Protect Secrets Manager connection details with AWS KMS
Keeper Secrets Manager integrates with AWS KMS in order to provide encryption for Keeper Secrets Manager configuration files. With this integration, you can protect connection details on your machine while taking advantage of Keeper's zero-knowledge encryption of all your secret credentials.
Encrypt and Decrypt your Keeper Secrets Manager configuration files with AWS KMS
Protect against unauthorized access to your Secrets Manager connections
Requires only minor changes to code for immediate protection. Works with all Keeper Secrets Manager SDK functionality
Supports the
Requires and packages
Supports Java 11 and above
Setting up project using Gradle or Maven
Gradle
Maven
The Secrets Manager AWS Key Management Service Integration can be installed using npm
The Secrets Manager HSM modules are located in the Keeper Secrets Manager storage module which can be installed using pip
boto3 is a prerequisite for the AWS KSM integration. Install it to your machine using pip.
The Secrets Manager AWS Key Management Service Integration can be installed using
By default the boto3 library will utilize the default connection session setup with the AWS CLI with the aws configure command. If you would like to specify the connection details, the two configuration files located at ~/.aws/config and ~/.aws/credentials can be manually edited.
Alternatively, configuration variables can be provided explicitly as an access key using the AwsSessionConfig data class and providing aws_access_key_id , aws_secret_access_key and aws_session_token variables.
Once AWS connection has been configured, You can fetch the Key to encrypt / decrypt KSM configuration using integration and you need to tell the Secrets Manager SDK to utilize the KMS as storage. Using Specified Connection credentials
To do this, use AwsKeyValueStorage as your Secrets Manager storage in the SecretsManager constructor.
The storage will require an AWS Key ID, AwsSessionConfig, as well as the name of the Secrets Manager configuration file which will be encrypted by AWS KMS.
To do this, use AWSKeyValueStorage as your Secrets Manager storage in the SecretsManager constructor.
The storage will require an AWS Key ID, AWS Session credentials - AWSSessionConfig , as well as the name of the Secrets Manager configuration file which will be encrypted by AWS KMS.
Using Default Connection
To do this, use AwsKeyValueStorage as your Secrets Manager storage in the SecretsManager constructor.
The storage will require an AWS Key ID, as well as the name of the Secrets Manager configuration file which will be encrypted by AWS KMS.
To do this, use AWSKeyValueStorage as your Secrets Manager storage in the SecretsManager constructor.
The storage will require an AWS Key ID , as well as the name of the Secrets Manager configuration file which will be encrypted by AWS KMS.
To do this, use AwsKmsKeyvalueStorage
Once setup, the Secrets Manager AWS KMS integration supports all Secrets Manager SDK functionality. Your code will need to be able to access the AWS KMS APIs in order to manage the decryption of the configuration file when run.
We can change key that is used for encrypting the configuration, examples below show the code needed to use it
We can decrypt the config if current implementation is to be migrated onto a different cloud or if you want your raw credentials back. The function accepts a boolean which when set to true will save the decrypted configuration to file and if left false, will just return decrypted configuration.
You're ready to use the KSM integration 👍
Requires aws-sdk/client-kms package
Supports the Python Secrets Manager SDK
Requires boto3 package
Supports the .Net Secrets Manager SDK
Requires AWSSDK.KeyManagementService
Supports the GoLang Secrets Manager SDK
Requires aws-sdk-v2
The Secrets Manager AWS Key Management Service Integration can be installed using
To do this, use AwsKmsKeyValueStorage as your Secrets Manager storage in the SecretsManager constructor.
The storage will require an AWS Key ID, AwsSessionConfig, as well as the name of the Secrets Manager configuration file which will be encrypted by AWS KMS.
To do this, use AWSKeyValueStorage as your Secrets Manager storage in the SecretsManager constructor.
The storage will require an AWS Key ID, AwsSessionConfig, as well as the name of the Secrets Manager configuration file which will be encrypted by AWS KMS.
To do this, use AWSKeyValueStorage as your Secrets Manager storage in the SecretsManager constructor.
The storage will require an AWS Key ID, AwsSessionConfig, as well as the name of the Secrets Manager configuration file which will be encrypted by AWS KMS.
SecretsManagerThe storage will require an AWS Key ID, as well as the name of the Secrets Manager configuration file which will be encrypted by AWS KMS.
To do this, use AWSKeyValueStorage as your Secrets Manager storage in the SecretsManager constructor.
The storage will require an AWS Key ID, as well as the name of the Secrets Manager configuration file which will be encrypted by AWS KMS.
To do this, use AWSKeyValueStorage as your Secrets Manager storage in the SecretsManager constructor.
The storage will require an AWS Key ID, as well as the name of the Secrets Manager configuration file which will be encrypted by AWS KMS.
from keeper_secrets_manager_core import SecretsManager
from keeper_secrets_manager_hsm.storage_aws_kms import AwsKmsKeyValueStorage
aws_session_cfg = AwsSessionConfig(
aws_access_key_id="AK[...]FIF",
aws_secret_access_key="/[...]/g3",
region_name="us-east-2")
config = AwsKmsKeyValueStorage(
key_id='e9[...]567',
config_file_location='client-config.json',
aws_session_config=aws_session_cfg)
secrets_manager = SecretsManager(config=config, verify_ssl_certs=True)
all_records = secrets_manager.get_secrets()using System;
using System.Linq;
using System.Threading.Tasks;
using SecretsManager;
using AWSKeyManagement;
public class Program
{
private static async Task getOneIndividualSecret()
{
var accessKeyId = "<ACCESS_KEY_ID>";
var secretAccessKey = "<SECRET_ACCESS_KEY>";
var regionName = "<AWS_REGION_STRING";
var keyId = "<KEY_ID_1>";
var path = "<KEEPER_CONFIG_FILE_PATH>";
var dotnet_access_token = "<ONE_TIME_TOKEN>";
var awsSessionConfig = new AWSSessionConfig(accessKeyId, secretAccessKey, regionName);
var aws_storage = new AWSKeyValueStorage(keyId, path, awsSessionConfig);
SecretsManagerClient.InitializeStorage(aws_storage, dotnet_access_token);
var options = new SecretsManagerOptions(aws_storage);
var records_1 = await SecretsManagerClient.GetSecrets(options);
records_1.Records.ToList().ForEach(record => Console.WriteLine(record.RecordUid + " - " + record.Data.title));
}
static async Task Main()
{
await getOneIndividualSecret();
}
}package main
import (
"encoding/json"
"fmt"
"github.com/keeper-security/secrets-manager-go/core"
awskv "github.com/keeper-security/secrets-manager-go/integrations/aws"
)
func main() {
clientID := "<Some Client ID>"
clientSecret := "<Some Client Secret>"
region := "<Cloud Region>"
keyARN := "arn:<partition>:kms:<region>:<account-id>:key/<key-id>"
oneTimeToken := "one time token"
ksmConfigFileName := ""
// Initialize the AWS Key Vault Storage
cfg := awskv.NewAWSKeyValueStorage(ksmConfigFileName, keyARN, &awskv.AWSConfig{
ClientID: clientID,
ClientSecret: clientSecret,
Region: region,
})
clientOptions := &core.ClientOptions{
Token: oneTimeToken,
Config: cfg,
}
fmt.Printf("Client ID in config: %v\n", cfg.Get(core.KEY_CLIENT_ID))
secrets_manager := core.NewSecretsManager(clientOptions)
// Fetch secrets from Keeper Security Vault
record_uids := []string{}
records, err := secrets_manager.GetSecrets(record_uids)
if err != nil {
// do something
fmt.Printf("Error while fetching secrets: %v", err)
}
for _, record := range records {
// do something with record
fmt.Println(record.Title())
}
}using System;
using System.Linq;
using System.Threading.Tasks;
using SecretsManager;
using AWSKeyManagement;
public class Program
{
private static async Task getOneIndividualSecret()
{
var keyId = "<KEY_ID_1>";
var path = "<KEEPER_CONFIG_FILE_PATH>";
var dotnet_access_token = "<ONE_TIME_TOKEN>";
var aws_storage = new AWSKeyValueStorage(keyId, path);
SecretsManagerClient.InitializeStorage(aws_storage, dotnet_access_token);
var options = new SecretsManagerOptions(aws_storage);
var records_1 = await SecretsManagerClient.GetSecrets(options);
records_1.Records.ToList().ForEach(record => Console.WriteLine(record.RecordUid + " - " + record.Data.title));
}
static async Task Main()
{
await getOneIndividualSecret();
}
}package main
import (
"fmt"
"github.com/keeper-security/secrets-manager-go/core"
awskv "github.com/keeper-security/secrets-manager-go/integrations/aws"
)
func main() {
keyARN := "arn:<partition>:kms:<region>:<account-id>:key/<key-id>"
oneTimeToken := "one time token"
ksmConfigFileName := "<config file name>"
// Initialize the AWS Key Vault Storage
cfg := awskv.NewAWSKeyValueStorage(ksmConfigFileName, keyARN, nil)
clientOptions := &core.ClientOptions{
Token: oneTimeToken,
Config: cfg,
}
fmt.Printf("Client ID in config: %v\n", cfg.Get(core.KEY_CLIENT_ID))
secrets_manager := core.NewSecretsManager(clientOptions)
// Fetch secrets from Keeper Security Vault
record_uids := []string{}
records, err := secrets_manager.GetSecrets(record_uids)
if err != nil {
// do something
fmt.Printf("Error while fetching secrets: %v", err)
}
for _, record := range records {
// do something with record
fmt.Println(record.Title())
}
}
repositories {
mavenCentral()
}
dependencies {
implementation("com.keepersecurity.secrets-manager:aws:1.0.0")
implementation("com.keepersecurity.secrets-manager:core:17.0.0")
implementation ("software.amazon.awssdk:kms:2.20.28")
implementation ("software.amazon.awssdk:auth:2.20.28")
implementation("com.fasterxml.jackson.core:jackson-databind:2.18.2")
implementation("com.fasterxml.jackson.core:jackson-core:2.18.2")
implementation("com.google.code.gson:gson:2.12.1")
implementation("org.slf4j:slf4j-api:1.7.32"){
exclude("org.slf4j:slf4j-log4j12")
}
implementation("ch.qos.logback:logback-classic:1.2.6")
implementation("ch.qos.logback:logback-core:1.2.6")
implementation("org.bouncycastle:bc-fips:1.0.2.4")
}<!-- KMS-core -->
<dependency>
<groupId>com.keepersecurity.secrets-manager</groupId>
<artifactId>aws</artifactId>
<version>1.0.0</version>
</dependency>
<dependency>
<groupId>com.keepersecurity.secrets-manager</groupId>
<artifactId>core</artifactId>
<version>17.0.0</version>
</dependency>
<!-- aws-kms -->
<dependency>
<groupId>software.amazon.awssdk</groupId>
<artifactId>kms</artifactId>
<version>2.20.28</version>
</dependency>
<!-- aws-auth -->
<dependency>
<groupId>software.amazon.awssdk</groupId>
<artifactId>auth</artifactId>
<version>2.20.28</version>
</dependency>
<!--gson -->
<dependency>
<groupId>com.google.code.gson</groupId>
<artifactId>gson</artifactId>
<version>2.12.1</version>
</dependency>
<!--jackson-core -->
<dependency>
<groupId>com.fasterxml.jackson.core</groupId>
<artifactId>jackson-core</artifactId>
<version>2.18.2</version>
</dependency>
<!--jackson-databind -->
<dependency>
<groupId>com.fasterxml.jackson.core</groupId>
<artifactId>jackson-core</artifactId>
<version>2.18.2</version>
</dependency>
<!-- slf4j-api -->
<dependency>
<groupId>org.slf4j</groupId>
<artifactId>slf4j-api</artifactId>
<version>1.7.32</version>
<scope>runtime</scope>
</dependency>
<!-- logback-classic -->
<dependency>
<groupId>ch.qos.logback</groupId>
<artifactId>logback-classic</artifactId>
<version>1.2.6</version>
<scope>compile</scope>
</dependency>
<!-- logback-core -->
<dependency>
<groupId>ch.qos.logback</groupId>
<artifactId>logback-core</artifactId>
<version>1.2.6</version>
<scope>compile</scope>
</dependency>
<!-- bc-fips -->
<dependency>
<groupId>org.bouncycastle</groupId>
<artifactId>bc-fips</artifactId>
<version>1.0.2.4</version>
</dependency>
npm install @keeper-security/secrets-manager-awspip3 install keeper-secrets-manager-storagepip install boto3dotnet add package Keeper.SecretsManager.AWSKeyManagementimport org.bouncycastle.jcajce.provider.BouncyCastleFipsProvider;
import com.keepersecurity.secretmanager.aws.kms.AwsKeyValueStorage;
import com.keepersecurity.secretmanager.aws.kms.AwsSessionConfig;
import com.keepersecurity.secretsManager.core.InMemoryStorage;
import com.keepersecurity.secretsManager.core.SecretsManager;
import com.keepersecurity.secretsManager.core.SecretsManagerOptions;
import static com.keepersecurity.secretsManager.core.SecretsManager.initializeStorage;
import software.amazon.awssdk.regions.Region;
import java.security.Security;
import org.bouncycastle.jcajce.provider.BouncyCastleFipsProvider;
class Test {
public static void main(String args[]){
String keyId = "<Key ID>";
String awsAccessKeyId = "<AWS Access ID>";
String awsSecretAccessKey = "<AWS Secret>";
String oneTimeToken = "[One Time Token]";
Region region = Region.<cloud-region>;
String profile = null OR "DEFAULT"; //set profile (ex. DEFUALT/UAT/PROD) if ~/.aws/config is set
String configFileLocation = "client_config_test.json";
try{
//set AWS configuration, It can be null if profile is set for aws credentials
AwsSessionConfig sessionConfig = new AwsSessionConfig(awsAccessKeyId, awsSecretAccessKey);
//Get Storage
AwsKeyValueStorage awskvstorage = new AwsKeyValueStorage(keyId, configFileLocation, profile, null, region);
initializeStorage(awskvstorage, oneTimeToken);
SecretsManagerOptions options = new SecretsManagerOptions(awskvstorage);
//getSecrets(OPTIONS);
}catch (Exception e) {
System.out.println(e.getMessage());
}
}
}
import { AWSKeyValueStorage, AWSSessionConfig, LoggerLogLevelOptions } from "@keeper-security/secrets-manager-aws";
import { initializeStorage, getSecrets } from "@keeper-security/secrets-manager-core";
const getKeeperRecordsAWS = async () => {
const accessKeyId = "<YOUR AWS ACCESS KEY>>";
const secretAccessKey = "<YOUR AWS SECRET_ACCESS_KEY>";
const regionName = "<YOUR AWS REGION>";
const logLevel = LoggerLogLevelOptions.Debug;
const configPath = "client-config-path.json";
const awsSessionConfig = new AWSSessionConfig(accessKeyId, secretAccessKey, regionName);
const keyId = 'arn:aws:kms:ap-south-1:<accountName>:key/<keyId>';
const storage = await new AWSKeyValueStorage(keyId, configPath, awsSessionConfig, logLevel).init();
const oneTimeToken = "<one time token>";
await initializeStorage(storage, oneTimeToken);
const { records } = await getSecrets({ storage: storage });
const firstRecord = records[0]
const firstRecordPassword = firstRecord.data.fields.find(x => x.type === 'password')
console.log(firstRecordPassword.value[0])
};
getKeeperRecordsAWS();
import org.bouncycastle.jcajce.provider.BouncyCastleFipsProvider;
import com.keepersecurity.secretmanager.aws.kms.AwsKeyValueStorage;
import com.keepersecurity.secretmanager.aws.kms.AwsSessionConfig;
import com.keepersecurity.secretsManager.core.InMemoryStorage;
import com.keepersecurity.secretsManager.core.SecretsManager;
import com.keepersecurity.secretsManager.core.SecretsManagerOptions;
import static com.keepersecurity.secretsManager.core.SecretsManager.initializeStorage;
import software.amazon.awssdk.regions.Region;
import java.security.Security;
import org.bouncycastle.jcajce.provider.BouncyCastleFipsProvider;
class Test {
public static void main(String args[]){
String keyId = "<Key ID>";
String awsAccessKeyId = "<AWS Access ID>";
String awsSecretAccessKey = "<AWS Secret>";
String oneTimeToken = "[One Time Token]";
Region region = Region.<cloud-region>;
String profile = null OR "DEFAULT"; //set profile (ex. DEFUALT/UAT/PROD) if ~/.aws/config is set
String configFileLocation = "client_config_test.json";
try{
//set AWS configuration, It can be null if profile is set for aws credentials
AwsSessionConfig sessionConfig = new AwsSessionConfig(awsAccessKeyId, awsSecretAccessKey);
//Get Storage
AwsKeyValueStorage awskvstorage = new AwsKeyValueStorage(keyId, configFileLocation, profile, sessionConfig, region);
initializeStorage(awskvstorage, oneTimeToken);
SecretsManagerOptions options = new SecretsManagerOptions(awskvstorage);
//getSecrets(OPTIONS);
}catch (Exception e) {
System.out.println(e.getMessage());
}
}
}
import { AWSKeyValueStorage } from "@keeper-security/secrets-manager-aws";
import { initializeStorage, getSecrets } from "@keeper-security/secrets-manager-core";
const getKeeperRecordsAWS = async () => {
const configPath = "client-config-path.json";
const keyId = 'arn:aws:kms:ap-south-1:<accountName>:key/<keyId>';
const storage = await new AWSKeyValueStorage(keyId, configPath).init();
const oneTimeToken = "<one time token>";
await initializeStorage(storage, oneTimeToken);
const { records } = await getSecrets({ storage: storage });
const firstRecord = records[0]
const firstRecordPassword = firstRecord.data.fields.find(x => x.type === 'password')
console.log(firstRecordPassword.value[0])
};
getKeeperRecordsAWS();
String newkeyId = "<New-Key-ID>";
AwsKeyValueStorage awskvstorage = new AwsKeyValueStorage(keyId, configFileLocation, profile, sessionConfig, region);
awskvstorage.changeKey(newkeyId)const storage = await new AWSKeyValueStorage(keyId,config_path).init()
await initializeStorage(storage, oneTimeToken);
// do all process needed if any or change directly
await storage.changeKey(keyId2);from keeper_secrets_manager_core import SecretsManager
from keeper_secrets_manager_hsm.storage_aws_kms import AwsKmsKeyValueStorage
aws_session_cfg = AwsSessionConfig(
aws_access_key_id="AK[...]FIF",
aws_secret_access_key="/[...]/g3",
region_name="<region>")
new_key_id = "<new_key_id>"
config = AwsKmsKeyValueStorage(
key_id='e9[...]567',
config_file_location='client-config.json',
aws_session_config=aws_session_cfg)
secrets_manager = SecretsManager(config=config, verify_ssl_certs=True)
all_records = secrets_manager.change_key(new_key_id) using Microsoft.Extensions.Logging;
var awsSessionConfig2 = new AWSSessionConfig();
var loggerFactory = LoggerFactory.Create(builder =>
{
builder.SetMinimumLevel(LogLevel.Debug);
builder.AddConsole();
});
var logger = loggerFactory.CreateLogger<AWSKeyValueStorage>();
var aws_storage = new AWSKeyValueStorage(keyId, path, awsSessionConfig2,logger);updatedKeyARN := "arn:<partition>:kms:<region>:<account-id>:key/<key-id>"
isChanged, err := cfg.ChangeKey(updatedKeyARN, nil)
if err != nil {
fmt.Printf("Error while changing key: %v", err)
}AwsKeyValueStorage awskvstorage = new AwsKeyValueStorage(keyId, configFileLocation, profile, sessionConfig, region);
awskvstorage.decryptConfig(true) // Set true as a parameter to extract plaintext and save config as a plaintext.
//OR
awskvstorage.decryptConfig(false); // Set false as a parameter to extract only plaintext.const storage = await new AWSKeyValueStorage(keyId,config_path).init();
await storage.decryptConfig(); from keeper_secrets_manager_core import SecretsManager
from keeper_secrets_manager_hsm.storage_aws_kms import AwsKmsKeyValueStorage
aws_session_cfg = AwsSessionConfig(
aws_access_key_id="AK[...]FIF",
aws_secret_access_key="/[...]/g3",
region_name="<region>")
config = AwsKmsKeyValueStorage(
key_id='e9[...]567',
config_file_location='client-config.json',
aws_session_config=aws_session_cfg)
secrets_manager = SecretsManager(config=config, verify_ssl_certs=True)
all_records = secrets_manager.decrypt_config(True)var conf = await aws_storage.DecryptConfigAsync(false);
Console.WriteLine(conf); cfg := awskv.NewAWSKeyValueStorage(ksmConfigFileName, keyARN, &awskv.AWSConfig{
ClientID: clientID,
ClientSecret: clientSecret,
Region: region,
})
decryptedConfig, err := cfg.DecryptConfig(true)go get github.com/keeper-security/secrets-manager-go/integrations/awsfrom keeper_secrets_manager_core import SecretsManager
from keeper_secrets_manager_hsm.storage_aws_kms import AwsKmsKeyValueStorage
key_id = 'c5[...]576'
config = AwsKmsKeyValueStorage(key_id, 'client-config.json') # default session
secrets_manager = SecretsManager(config=config, verify_ssl_certs=True)
all_records = secrets_manager.get_secrets()