rails_kms_credentials 0.0.3 → 0.1.1
Sign up to get free protection for your applications and to get access to all the features.
- checksums.yaml +4 -4
- data/README.md +65 -0
- data/lib/rails_kms_credentials/railtie.rb +0 -4
- data/lib/rails_kms_credentials/version.rb +2 -2
- metadata +2 -3
- data/lib/tasks/credentials.rake +0 -8
checksums.yaml
CHANGED
|
@@ -1,7 +1,7 @@
|
|
|
1
1
|
---
|
|
2
2
|
SHA256:
|
|
3
|
-
metadata.gz:
|
|
4
|
-
data.tar.gz:
|
|
3
|
+
metadata.gz: ffcfd3a08a85870fd8b6766fe27ab31e56f3955e3ab896017ea9d2589da1ca01
|
|
4
|
+
data.tar.gz: b50ad3a3cef7961756cac6b67c3dee6819755310bd4941897d6fdd8a3d5741d4
|
|
5
5
|
SHA512:
|
|
6
|
-
metadata.gz:
|
|
7
|
-
data.tar.gz:
|
|
6
|
+
metadata.gz: fdfe4826eed0375403edbfaa0a308c937fe7d611eb8017ce8db072b9d93400b6033bcf806c311777dd75f38c4e965d9c3c5e06384cb1dc609c6b64366b58259d
|
|
7
|
+
data.tar.gz: b66eb3b4d6c86d2d218f427b31647844efc89d7dc0b13e8489296c6a63071f71b3cca15da2664de4c1189b9f6dc14b604e64f75b2689d0e0dcfc265e1c7cd242
|
data/README.md
CHANGED
|
@@ -1 +1,66 @@
|
|
|
1
1
|
# rails-kms-credentials
|
|
2
|
+
|
|
3
|
+
This gem expands the capabilities of `Rails.application.credentials` to support fetching the credentials from a Key Management System.
|
|
4
|
+
|
|
5
|
+
## Configuration
|
|
6
|
+
This gem will read `config/kms_credentials.yml` using `Rails.application.config_for`.
|
|
7
|
+
|
|
8
|
+
Key | Description
|
|
9
|
+
---|---
|
|
10
|
+
`store` | [Stores](#stores) The Key Managedment System to use.
|
|
11
|
+
|
|
12
|
+
## Stores
|
|
13
|
+
|
|
14
|
+
Key Management System | Config Value
|
|
15
|
+
---|---
|
|
16
|
+
[Azure Key Vault](#azure-key-vault) | `azure_key_vault`
|
|
17
|
+
|
|
18
|
+
### Azure Key Vault
|
|
19
|
+
Credentials will be loaded from a Key Vault's Secrets.
|
|
20
|
+
|
|
21
|
+
All hyphens (`-`) in a secret name will be replaced with underscores (`_`) when put into credentials (ex. `foo-bar` -> `foo_bar`).
|
|
22
|
+
|
|
23
|
+
Credentials can be nested by separating the parent key from the child key with `--` (ex. secret `foo--bar--baz` with a value of `test` will become `{foo: {bar: {baz: "test"}}}`.
|
|
24
|
+
|
|
25
|
+
Since Secrets cannot be empty in Azure Key Vault, if you need a key to show up in credentials, but need its value to be empty, then set the Secret's value to `--EMPTY--`.
|
|
26
|
+
|
|
27
|
+
#### Config
|
|
28
|
+
Key | Description
|
|
29
|
+
---|---
|
|
30
|
+
`vault` | The name of the Key Vault
|
|
31
|
+
`client` | Client specific configuration. See [Client Types](#client-types).
|
|
32
|
+
`client.type` | The [Client Type](#client-types) to use.
|
|
33
|
+
`client.secret_prefix` | The prefix that all secrets for this application will have. See [Secret Prefix](#secret-prefix).
|
|
34
|
+
|
|
35
|
+
#### Secret Prefix
|
|
36
|
+
The prefix along with `----` will be added to the beginning of the secret name (ex. `prefix: abc123` -> `abc123----some-secret`). May be specified with a string, or using your application's name by passing `true` (will use `Rails.application.class.parent.to_s.underscore.dasherize`).
|
|
37
|
+
|
|
38
|
+
|
|
39
|
+
#### Client Types
|
|
40
|
+
|
|
41
|
+
How to connect/authenticate to Azure Ket Vault.
|
|
42
|
+
|
|
43
|
+
Client | `client.type`
|
|
44
|
+
---|---
|
|
45
|
+
[Managed Identity](#managed-identity) | `managed_identity`
|
|
46
|
+
[Client Credentials](#client-credentials) | `client_credentials`
|
|
47
|
+
|
|
48
|
+
|
|
49
|
+
##### Managed Identity
|
|
50
|
+
This is the client to use when running on an [Azure VM](https://learn.microsoft.com/en-us/azure/active-directory/managed-identities-azure-resources/how-to-use-vm-token).
|
|
51
|
+
|
|
52
|
+
**Config:**
|
|
53
|
+
Key | Description
|
|
54
|
+
---|---
|
|
55
|
+
`client.type` | `managed_identity`
|
|
56
|
+
|
|
57
|
+
|
|
58
|
+
##### Client Credentials
|
|
59
|
+
This is the client to use when connecting from outside of Azure. [See here](https://learn.microsoft.com/en-us/azure/active-directory/develop/v2-oauth2-client-creds-grant-flow).
|
|
60
|
+
|
|
61
|
+
**Config**
|
|
62
|
+
Key | Description
|
|
63
|
+
---|---
|
|
64
|
+
`client.tenant_id` | The directory tenant the application plans to operate against, in GUID or domain-name format.
|
|
65
|
+
`client.client_id` | The application ID that's assigned to your app. You can find this information in the portal where you registered your app.
|
|
66
|
+
`client.client_secret` | The client secret that you generated for your app in the app registration portal.
|
metadata
CHANGED
|
@@ -1,14 +1,14 @@
|
|
|
1
1
|
--- !ruby/object:Gem::Specification
|
|
2
2
|
name: rails_kms_credentials
|
|
3
3
|
version: !ruby/object:Gem::Version
|
|
4
|
-
version: 0.
|
|
4
|
+
version: 0.1.1
|
|
5
5
|
platform: ruby
|
|
6
6
|
authors:
|
|
7
7
|
- Taylor Yelverton
|
|
8
8
|
autorequire:
|
|
9
9
|
bindir: bin
|
|
10
10
|
cert_chain: []
|
|
11
|
-
date: 2022-11-
|
|
11
|
+
date: 2022-11-10 00:00:00.000000000 Z
|
|
12
12
|
dependencies:
|
|
13
13
|
- !ruby/object:Gem::Dependency
|
|
14
14
|
name: activesupport
|
|
@@ -72,7 +72,6 @@ files:
|
|
|
72
72
|
- lib/rails_kms_credentials/store/azure_key_vault/client/managed_identity.rb
|
|
73
73
|
- lib/rails_kms_credentials/store/base.rb
|
|
74
74
|
- lib/rails_kms_credentials/version.rb
|
|
75
|
-
- lib/tasks/credentials.rake
|
|
76
75
|
- rails_kms_credentials.gemspec
|
|
77
76
|
homepage: https://github.com/ComplyMD/rails_kms_credentials
|
|
78
77
|
licenses:
|
data/lib/tasks/credentials.rake
DELETED
|
@@ -1,8 +0,0 @@
|
|
|
1
|
-
namespace :kms_creds do
|
|
2
|
-
task :show, [:environment] do |_, args|
|
|
3
|
-
end
|
|
4
|
-
|
|
5
|
-
task :edit, [:environment] do |_, args|
|
|
6
|
-
ENV['EDITOR'] += ' --wait' if ENV['EDITOR'].present? && (ENV['EDITOR'] == 'code' || ENV['EDITOR'].ends_with?('/code')) # Stupid fix for vscode exiting too quickly
|
|
7
|
-
end
|
|
8
|
-
end
|