@phhu/aws-secrets-to-env
Node.js CLI script which writes .env files or export commands to stdout based on values held in AWS Parameter Store and/or AWS Secrets Manager
This Node.js script writes .env files or export commands to stdout based on values held in Amazon Web Services (AWS) [Parameter Store](https://docs.aws.amazon.com/systems-manager/latest/userguide/systems-manager-parameter-store.html) and/or AWS [Secrets Manager](https://aws.amazon.com/secrets-manager/). Node applications can then be run with the environment variables it sets, perhaps using the package ["dotenv"](https://www.npmjs.com/package/dotenv) to read them from the .env file.
* Specify `--ssmpath` and/or `--secretid` to retrieve from AWS Parameter Store and/or AWS Secrets Manager respectively.
* For the Parameter Store, parameters are returned by path (e.g. parameters with names starting with an arbitrary path such as "/myapp/prodconfig")
* For authentication, you can specify `--accessKeyId=[awsAccessKeyId]` and `--secretAccessKey=[awsSecretAccessKey]`; or use an [AWS profile](https://docs.aws.amazon.com/cli/latest/userguide/cli-configure-profiles.html) with `--profile=someprofile`; otherwise default AWS auth is used.
## SAMPLE USAGE:
```sh
npm install -g "@phhu/aws-secrets-to-env"
```
```sh
# with global npm install, writing to .env file
aws-secrets-to-env \
  --ssmpath=/myapp/prodconfig \
  --secretid=/myapp/prodconfig \
  --region=eu-central-1 \
  >.env && node myapp.js

# with global npm install, setting env. vars using export command
# (quote the substitution so values reach eval without word splitting or globbing;
# keys passed as arguments are visible in the local process list)
eval "$(aws-secrets-to-env \
  --secretid=/myapp/prodconfig \
  --region="$AWS_DEFAULT_REGION" \
  --accessKeyId=someAwsAccessKeyId \
  --secretAccessKey="$SOME_AWS_ACCESS_KEY_ENV_VAR" \
  --useexport \
)" && node myapp.js

# using local npm install, writing to .env file
node ./node_modules/@phhu/aws-secrets-to-env/aws-secrets-to-env.js \
  --secretid=/myapp/prodconfig \
  --region=eu-central-1 \
  --profile=someAwsProfile \
  >.env && node myapp.js

# using npx, writing to .env file
npx "@phhu/aws-secrets-to-env" \
  --ssmpath=/myapp/prodconfig \
  --region=eu-central-1 \
  --profile=someAwsProfile \
  >.env && node myapp.js
```
## SAMPLE OUTPUT
As written to `.env` in the first example above:
```sh
VAL1fromParamStore="Value of /myapp/prodconfig/VAL1fromParamStore"
VAL2fromParamStore="encrypted value from parameter store"
VAL1_FromSecretManager="this is stored in /myapp/prodconfig"
VAL2_FromSecretManager="this is also stored in /myapp/prodconfig"
someNumber=1
someArray="[1,2,3]"
```
With `--useexport`, as in the second example above (the one using `eval`):
```sh
export VAL_FromSecretManager="this is stored in /myapp/prodconfig"
export someFloat=1.23
export someObj="{\"thing\":1,\"thing2\":2}"
```
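
Because the `--useexport` output is passed to `eval`, the way each value is quoted decides whether a `$` or backtick inside a secret is treated as data or as shell syntax. The following is an added example, not code from this package: `shellQuote` and `renderExports` are hypothetical names, and it shows one way to render such lines with POSIX single quotes, which suppress all expansion.

```javascript
// Added example, not code from @phhu/aws-secrets-to-env.
// Renders key/value pairs as `export` lines that stay inert under `eval`.

// Names a POSIX shell accepts as variable identifiers.
const VALID_NAME = /^[A-Za-z_][A-Za-z0-9_]*$/;

// Inside single quotes the shell expands nothing; the only character that
// needs care is the single quote itself, written as '\'' (close, escaped
// quote, reopen). Non-string values are serialised as JSON, as in the
// sample output above (numbers, arrays, objects).
function shellQuote(value) {
  const s = typeof value === "string" ? value : JSON.stringify(value) ?? "";
  if (s.includes("\0")) {
    throw new Error("NUL byte cannot appear in an environment value");
  }
  return "'" + s.replace(/'/g, "'\\''") + "'";
}

// pairs: a plain object, e.g. the parsed JSON of a Secrets Manager secret.
function renderExports(pairs, { useExport = true } = {}) {
  return Object.entries(pairs).map(([name, value]) => {
    if (!VALID_NAME.test(name)) {
      // A key such as "FOO;BAR" would otherwise become shell syntax.
      throw new Error(`refusing unsafe variable name: ${JSON.stringify(name)}`);
    }
    return `${useExport ? "export " : ""}${name}=${shellQuote(value)}`;
  });
}

// Constructed sample input (not real secrets).
const sample = {
  VAL_FromSecretManager: "this is stored in /myapp/prodconfig",
  someFloat: 1.23,
  someObj: { thing: 1, thing2: 2 },
  trickyValue: "it's $HOME and `date`",
};
console.log(renderExports(sample).join("\n"));
```

Evaluating these lines sets `trickyValue` to the literal text, with `$HOME` and the backticks left unexpanded.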
## SCRIPT OPTIONS
* --ssmpath : AWS Param Store Path to retrieve
* --secretid : AWS Secrets Manager secret ID to retrieve. (This should return JSON key/value pairs)
* --debug : write debugging info to stderr
* --help : display this message
* --useexport : include an "export" command at the start of each line
* --profile : AWS profile to use (from ~/.aws; e.g. `--profile=default`). Alternatively, you can set the environment variable AWS_PROFILE (e.g. `export AWS_PROFILE=test && node aws-secrets-to-env.js`)
## AWS OPTIONS
All other options will be passed through to the AWS request. Useful options include:
* --region : AWS region. Needs to be specified. e.g. `--region=$AWS_DEFAULT_REGION`, `--region=us-east-1`
* --endpoint : specify an endpoint url (e.g. `--endpoint="http://localstack:4566"`)
* --accessKeyId
* --secretAccessKey
(see "options hash" under https://docs.aws.amazon.com/AWSJavaScriptSDK/latest/AWS/SSM.html and https://docs.aws.amazon.com/AWSJavaScriptSDK/latest/AWS/SecretsManager.html for more details).