Stealth is a Go interface for reading and writing secrets in secret stores.
The current storage implementation uses AWS Systems Manager Parameter Store. Previously, it used our fork of unicreds, which is a Go port of credstash, which uses AWS DynamoDB and KMS.
Stealth can be run standalone for certain administrative tasks. First you'll need to compile the binary:
make build
To find all secrets that have the same value as an existing secret (for instance, to revoke a leaked secret):
./stealth dupes --environment [production OR development] --service [service-name] --key [key name]
To replace all of these values with a new one, add --update-with:
./stealth dupes --environment [production OR development] --service [service-name] --key [key name] --update-with [value to replace with]
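As an added example (not code from the stealth repository), the following Go code models what `stealth dupes` does, with and without `--update-with`, over an in-memory store. The Secret type, the Dupes function and the sample entries are assumptions constructed for illustration; real stealth reads the values from the AWS backend instead.

```go
package main

// Secret is one entry as stealth reads it back from the store. This
// in-memory shape is an assumption of the example, not stealth's own API.
type Secret struct{ Environment, Service, Key, Value string }

// SampleStore is constructed test data, not real secrets: one value shared
// by two production services, and the same value reused in development.
func SampleStore() []Secret {
	return []Secret{
		{"production", "api", "DB_PASSWORD", "hunter2"},
		{"production", "worker", "DB_PASSWORD", "hunter2"},
		{"production", "api", "API_TOKEN", "tok-123"},
		{"development", "api", "DB_PASSWORD", "hunter2"},
	}
}

// Dupes mirrors `stealth dupes [--update-with]`. It returns every other
// secret in env whose value equals the value of service/key. When
// updateWith is non-nil, the reference secret and all its duplicates are
// rewritten to *updateWith, so a leaked value is revoked everywhere it was
// shared. Other environments are never searched or modified, so a
// production leak stays scoped to production. The bool is false when the
// reference secret does not exist.
func Dupes(store []Secret, env, service, key string, updateWith *string) ([]Secret, bool) {
	ref := -1
	for i, s := range store {
		if s.Environment == env && s.Service == service && s.Key == key {
			ref = i
		}
	}
	if ref < 0 {
		return nil, false
	}
	want := store[ref].Value
	var dupes []Secret
	for i := range store {
		if store[i].Environment != env || store[i].Value != want {
			continue
		}
		if i != ref {
			dupes = append(dupes, store[i])
		}
		if updateWith != nil {
			store[i].Value = *updateWith
		}
	}
	return dupes, true
}
```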
To delete a secret:
./stealth delete --environment [production OR development] --service [service-name] --key [key name]
To write a secret:
./stealth write --environment [production OR development] --service [service-name] --key [key name] --value [key value]
To identify discrepancies in secret values across the 4 U.S. AWS regions:
./stealth health --environment=ENVIRONMENT --service=SERVICE
To run tests, use:
make test
This creates, updates, and reads secrets in the ci-test environment's secret store, using the AWS credentials in your local environment.
If you are using Terraform, you can use the module tf-credstash to set up the necessary DynamoDB table and KMS key for stealth. For example, to create a dev backend, you can use this Terraform code:
provider "aws" {}
module "stealth-dev" {
  source     = "github.com/dfuentes/tf-credstash"
  key_alias  = "alias/stealth-key-dev"
  table_name = "stealth-dev"
}
Stealth is co-owned by #eng-infra and #eng-security. For more info, see http://go/stealth