Creation of .serverless-secret.json file according to environment like dev, stage, prod #16
Comments
IMO, this would best be implemented as a
@dschep, thanks for the quick response. I was running the following command: serverless encrypt -n ACCESSKEY32 -t "sjkdhjksd-asj-sdds1" --save, so the values are being encrypted and added to .serverless-secret.json by default. If I want to add the values to serverless-secret-stage.json/serverless-secret-prod.json, what is the way, and what command do I have to run? Please advise on this. Thanks,
Sorry, that was a suggestion of how we might implement it. The option doesn't currently exist. If you don't mind extra secrets in your file, the workaround I'd suggest now is this:

```yaml
environment:
  STAGE: ${opt:stage, self:provider.stage}
```

```js
slscrypt.get(`ACCESS_KEY_${process.env.STAGE.toUpperCase()}`);
```
Hi, here we are passing a single key for encryption as follows (sls encrypt -n ACCESS_KEY_PROD -t supersecret --save). But if we want to pass a set of keys in a single command, for example if I have 15 secret keys in my project, rather than running the sls encrypt command 15 times, can we pass a JSON file which has a list of keys to be encrypted through the sls encrypt command? Do we have any process for this? Please advise.
Not sure, I don't really have time and am thinking of migrating to SSM Parameter Store for secrets anyway. @marcy-terui might though.
@firojasha Thank you for your suggestion. This plugin currently supports a simpler use case. But I think that it is valuable to solve your problem with this plugin.
@marcy-terui, as a security concern, can we restrict "serverless decrypt -n $SECRET_NAME"? This command shows the actual value of the encrypted secret key, so anyone can run this command and see the actual value of the encrypted secret key. I even tried to amend the IAM policy of the KMS key in the AWS Console to restrict decryption, but I identified that the serverless decrypt -n $SECRET_NAME command is not taking the KMS key for decryption. Please check this case and let us know what could be done to achieve this. Regards,
I don't think that is important. I think this plugin helps to "save" confidential information. If you want to apply security to all layers other than "save", I recommend another security-specific product such as "HashiCorp Vault". I would like to implement a function to change the filename saved for each stage.
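For the question above about stopping developers from reading secrets with serverless decrypt, one option is an explicit deny on kms:Decrypt in the key policy itself. This is an added example, not from the thread or the plugin's documentation. It assumes the decrypt command calls KMS Decrypt with the caller's AWS credentials and that the service uses the framework's default IamRoleLambdaExecution role; SecretsKey is a hypothetical resource name.

```yaml
# Added example for serverless.yml; not taken from the plugin's documentation.
# Assumes the framework's default execution role, IamRoleLambdaExecution.
resources:
  Resources:
    SecretsKey:                      # hypothetical logical ID
      Type: AWS::KMS::Key
      Properties:
        Description: Key for the encrypted values in .serverless-secret.json
        KeyPolicy:
          Version: "2012-10-17"
          Statement:
            # Account principals may manage the key and encrypt new secrets
            # (subject to their IAM policies); kms:Decrypt is not in this list.
            - Sid: ManageAndEncrypt
              Effect: Allow
              Principal:
                AWS:
                  Fn::Join: ["", ["arn:aws:iam::", {Ref: "AWS::AccountId"}, ":root"]]
              Action:
                - kms:Create*
                - kms:Describe*
                - kms:Enable*
                - kms:List*
                - kms:Put*
                - kms:Update*
                - kms:Revoke*
                - kms:Disable*
                - kms:Get*
                - kms:Delete*
                - kms:ScheduleKeyDeletion
                - kms:CancelKeyDeletion
                - kms:Encrypt
              Resource: "*"
            # Only the function's execution role may decrypt.
            - Sid: DecryptFromFunctionRoleOnly
              Effect: Allow
              Principal:
                AWS: {"Fn::GetAtt": [IamRoleLambdaExecution, Arn]}
              Action: kms:Decrypt
              Resource: "*"
            # Explicit deny wins over any IAM policy that grants kms:Decrypt,
            # including administrator policies attached to developer users.
            - Sid: DenyDecryptToEveryoneElse
              Effect: Deny
              Principal: "*"
              Action: kms:Decrypt
              Resource: "*"
              Condition:
                ArnNotEquals:
                  aws:PrincipalArn: {"Fn::GetAtt": [IamRoleLambdaExecution, Arn]}
```

Anyone who can call kms:PutKeyPolicy on this key can remove the deny, so that permission needs to be limited in IAM to the people who administer the key.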
Hi,
By default, values are encrypted and saved in the .serverless-secret.json file. Is there any way we can have files like [.serverless-secret_dev.json, .serverless-secret_prod.json, .serverless-secret_Stage.json] to save the encrypted values according to environment, or can we directly save values into the .YML file? Please check this once; this is our requirement, actually.
Thanks,
Firoj Shaik