UNPKG

@hsz/kms

Version:

AWS KMS encrypt/decrypt nodejs executable for .env files

github.com/hsz/kms

hsz/kms

108 lines (97 loc) 3.06 kB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
#!/usr/bin/env node const AWS = require('aws-sdk'); const fs = require('fs'); const program = require('commander'); const manifest = require('./package'); const { AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY, AWS_KMS_KEY_ID, AWS_REGION, AWS_PROFILE } = process.env; const SECRET = 'secret:'; const Client = cmd => { const profile = cmd.profile || AWS_PROFILE; const accessKeyId = cmd.accessKeyId || AWS_ACCESS_KEY_ID; const secretAccessKey = cmd.secretAccessKey || AWS_SECRET_ACCESS_KEY; const region = cmd.region || AWS_REGION; const KeyId = cmd.keyId || AWS_KMS_KEY_ID; const credentials = new AWS.SharedIniFileCredentials({ profile }); const client = new AWS.KMS( accessKeyId && secretAccessKey ? { accessKeyId, secretAccessKey, region } : { credentials, region } ); return { decrypt: input => client .decrypt({ CiphertextBlob: Buffer.from(input, 'base64') }) .promise() .then(({ Plaintext }) => Plaintext.toString()), encrypt: Plaintext => client .encrypt({ KeyId, Plaintext }) .promise() .then(({ CiphertextBlob }) => CiphertextBlob.toString('base64')) }; }; program .version(manifest.version) .option('-r --region <region>', 'AWS Region - i.e. eu-west-1') .option('-p --profile <profile>', 'AWS profile name, ') .option('-k --keyId <keyId>', 'AWS KMS Key Id') .option('-i --accessKeyId <accessKeyId>', 'AWS Access Key Id') .option('-s --secretAccessKey <secretAccessKey>', 'AWS Secret Access Key'); program.command('decrypt <file>').action((file, cmd) => new Promise((resolve, reject) => fs.readFile(file, 'utf-8', (err, data) => (err ? reject(err) : resolve(data))) ) .then(response => response .trim() .split('\n') .map(line => line.split('=')) .map(([key, ...valueParts]) => { const value = valueParts.join('='); return value.startsWith(SECRET) ? Client(cmd.parent) .decrypt(value.substr(SECRET.length)) .then(decrypted => [key, decrypted]) : [key, value]; }) ) .then(response => Promise.all(response)) .then(pairs => pairs.map(pair => pair.join('=')).join('\n')) .then(console.log) ); program .command('add <file> <content>') .description('Adds new line to the file encrypting the value') .action((file, content, cmd) => { const [key, ...valueParts] = content.split('='); const value = valueParts.join('='); return Client(cmd.parent) .encrypt(value) .then( encrypted => new Promise((resolve, reject) => fs.appendFile(file, `\n${key}=${SECRET}${encrypted}`, (err, data) => err ? reject(err) : resolve(data) ) ) ); }); program .command('encrypt <value>') .description('Encrypts provided value') .action((value, cmd) => Client(cmd.parent) .encrypt(value) .then(console.log) ); program.parse(process.argv);