords)
Credstash: using KMS and DynamoDB to manage credentials

Systems often need access to shared credentials: your service may need a database password or an API key. Some AWS services can be granted access to such resources through IAM roles and policies, so the service never has to hold the credential itself. This section describes a way of securing credentials for services that do not have that option.

CredStash is a simple credential management and distribution system built on top of:

  • AWS Key Management Service (KMS)
  • DynamoDB
https://github.com/fugue/credstash

You will need to set up a (master) key in KMS and a DynamoDB table to store the encrypted contents and the wrapped data keys.

$ aws kms create-key --policy file://path/to/policy

Note: without --policy, the key gets the default key policy, which is a "for your user or role only" policy.

Don't forget to create the DynamoDB table as well. When both exist, store a value with:

$ credstash put [credential-name] [credential-value]

and retrieve it with:

$ credstash get [credential-name]

You can now incorporate this into your application or bootstrapping process:

$ export DBPASSWORD=$(credstash get my.secret.credential.for.my.db)
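To make the "wrapped data keys" from the setup step concrete, here is an added example (not code from CredStash, AWS, or the author) that walks the envelope-encryption pattern CredStash uses end to end: KMS hands out a fresh 64-byte data key, half of it encrypts the secret and half keys an HMAC-SHA256 over the ciphertext, and the DynamoDB item stores only the ciphertext, the HMAC and the KMS-wrapped copy of the data key. Everything named here is constructed for the example: InMemoryKMS and InMemoryTable stand in for the boto3 KMS client and a DynamoDB table (same method names and keyword arguments), keystream_xor is a keyed-BLAKE2b counter-mode cipher standing in for AES-CTR because the standard library has no AES, and demo() runs a round trip plus a tamper check.

```python
"""Envelope encryption in the style of credstash, using only the standard library.

Constructed stand-ins (not credstash code, not the AWS SDK):
  - InMemoryKMS mimics the two boto3 KMS calls credstash depends on,
    generate_data_key and decrypt; its master key never leaves the object.
  - InMemoryTable mimics a DynamoDB table with put_item / get_item.
  - keystream_xor is a counter-mode stream cipher built on keyed BLAKE2b,
    standing in for AES-CTR, which the standard library does not provide.
"""
import base64
import hashlib
import hmac
import os

VERSION_WIDTH = 19  # credstash zero-pads the version attribute to this width


def keystream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """XOR data with a keyed-BLAKE2b counter-mode keystream (AES-CTR stand-in)."""
    out = bytearray()
    for counter, start in enumerate(range(0, len(data), 64)):
        pad = hashlib.blake2b(nonce + counter.to_bytes(8, "big"), key=key).digest()
        out.extend(a ^ b for a, b in zip(data[start:start + 64], pad))
    return bytes(out)


class InMemoryKMS:
    """Stand-in for the boto3 KMS client; wraps data keys under a master key."""

    def __init__(self) -> None:
        self._master = os.urandom(32)  # in real KMS this key is not exportable

    def generate_data_key(self, KeyId: str, NumberOfBytes: int) -> dict:
        plaintext = os.urandom(NumberOfBytes)
        nonce = os.urandom(16)
        wrapped = nonce + keystream_xor(self._master, nonce, plaintext)
        return {"Plaintext": plaintext, "CiphertextBlob": wrapped, "KeyId": KeyId}

    def decrypt(self, CiphertextBlob: bytes) -> dict:
        nonce, body = CiphertextBlob[:16], CiphertextBlob[16:]
        return {"Plaintext": keystream_xor(self._master, nonce, body)}


class InMemoryTable:
    """Stand-in for a DynamoDB table keyed on (name, version)."""

    def __init__(self) -> None:
        self._items: dict = {}

    def put_item(self, Item: dict) -> None:
        self._items[(Item["name"], Item["version"])] = dict(Item)

    def get_item(self, Key: dict) -> dict:
        item = self._items.get((Key["name"], Key["version"]))
        return {"Item": item} if item is not None else {}


def put_secret(kms, table, name: str, secret: str, key_id="alias/credstash", version=1) -> None:
    """Store one secret: fresh 64-byte data key, half for encryption, half for the HMAC."""
    dk = kms.generate_data_key(KeyId=key_id, NumberOfBytes=64)
    enc_key, mac_key = dk["Plaintext"][:32], dk["Plaintext"][32:]
    nonce = os.urandom(16)
    ciphertext = nonce + keystream_xor(enc_key, nonce, secret.encode())
    table.put_item(Item={
        "name": name,
        "version": str(version).zfill(VERSION_WIDTH),
        "key": base64.b64encode(dk["CiphertextBlob"]).decode(),  # wrapped data key
        "contents": base64.b64encode(ciphertext).decode(),
        "hmac": hmac.new(mac_key, ciphertext, hashlib.sha256).hexdigest(),
    })
    # the plaintext data key is dropped here; only KMS can recover it from "key"


def get_secret(kms, table, name: str, version=1) -> str:
    """Fetch one secret: unwrap the data key, verify the HMAC, only then decrypt."""
    key = {"name": name, "version": str(version).zfill(VERSION_WIDTH)}
    item = table.get_item(Key=key).get("Item")
    if item is None:
        raise KeyError(name)
    dk = kms.decrypt(CiphertextBlob=base64.b64decode(item["key"]))["Plaintext"]
    enc_key, mac_key = dk[:32], dk[32:]
    ciphertext = base64.b64decode(item["contents"])
    expected = hmac.new(mac_key, ciphertext, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, item["hmac"]):
        raise ValueError("integrity check failed for " + name)
    return keystream_xor(enc_key, ciphertext[:16], ciphertext[16:]).decode()


def demo() -> dict:
    """Round trip one credential, then show that a flipped ciphertext byte is caught."""
    kms, table = InMemoryKMS(), InMemoryTable()
    name = "my.secret.credential.for.my.db"
    put_secret(kms, table, name, "hunter2")  # constructed sample secret
    item = table.get_item(Key={"name": name, "version": "1".zfill(VERSION_WIDTH)})["Item"]
    at_rest = base64.b64decode(item["contents"])
    recovered = get_secret(kms, table, name)
    corrupted = bytearray(at_rest)
    corrupted[-1] ^= 0x01
    item["contents"] = base64.b64encode(bytes(corrupted)).decode()  # edits the stored item in place
    try:
        get_secret(kms, table, name)
        tamper_detected = False
    except ValueError:
        tamper_detected = True
    return {"recovered": recovered,
            "plaintext_at_rest": b"hunter2" in at_rest,
            "tamper_detected": tamper_detected}


if __name__ == "__main__":
    print(demo())
```

Because the stand-ins keep boto3's method names and keyword arguments, put_secret and get_secret run unchanged against boto3.client("kms") and boto3.resource("dynamodb").Table("credential-store") once you replace the two classes; the real client additionally accepts an EncryptionContext on both generate_data_key and decrypt, which binds the wrapped key to the credential it protects. The point the table layout makes is that a reader of the DynamoDB table alone learns nothing: without kms:Decrypt on the master key there is no way to recover the data key, and the HMAC is checked before any decryption so a modified item is rejected rather than yielding garbage.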
Author: Angelique Dawnbringer
Published: 2016-05-29 14:06:26
Keywords:
  • Ubiquitous Encryption
  • AWS KMS
  • DynamoDB
  • CredStash
Modified: 2017-09-10 17:51:30