Configuration
Environment
Ensure you have AWS_PROFILE and AWS_REGION set correctly first if you’re running this from your own machine. If you’re running this from an AWS instance. Alternatively, you can ensure that AWS_ACCESS_KEY_ID and AWS_SECRET_ACCESS_KEY are exported within your environment.
You can specify the DynamoDB table to query using either the --table flag or the GCREDSTASH_TABLE or CREDSTASH_DEFAULT_TABLE environment variables. The default table name is credential-store.
The get, getall, put, and template subcommands expect you to specify a key if you’re not using one with the default name/alias of alias/credstash. You can specify it with the -k/--key flag or the GCREDSTASH_KMS_KEY or CREDSTASH_KMS_KEY environment variables.
IAM policies
Assuming your region is us-east-1 and you’re using the default table name of credential-store…
Setup
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Action": [
        "dynamodb:CreateTable",
        "dynamodb:DescribeTable"
      ],
      "Effect": "Allow",
      "Resource": "arn:aws:dynamodb:us-east-1:AWSACCOUNTID:table/credential-store"
    },
    {
      "Action": [
        "dynamodb:ListTables"
      ],
      "Effect": "Allow",
      "Resource": "*"
    }
  ]
}
Reader
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Action": [
        "kms:Decrypt"
      ],
      "Effect": "Allow",
      "Resource": "arn:aws:kms:us-east-1:AWSACCOUNTID:key/KEY-GUID"
    },
    {
      "Action": [
        "dynamodb:GetItem",
        "dynamodb:Query",
        "dynamodb:Scan"
      ],
      "Effect": "Allow",
      "Resource": "arn:aws:dynamodb:us-east-1:AWSACCOUNTID:table/credential-store"
    }
  ]
}
Writer
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Action": [
        "kms:GenerateDataKey"
      ],
      "Effect": "Allow",
      "Resource": "arn:aws:kms:us-east-1:AWSACCOUNTID:key/KEY-GUID"
    },
    {
      "Action": [
        "dynamodb:PutItem"
      ],
      "Effect": "Allow",
      "Resource": "arn:aws:dynamodb:us-east-1:AWSACCOUNTID:table/credential-store"
    }
  ]
}
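The three policies above are the whole point of the Setup/Reader/Writer split: a reader can only decrypt and read, a writer can only wrap data keys and put items, and nothing is scoped wider than the one table and one KMS key. The script below is an added example, not part of gcredstash or this page, that checks a policy document against those expectations; the ARNs reuse the page's AWSACCOUNTID and KEY-GUID placeholders, and the over-broad policy is constructed to show what a drifted reader role looks like.

```python
import json

# Least-privilege action sets per role, taken from the Setup/Reader/Writer policies above.
EXPECTED_ACTIONS = {
    "setup": {"dynamodb:CreateTable", "dynamodb:DescribeTable", "dynamodb:ListTables"},
    "reader": {"kms:Decrypt", "dynamodb:GetItem", "dynamodb:Query", "dynamodb:Scan"},
    "writer": {"kms:GenerateDataKey", "dynamodb:PutItem"},
}
# dynamodb:ListTables has no resource-level permissions, so "*" is its only valid Resource.
WILDCARD_ONLY_ACTIONS = {"dynamodb:ListTables"}

def _as_list(value):
    """IAM accepts a single string/object or a list in Statement/Action/Resource."""
    return [value] if isinstance(value, (str, dict)) else list(value or [])

def check_policy(policy_json, allowed_actions, table_arn, key_arn):
    """Return findings (empty list means the policy stays within the expected scope)."""
    findings = []
    for i, st in enumerate(_as_list(json.loads(policy_json).get("Statement"))):
        if st.get("Effect") != "Allow":
            continue  # Deny statements only narrow access; not a finding here
        actions, resources = _as_list(st.get("Action")), _as_list(st.get("Resource"))
        for a in actions:  # wildcards like "dynamodb:*" are never in the allowed set
            if a not in allowed_actions:
                findings.append(f"statement {i}: action {a} not in the allowed set")
        for r in resources:
            if r == "*" and not set(actions) <= WILDCARD_ONLY_ACTIONS:
                findings.append(f"statement {i}: Resource * for {sorted(actions)}")
            elif r != "*" and r not in (table_arn, key_arn):
                findings.append(f"statement {i}: resource out of scope: {r}")
    return findings

TABLE_ARN = "arn:aws:dynamodb:us-east-1:AWSACCOUNTID:table/credential-store"
KEY_ARN = "arn:aws:kms:us-east-1:AWSACCOUNTID:key/KEY-GUID"

# Constructed sample: the Reader policy exactly as shown above.
READER_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [
    {"Action": ["kms:Decrypt"], "Effect": "Allow", "Resource": KEY_ARN},
    {"Action": ["dynamodb:GetItem", "dynamodb:Query", "dynamodb:Scan"], "Effect": "Allow", "Resource": TABLE_ARN},
]})
# Constructed sample: a "reader" that drifted to a wildcard KMS resource and a write action.
OVERBROAD_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [
    {"Action": "kms:Decrypt", "Effect": "Allow", "Resource": "*"},
    {"Action": ["dynamodb:GetItem", "dynamodb:PutItem"], "Effect": "Allow", "Resource": TABLE_ARN},
]})

if __name__ == "__main__":
    for name, doc in (("reader", READER_POLICY), ("overbroad", OVERBROAD_POLICY)):
        print(name, check_policy(doc, EXPECTED_ACTIONS["reader"], TABLE_ARN, KEY_ARN) or "OK")
```

Feed it the policy attached to each role before deploy (or from a periodic audit) to catch a reader that has silently gained PutItem or a key policy widened to "*".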