Protect Secrets Manager connection details with AWS KMS
Keeper Secrets Manager integrates with AWS KMS in order to provide encryption for Keeper Secrets Manager configuration files. With this integration, you can protect connection details on your machine while taking advantage of Keeper's zero-knowledge encryption of all your secret credentials.
Features
Encrypt and Decrypt your Keeper Secrets Manager configuration files with AWS KMS
Protect against unauthorized access to your Secrets Manager connections
Requires only minor changes to code for immediate protection. Works with all Keeper Secrets Manager SDK functionality
The Secrets Manager AWS Key Management Service Integration can be installed using
go get github.com/keeper-security/secrets-manager-go/integrations/aws
2. Configure AWS Connection
By default the boto3 library will utilize the default connection session setup with the AWS CLI with the aws configure command. If you would like to specify the connection details, the two configuration files located at ~/.aws/config and ~/.aws/credentials can be manually edited.
Alternatively, configuration variables can be provided explicitly as an access key using the AwsSessionConfig data class and providing aws_access_key_id , aws_secret_access_key and aws_session_token variables.
You will need an AWS Access Key to use the AWS KMS integration.
Once AWS connection has been configured, You can fetch the Key to encrypt / decrypt KSM configuration using integration and you need to tell the Secrets Manager SDK to utilize the KMS as storage.
Using Specified Connection credentials
To do this, use AwsKeyValueStorage as your Secrets Manager storage in the SecretsManager constructor.
The storage will require an AWS Key ID, AwsSessionConfig, as well as the name of the Secrets Manager configuration file which will be encrypted by AWS KMS.
import org.bouncycastle.jcajce.provider.BouncyCastleFipsProvider;
import com.keepersecurity.secretmanager.aws.kms.AwsKeyValueStorage;
import com.keepersecurity.secretmanager.aws.kms.AwsSessionConfig;
import com.keepersecurity.secretsManager.core.InMemoryStorage;
import com.keepersecurity.secretsManager.core.SecretsManager;
import com.keepersecurity.secretsManager.core.SecretsManagerOptions;
import static com.keepersecurity.secretsManager.core.SecretsManager.initializeStorage;
import software.amazon.awssdk.regions.Region;
import java.security.Security;
import org.bouncycastle.jcajce.provider.BouncyCastleFipsProvider;
class Test {
public static void main(String args[]){
String keyId = "<Key ID>";
String awsAccessKeyId = "<AWS Access ID>";
String awsSecretAccessKey = "<AWS Secret>";
String oneTimeToken = "[One Time Token]";
Region region = Region.<cloud-region>;
String profile = null OR "DEFAULT"; //set profile (ex. DEFUALT/UAT/PROD) if ~/.aws/config is set
String configFileLocation = "client_config_test.json";
try{
//set AWS configuration, It can be null if profile is set for aws credentials
AwsSessionConfig sessionConfig = new AwsSessionConfig(awsAccessKeyId, awsSecretAccessKey);
//Get Storage
AwsKeyValueStorage awskvstorage = new AwsKeyValueStorage(keyId, configFileLocation, profile, null, region);
initializeStorage(awskvstorage, oneTimeToken);
SecretsManagerOptions options = new SecretsManagerOptions(awskvstorage);
//getSecrets(OPTIONS);
}catch (Exception e) {
System.out.println(e.getMessage());
}
}
}
To do this, use AWSKeyValueStorage as your Secrets Manager storage in the SecretsManager constructor.
The storage will require an AWS Key ID, AWS Session credentials - AWSSessionConfig , as well as the name of the Secrets Manager configuration file which will be encrypted by AWS KMS.
To do this, use AwsKmsKeyValueStorage as your Secrets Manager storage in the SecretsManager constructor.
The storage will require an AWS Key ID, AwsSessionConfig, as well as the name of the Secrets Manager configuration file which will be encrypted by AWS KMS.
To do this, use AWSKeyValueStorage as your Secrets Manager storage in the SecretsManager constructor.
The storage will require an AWS Key ID, AwsSessionConfig, as well as the name of the Secrets Manager configuration file which will be encrypted by AWS KMS.
using System;
using System.Linq;
using System.Threading.Tasks;
using SecretsManager;
using AWSKeyManagement;
public class Program
{
private static async Task getOneIndividualSecret()
{
var accessKeyId = "<ACCESS_KEY_ID>";
var secretAccessKey = "<SECRET_ACCESS_KEY>";
var regionName = "<AWS_REGION_STRING";
var keyId = "<KEY_ID_1>";
var path = "<KEEPER_CONFIG_FILE_PATH>";
var dotnet_access_token = "<ONE_TIME_TOKEN>";
var awsSessionConfig = new AWSSessionConfig(accessKeyId, secretAccessKey, regionName);
var aws_storage = new AWSKeyValueStorage(keyId, path, awsSessionConfig);
SecretsManagerClient.InitializeStorage(aws_storage, dotnet_access_token);
var options = new SecretsManagerOptions(aws_storage);
var records_1 = await SecretsManagerClient.GetSecrets(options);
records_1.Records.ToList().ForEach(record => Console.WriteLine(record.RecordUid + " - " + record.Data.title));
}
static async Task Main()
{
await getOneIndividualSecret();
}
}
To do this, use AWSKeyValueStorage as your Secrets Manager storage in the SecretsManager constructor.
The storage will require an AWS Key ID, AwsSessionConfig, as well as the name of the Secrets Manager configuration file which will be encrypted by AWS KMS.
package main
import (
"encoding/json"
"fmt"
"github.com/keeper-security/secrets-manager-go/core"
awskv "github.com/keeper-security/secrets-manager-go/integrations/aws"
)
func main() {
clientID := "<Some Client ID>"
clientSecret := "<Some Client Secret>"
region := "<Cloud Region>"
keyARN := "arn:<partition>:kms:<region>:<account-id>:key/<key-id>"
oneTimeToken := "one time token"
ksmConfigFileName := ""
// Initialize the AWS Key Vault Storage
cfg := awskv.NewAWSKeyValueStorage(ksmConfigFileName, keyARN, &awskv.AWSConfig{
ClientID: clientID,
ClientSecret: clientSecret,
Region: region,
})
clientOptions := &core.ClientOptions{
Token: oneTimeToken,
Config: cfg,
}
fmt.Printf("Client ID in config: %v\n", cfg.Get(core.KEY_CLIENT_ID))
secrets_manager := core.NewSecretsManager(clientOptions)
// Fetch secrets from Keeper Security Vault
record_uids := []string{}
records, err := secrets_manager.GetSecrets(record_uids)
if err != nil {
// do something
fmt.Printf("Error while fetching secrets: %v", err)
}
for _, record := range records {
// do something with record
fmt.Println(record.Title())
}
}
Using Default Connection
To do this, use AwsKeyValueStorage as your Secrets Manager storage in the SecretsManager constructor.
The storage will require an AWS Key ID, as well as the name of the Secrets Manager configuration file which will be encrypted by AWS KMS.
import org.bouncycastle.jcajce.provider.BouncyCastleFipsProvider;
import com.keepersecurity.secretmanager.aws.kms.AwsKeyValueStorage;
import com.keepersecurity.secretmanager.aws.kms.AwsSessionConfig;
import com.keepersecurity.secretsManager.core.InMemoryStorage;
import com.keepersecurity.secretsManager.core.SecretsManager;
import com.keepersecurity.secretsManager.core.SecretsManagerOptions;
import static com.keepersecurity.secretsManager.core.SecretsManager.initializeStorage;
import software.amazon.awssdk.regions.Region;
import java.security.Security;
import org.bouncycastle.jcajce.provider.BouncyCastleFipsProvider;
class Test {
public static void main(String args[]){
String keyId = "<Key ID>";
String awsAccessKeyId = "<AWS Access ID>";
String awsSecretAccessKey = "<AWS Secret>";
String oneTimeToken = "[One Time Token]";
Region region = Region.<cloud-region>;
String profile = null OR "DEFAULT"; //set profile (ex. DEFUALT/UAT/PROD) if ~/.aws/config is set
String configFileLocation = "client_config_test.json";
try{
//set AWS configuration, It can be null if profile is set for aws credentials
AwsSessionConfig sessionConfig = new AwsSessionConfig(awsAccessKeyId, awsSecretAccessKey);
//Get Storage
AwsKeyValueStorage awskvstorage = new AwsKeyValueStorage(keyId, configFileLocation, profile, sessionConfig, region);
initializeStorage(awskvstorage, oneTimeToken);
SecretsManagerOptions options = new SecretsManagerOptions(awskvstorage);
//getSecrets(OPTIONS);
}catch (Exception e) {
System.out.println(e.getMessage());
}
}
}
To do this, use AWSKeyValueStorage as your Secrets Manager storage in the SecretsManager constructor.
The storage will require an AWS Key ID , as well as the name of the Secrets Manager configuration file which will be encrypted by AWS KMS.
To do this, use AWSKeyValueStorage as your Secrets Manager storage in the SecretsManager constructor.
The storage will require an AWS Key ID, as well as the name of the Secrets Manager configuration file which will be encrypted by AWS KMS.
using System;
using System.Linq;
using System.Threading.Tasks;
using SecretsManager;
using AWSKeyManagement;
public class Program
{
private static async Task getOneIndividualSecret()
{
var keyId = "<KEY_ID_1>";
var path = "<KEEPER_CONFIG_FILE_PATH>";
var dotnet_access_token = "<ONE_TIME_TOKEN>";
var aws_storage = new AWSKeyValueStorage(keyId, path);
SecretsManagerClient.InitializeStorage(aws_storage, dotnet_access_token);
var options = new SecretsManagerOptions(aws_storage);
var records_1 = await SecretsManagerClient.GetSecrets(options);
records_1.Records.ToList().ForEach(record => Console.WriteLine(record.RecordUid + " - " + record.Data.title));
}
static async Task Main()
{
await getOneIndividualSecret();
}
}
To do this, use AWSKeyValueStorage as your Secrets Manager storage in the SecretsManager constructor.
The storage will require an AWS Key ID, as well as the name of the Secrets Manager configuration file which will be encrypted by AWS KMS.
package main
import (
"fmt"
"github.com/keeper-security/secrets-manager-go/core"
awskv "github.com/keeper-security/secrets-manager-go/integrations/aws"
)
func main() {
keyARN := "arn:<partition>:kms:<region>:<account-id>:key/<key-id>"
oneTimeToken := "one time token"
ksmConfigFileName := "<config file name>"
// Initialize the AWS Key Vault Storage
cfg := awskv.NewAWSKeyValueStorage(ksmConfigFileName, keyARN, nil)
clientOptions := &core.ClientOptions{
Token: oneTimeToken,
Config: cfg,
}
fmt.Printf("Client ID in config: %v\n", cfg.Get(core.KEY_CLIENT_ID))
secrets_manager := core.NewSecretsManager(clientOptions)
// Fetch secrets from Keeper Security Vault
record_uids := []string{}
records, err := secrets_manager.GetSecrets(record_uids)
if err != nil {
// do something
fmt.Printf("Error while fetching secrets: %v", err)
}
for _, record := range records {
// do something with record
fmt.Println(record.Title())
}
}
Using the AWS KMS Integration
Once setup, the Secrets Manager AWS KMS integration supports all Secrets Manager SDK functionality. Your code will need to be able to access the AWS KMS APIs in order to manage the decryption of the configuration file when run.
Additional Options
Change Key
We can change key that is used for encrypting the configuration, examples below show the code needed to use it
const storage = await new AWSKeyValueStorage(keyId,config_path).init()
await initializeStorage(storage, oneTimeToken);
// do all process needed if any or change directly
await storage.changeKey(keyId2);
using Microsoft.Extensions.Logging;
var awsSessionConfig2 = new AWSSessionConfig();
var loggerFactory = LoggerFactory.Create(builder =>
{
builder.SetMinimumLevel(LogLevel.Debug);
builder.AddConsole();
});
var logger = loggerFactory.CreateLogger<AWSKeyValueStorage>();
var aws_storage = new AWSKeyValueStorage(keyId, path, awsSessionConfig2,logger);
updatedKeyARN := "arn:<partition>:kms:<region>:<account-id>:key/<key-id>"
isChanged, err := cfg.ChangeKey(updatedKeyARN, nil)
if err != nil {
fmt.Printf("Error while changing key: %v", err)
}
Decrypt Config
We can decrypt the config if current implementation is to be migrated onto a different cloud or if you want your raw credentials back. The function accepts a boolean which when set to true will save the decrypted configuration to file and if left false, will just return decrypted configuration.
AwsKeyValueStorage awskvstorage = new AwsKeyValueStorage(keyId, configFileLocation, profile, sessionConfig, region);
awskvstorage.decryptConfig(true) // Set true as a parameter to extract plaintext and save config as a plaintext.
//OR
awskvstorage.decryptConfig(false); // Set false as a parameter to extract only plaintext.
const storage = await new AWSKeyValueStorage(keyId,config_path).init();
await storage.decryptConfig();