dotsec 0.10.0 → 0.10.1-alpha.2
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/dist/cli.js +314 -97
- package/dist/cli.js.map +3 -3
- package/dist/esm/cli.js +333 -113
- package/dist/esm/cli.js.map +3 -3
- package/dist/esm/index.js +6 -0
- package/dist/esm/index.js.map +3 -3
- package/dist/index.d.ts +13 -1
- package/dist/index.js +24 -0
- package/dist/index.js.map +3 -3
- package/package.json +6 -2
package/dist/cli.js
CHANGED
|
@@ -1,6 +1,8 @@
|
|
|
1
1
|
var __create = Object.create;
|
|
2
2
|
var __defProp = Object.defineProperty;
|
|
3
|
+
var __defProps = Object.defineProperties;
|
|
3
4
|
var __getOwnPropDesc = Object.getOwnPropertyDescriptor;
|
|
5
|
+
var __getOwnPropDescs = Object.getOwnPropertyDescriptors;
|
|
4
6
|
var __getOwnPropNames = Object.getOwnPropertyNames;
|
|
5
7
|
var __getOwnPropSymbols = Object.getOwnPropertySymbols;
|
|
6
8
|
var __getProtoOf = Object.getPrototypeOf;
|
|
@@ -18,6 +20,7 @@ var __spreadValues = (a, b) => {
|
|
|
18
20
|
}
|
|
19
21
|
return a;
|
|
20
22
|
};
|
|
23
|
+
var __spreadProps = (a, b) => __defProps(a, __getOwnPropDescs(b));
|
|
21
24
|
var __markAsModule = (target) => __defProp(target, "__esModule", { value: true });
|
|
22
25
|
var __export = (target, all) => {
|
|
23
26
|
__markAsModule(target);
|
|
@@ -62,7 +65,6 @@ var commonCliOptions = {
|
|
|
62
65
|
},
|
|
63
66
|
awsKeyAlias: {
|
|
64
67
|
string: true,
|
|
65
|
-
default: "alias/top-secret",
|
|
66
68
|
describe: "AWS KMS key alias"
|
|
67
69
|
},
|
|
68
70
|
awsKeyArn: {
|
|
@@ -75,8 +77,7 @@ var commonCliOptions = {
|
|
|
75
77
|
},
|
|
76
78
|
envFile: {
|
|
77
79
|
string: true,
|
|
78
|
-
describe: ".env file"
|
|
79
|
-
default: ".env"
|
|
80
|
+
describe: ".env file"
|
|
80
81
|
},
|
|
81
82
|
ignoreMissingEnvFile: {
|
|
82
83
|
boolean: true,
|
|
@@ -99,6 +100,14 @@ var commonCliOptions = {
|
|
|
99
100
|
boolean: true,
|
|
100
101
|
describe: "Be verbose"
|
|
101
102
|
},
|
|
103
|
+
encryptedSecretsFile: {
|
|
104
|
+
string: true,
|
|
105
|
+
describe: "filename of json file for reading encrypted secrets"
|
|
106
|
+
},
|
|
107
|
+
jsonFilter: {
|
|
108
|
+
string: true,
|
|
109
|
+
describe: "dot separated filter path, for example a.b.c will return { a: { b: { c: ... }}}"
|
|
110
|
+
},
|
|
102
111
|
yes: {
|
|
103
112
|
boolean: true,
|
|
104
113
|
describe: "Proceeds without confirmation"
|
|
@@ -321,11 +330,11 @@ __export(decryptSecCommand_exports, {
|
|
|
321
330
|
desc: () => desc2,
|
|
322
331
|
handler: () => handler2
|
|
323
332
|
});
|
|
324
|
-
var import_client_kms = __toModule(require("@aws-sdk/client-kms"));
|
|
325
|
-
var import_chalk2 = __toModule(require("chalk"));
|
|
326
|
-
var import_dotenv = __toModule(require("dotenv"));
|
|
327
333
|
var import_node_fs = __toModule(require("node:fs"));
|
|
328
334
|
var import_node_path = __toModule(require("node:path"));
|
|
335
|
+
var import_client_kms2 = __toModule(require("@aws-sdk/client-kms"));
|
|
336
|
+
var import_chalk2 = __toModule(require("chalk"));
|
|
337
|
+
var import_dotenv = __toModule(require("dotenv"));
|
|
329
338
|
|
|
330
339
|
// src/utils/io.ts
|
|
331
340
|
var import_promises = __toModule(require("fs/promises"));
|
|
@@ -357,6 +366,27 @@ var promptOverwriteIfFileExists = async ({
|
|
|
357
366
|
return overwriteResponse;
|
|
358
367
|
};
|
|
359
368
|
|
|
369
|
+
// src/utils/kms.ts
|
|
370
|
+
var import_client_kms = __toModule(require("@aws-sdk/client-kms"));
|
|
371
|
+
var getKMSClient = ({
|
|
372
|
+
configuration
|
|
373
|
+
}) => {
|
|
374
|
+
const kmsClient = new import_client_kms.KMSClient(configuration);
|
|
375
|
+
return kmsClient;
|
|
376
|
+
};
|
|
377
|
+
var getEncryptionAlgorithm = async (kmsClient, awsKeyAlias) => {
|
|
378
|
+
var _a, _b;
|
|
379
|
+
const describeKeyCommand = new import_client_kms.DescribeKeyCommand({
|
|
380
|
+
KeyId: awsKeyAlias
|
|
381
|
+
});
|
|
382
|
+
const describeKeyResult = await kmsClient.send(describeKeyCommand);
|
|
383
|
+
const encryptionAlgorithm = (_b = (_a = describeKeyResult.KeyMetadata) == null ? void 0 : _a.EncryptionAlgorithms) == null ? void 0 : _b[0];
|
|
384
|
+
if (encryptionAlgorithm === void 0) {
|
|
385
|
+
throw new Error(`Could not determine encryption algorithm`);
|
|
386
|
+
}
|
|
387
|
+
return encryptionAlgorithm;
|
|
388
|
+
};
|
|
389
|
+
|
|
360
390
|
// src/commands/decryptSecCommand.ts
|
|
361
391
|
var command2 = "decrypt-sec";
|
|
362
392
|
var desc2 = "Decrypts a dotsec file";
|
|
@@ -365,7 +395,7 @@ var builder2 = {
|
|
|
365
395
|
"aws-region": commonCliOptions.awsRegion,
|
|
366
396
|
"aws-key-alias": commonCliOptions.awsKeyAlias,
|
|
367
397
|
"assume-role-arn": commonCliOptions.awsAssumeRoleArn,
|
|
368
|
-
"env-file": commonCliOptions.envFile,
|
|
398
|
+
"env-file": __spreadProps(__spreadValues({}, commonCliOptions.envFile), { default: "env" }),
|
|
369
399
|
"sec-file": commonCliOptions.secFile,
|
|
370
400
|
verbose: commonCliOptions.verbose
|
|
371
401
|
};
|
|
@@ -381,15 +411,16 @@ var handler2 = async (argv) => {
|
|
|
381
411
|
return;
|
|
382
412
|
}
|
|
383
413
|
const parsedSec = (0, import_dotenv.parse)(import_node_fs.default.readFileSync(secSource, { encoding: "utf8" }));
|
|
384
|
-
const kmsClient = new
|
|
414
|
+
const kmsClient = new import_client_kms2.KMSClient({
|
|
385
415
|
credentials: credentialsAndOrigin.value,
|
|
386
416
|
region: regionAndOrigin.value
|
|
387
417
|
});
|
|
418
|
+
const encryptionAlgorithm = await getEncryptionAlgorithm(kmsClient, argv.awsKeyAlias);
|
|
388
419
|
const envEntries = await Promise.all(Object.entries(parsedSec).map(async ([key, cipherText]) => {
|
|
389
|
-
const decryptCommand = new
|
|
420
|
+
const decryptCommand = new import_client_kms2.DecryptCommand({
|
|
390
421
|
KeyId: argv.awsKeyAlias,
|
|
391
422
|
CiphertextBlob: Buffer.from(cipherText, "base64"),
|
|
392
|
-
EncryptionAlgorithm:
|
|
423
|
+
EncryptionAlgorithm: encryptionAlgorithm
|
|
393
424
|
});
|
|
394
425
|
const decryptionResult = await kmsClient.send(decryptCommand);
|
|
395
426
|
if (!(decryptionResult == null ? void 0 : decryptionResult.Plaintext)) {
|
|
@@ -416,50 +447,112 @@ __export(decryptSecretsJson_exports, {
|
|
|
416
447
|
desc: () => desc3,
|
|
417
448
|
handler: () => handler3
|
|
418
449
|
});
|
|
450
|
+
var import_node_fs2 = __toModule(require("node:fs"));
|
|
451
|
+
var import_node_path3 = __toModule(require("node:path"));
|
|
419
452
|
var import_client_kms3 = __toModule(require("@aws-sdk/client-kms"));
|
|
420
453
|
var import_chalk3 = __toModule(require("chalk"));
|
|
421
454
|
var import_flat = __toModule(require("flat"));
|
|
422
|
-
var import_node_fs2 = __toModule(require("node:fs"));
|
|
423
|
-
var import_node_path2 = __toModule(require("node:path"));
|
|
424
455
|
|
|
425
|
-
// src/
|
|
426
|
-
var
|
|
427
|
-
var
|
|
428
|
-
|
|
429
|
-
|
|
430
|
-
|
|
431
|
-
|
|
456
|
+
// src/lib/config.ts
|
|
457
|
+
var import_fs = __toModule(require("fs"));
|
|
458
|
+
var import_node_path2 = __toModule(require("node:path"));
|
|
459
|
+
var import_bundle_require = __toModule(require("bundle-require"));
|
|
460
|
+
var import_joycon = __toModule(require("joycon"));
|
|
461
|
+
var defaultConfig = {
|
|
462
|
+
aws: {
|
|
463
|
+
keyAlias: "alias/top-secret"
|
|
464
|
+
}
|
|
465
|
+
};
|
|
466
|
+
function jsoncParse(data) {
|
|
467
|
+
try {
|
|
468
|
+
return new Function("return " + data.trim())();
|
|
469
|
+
} catch {
|
|
470
|
+
return {};
|
|
471
|
+
}
|
|
472
|
+
}
|
|
473
|
+
var loadJson = async (filepath) => {
|
|
474
|
+
try {
|
|
475
|
+
return jsoncParse(await import_fs.default.promises.readFile(filepath, "utf8"));
|
|
476
|
+
} catch (error) {
|
|
477
|
+
if (error instanceof Error) {
|
|
478
|
+
throw new Error(`Failed to parse ${import_node_path2.default.relative(process.cwd(), filepath)}: ${error.message}`);
|
|
479
|
+
} else {
|
|
480
|
+
throw error;
|
|
481
|
+
}
|
|
482
|
+
}
|
|
483
|
+
};
|
|
484
|
+
var getConfig = async () => {
|
|
485
|
+
const cwd = process.cwd();
|
|
486
|
+
const configJoycon = new import_joycon.default();
|
|
487
|
+
const configPath = await configJoycon.resolve({
|
|
488
|
+
files: [
|
|
489
|
+
"dotsec.config.ts",
|
|
490
|
+
"dotsec.config.js",
|
|
491
|
+
"dotsec.config.cjs",
|
|
492
|
+
"dotsec.config.mjs",
|
|
493
|
+
"dotsec.config.json",
|
|
494
|
+
"package.json"
|
|
495
|
+
],
|
|
496
|
+
cwd,
|
|
497
|
+
stopDir: import_node_path2.default.parse(cwd).root,
|
|
498
|
+
packageKey: "dotsec"
|
|
499
|
+
});
|
|
500
|
+
if (configPath) {
|
|
501
|
+
if (configPath.endsWith(".json")) {
|
|
502
|
+
const rawData = await loadJson(configPath);
|
|
503
|
+
let data;
|
|
504
|
+
if (configPath.endsWith("package.json") && rawData.dotsec !== void 0) {
|
|
505
|
+
data = rawData.dotsec;
|
|
506
|
+
} else {
|
|
507
|
+
data = rawData;
|
|
508
|
+
}
|
|
509
|
+
return __spreadProps(__spreadValues(__spreadValues({}, defaultConfig), data), {
|
|
510
|
+
aws: __spreadValues(__spreadValues({}, defaultConfig.aws), data.aws)
|
|
511
|
+
});
|
|
512
|
+
}
|
|
513
|
+
const config = await (0, import_bundle_require.bundleRequire)({
|
|
514
|
+
filepath: configPath
|
|
515
|
+
});
|
|
516
|
+
const retrievedConfig = config.mod.dotsec || config.mod.default || config.mod;
|
|
517
|
+
return __spreadValues(__spreadValues({}, defaultConfig), retrievedConfig);
|
|
518
|
+
}
|
|
519
|
+
return __spreadValues({}, defaultConfig);
|
|
432
520
|
};
|
|
433
521
|
|
|
434
522
|
// src/commands/decryptSecretsJson.ts
|
|
435
523
|
var command3 = "decrypt-secrets-json";
|
|
436
524
|
var desc3 = "Derypts an encrypted file";
|
|
437
525
|
var builder3 = {
|
|
438
|
-
"aws-profile": commonCliOptions.awsProfile,
|
|
439
|
-
"aws-region": commonCliOptions.awsRegion,
|
|
440
|
-
"aws-key-alias": commonCliOptions.awsKeyAlias,
|
|
441
526
|
"secrets-file": {
|
|
442
527
|
string: true,
|
|
443
528
|
describe: "filename of json file writing secrets",
|
|
444
529
|
default: "secrets.json"
|
|
445
530
|
},
|
|
446
|
-
"encrypted-secrets-file": {
|
|
447
|
-
string: true,
|
|
448
|
-
describe: "filename of json file for reading encrypted secrets",
|
|
531
|
+
"encrypted-secrets-file": __spreadProps(__spreadValues({}, commonCliOptions.encryptedSecretsFile), {
|
|
449
532
|
default: "secrets.encrypted.json"
|
|
450
|
-
},
|
|
451
|
-
"
|
|
533
|
+
}),
|
|
534
|
+
"aws-profile": commonCliOptions.awsProfile,
|
|
535
|
+
"aws-region": commonCliOptions.awsRegion,
|
|
536
|
+
"aws-key-alias": commonCliOptions.awsKeyAlias,
|
|
537
|
+
"aws-assume-role-arn": commonCliOptions.awsAssumeRoleArn,
|
|
538
|
+
"aws-assume-role-session-duration": commonCliOptions.awsAssumeRoleSessionDuration,
|
|
452
539
|
verbose: commonCliOptions.verbose,
|
|
453
540
|
yes: __spreadValues({}, commonCliOptions.yes)
|
|
454
541
|
};
|
|
455
542
|
var handler3 = async (argv) => {
|
|
456
543
|
const { info, error } = getLogger();
|
|
544
|
+
const config = await getConfig();
|
|
457
545
|
try {
|
|
458
546
|
const { credentialsAndOrigin, regionAndOrigin } = await handleCredentialsAndRegion({
|
|
459
|
-
argv: __spreadValues({}, argv),
|
|
547
|
+
argv: __spreadProps(__spreadValues({}, argv), {
|
|
548
|
+
awsRegion: config.aws.region || argv.awsRegion,
|
|
549
|
+
awsProfile: config.aws.profile || argv.awsProfile,
|
|
550
|
+
awsAssumeRoleArn: config.aws.assumeRoleArn || argv.awsAssumeRoleArn,
|
|
551
|
+
awsAssumeRoleSessionDuration: config.aws.assumeRoleSessionDuration || argv.awsAssumeRoleSessionDuration
|
|
552
|
+
}),
|
|
460
553
|
env: __spreadValues({}, process.env)
|
|
461
554
|
});
|
|
462
|
-
const encryptedSecretsPath =
|
|
555
|
+
const encryptedSecretsPath = import_node_path3.default.resolve(process.cwd(), argv.encryptedSecretsFile);
|
|
463
556
|
if (!await fileExists(encryptedSecretsPath)) {
|
|
464
557
|
error(`Could not open ${(0, import_chalk3.redBright)(encryptedSecretsPath)}`);
|
|
465
558
|
return;
|
|
@@ -476,19 +569,21 @@ var handler3 = async (argv) => {
|
|
|
476
569
|
},
|
|
477
570
|
verbose: argv.verbose
|
|
478
571
|
});
|
|
572
|
+
const awsKeyAlias = argv.awsKeyAlias || config.aws.keyAlias;
|
|
479
573
|
if (argv.verbose) {
|
|
480
|
-
info(`Encrypting using key alias ${bold(
|
|
574
|
+
info(`Encrypting using key alias ${bold(awsKeyAlias)} in ${bold(await kmsClient.config.region())}`);
|
|
481
575
|
const describeKeyCommand = new import_client_kms3.DescribeKeyCommand({
|
|
482
|
-
KeyId:
|
|
576
|
+
KeyId: awsKeyAlias
|
|
483
577
|
});
|
|
484
578
|
const describeKeyResult = await kmsClient.send(describeKeyCommand);
|
|
485
|
-
|
|
579
|
+
info("keyMetaData", __spreadValues({}, describeKeyResult.KeyMetadata));
|
|
486
580
|
}
|
|
581
|
+
const encryptionAlgorithm = await getEncryptionAlgorithm(kmsClient, awsKeyAlias);
|
|
487
582
|
const flatParameters = Object.fromEntries(await Promise.all(Object.entries(flatEncryptedParameters).map(async ([parameterName, encryptedParameter]) => {
|
|
488
583
|
const decryptCommand = new import_client_kms3.DecryptCommand({
|
|
489
584
|
KeyId: argv.awsKeyAlias,
|
|
490
585
|
CiphertextBlob: Buffer.from(encryptedParameter, "base64"),
|
|
491
|
-
EncryptionAlgorithm:
|
|
586
|
+
EncryptionAlgorithm: encryptionAlgorithm
|
|
492
587
|
});
|
|
493
588
|
const decryptionResult = await kmsClient.send(decryptCommand);
|
|
494
589
|
if (!decryptionResult.Plaintext) {
|
|
@@ -501,6 +596,13 @@ var handler3 = async (argv) => {
|
|
|
501
596
|
if (argv.verbose) {
|
|
502
597
|
info(`Encrypting key ${bold(parameterName)} ${underline("ok")}`);
|
|
503
598
|
}
|
|
599
|
+
const plaintext = Buffer.from(decryptionResult.Plaintext).toString();
|
|
600
|
+
try {
|
|
601
|
+
const jsonObject = JSON.parse(plaintext);
|
|
602
|
+
return [parameterName, jsonObject];
|
|
603
|
+
} catch (e) {
|
|
604
|
+
console.log("NOPES", plaintext);
|
|
605
|
+
}
|
|
504
606
|
const value = Buffer.from(decryptionResult.Plaintext).toString();
|
|
505
607
|
return [parameterName, value];
|
|
506
608
|
})));
|
|
@@ -509,7 +611,7 @@ var handler3 = async (argv) => {
|
|
|
509
611
|
config: encryptedSecrets.config,
|
|
510
612
|
parameters
|
|
511
613
|
};
|
|
512
|
-
const secretsPath =
|
|
614
|
+
const secretsPath = import_node_path3.default.resolve(process.cwd(), argv.secretsFile);
|
|
513
615
|
const overwriteResponse = await promptOverwriteIfFileExists({
|
|
514
616
|
filePath: secretsPath,
|
|
515
617
|
skip: argv.yes
|
|
@@ -531,11 +633,36 @@ __export(defaultCommand_exports, {
|
|
|
531
633
|
handler: () => handler4
|
|
532
634
|
});
|
|
533
635
|
var import_node_fs3 = __toModule(require("node:fs"));
|
|
534
|
-
var
|
|
636
|
+
var import_node_path4 = __toModule(require("node:path"));
|
|
535
637
|
var import_client_kms4 = __toModule(require("@aws-sdk/client-kms"));
|
|
536
|
-
var
|
|
638
|
+
var import_chalk5 = __toModule(require("chalk"));
|
|
639
|
+
var import_constant_case = __toModule(require("constant-case"));
|
|
537
640
|
var import_cross_spawn = __toModule(require("cross-spawn"));
|
|
538
641
|
var import_dotenv2 = __toModule(require("dotenv"));
|
|
642
|
+
var import_flat2 = __toModule(require("flat"));
|
|
643
|
+
|
|
644
|
+
// src/lib/encryptedSecrets.ts
|
|
645
|
+
var import_fs2 = __toModule(require("fs"));
|
|
646
|
+
var import_path = __toModule(require("path"));
|
|
647
|
+
var import_chalk4 = __toModule(require("chalk"));
|
|
648
|
+
var loadEncryptedSecrets = async ({
|
|
649
|
+
encryptedSecretsFile
|
|
650
|
+
}) => {
|
|
651
|
+
const encryptedSecretsPath = import_path.default.resolve(process.cwd(), encryptedSecretsFile);
|
|
652
|
+
if (!await fileExists(encryptedSecretsPath)) {
|
|
653
|
+
throw new Error(`Could not open ${(0, import_chalk4.redBright)(encryptedSecretsPath)}`);
|
|
654
|
+
}
|
|
655
|
+
const encryptedSecrets = JSON.parse(import_fs2.default.readFileSync(encryptedSecretsPath, { encoding: "utf8" }));
|
|
656
|
+
if (!encryptedSecrets) {
|
|
657
|
+
throw new Error(`No encrypted secrets found in ${(0, import_chalk4.redBright)(encryptedSecretsPath)}`);
|
|
658
|
+
}
|
|
659
|
+
if (!encryptedSecrets.encryptedParameters) {
|
|
660
|
+
throw new Error(`Expected 'encryptedParameters' property, but got none`);
|
|
661
|
+
}
|
|
662
|
+
return encryptedSecrets;
|
|
663
|
+
};
|
|
664
|
+
|
|
665
|
+
// src/commands/defaultCommand.ts
|
|
539
666
|
var command4 = "$0 <command>";
|
|
540
667
|
var desc4 = "Decrypts a .sec file, injects the results into a separate process and runs a command";
|
|
541
668
|
var builder4 = {
|
|
@@ -547,6 +674,8 @@ var builder4 = {
|
|
|
547
674
|
"ignore-missing-env-file": commonCliOptions.ignoreMissingEnvFile,
|
|
548
675
|
"aws-assume-role-arn": commonCliOptions.awsAssumeRoleArn,
|
|
549
676
|
"aws-assume-role-session-duration": commonCliOptions.awsAssumeRoleSessionDuration,
|
|
677
|
+
"encrypted-secrets-file": commonCliOptions.encryptedSecretsFile,
|
|
678
|
+
"json-filter": commonCliOptions.jsonFilter,
|
|
550
679
|
verbose: commonCliOptions.verbose,
|
|
551
680
|
command: { string: true, required: true }
|
|
552
681
|
};
|
|
@@ -556,9 +685,9 @@ var handleSec = async ({
|
|
|
556
685
|
regionAndOrigin,
|
|
557
686
|
awsKeyAlias
|
|
558
687
|
}) => {
|
|
559
|
-
const secSource =
|
|
688
|
+
const secSource = import_node_path4.default.resolve(process.cwd(), secFile);
|
|
560
689
|
if (!await fileExists(secSource)) {
|
|
561
|
-
console.error(`Could not open ${(0,
|
|
690
|
+
console.error(`Could not open ${(0, import_chalk5.redBright)(secSource)}`);
|
|
562
691
|
return;
|
|
563
692
|
}
|
|
564
693
|
const parsedSec = (0, import_dotenv2.parse)(import_node_fs3.default.readFileSync(secSource, { encoding: "utf8" }));
|
|
@@ -566,11 +695,59 @@ var handleSec = async ({
|
|
|
566
695
|
credentials: credentialsAndOrigin.value,
|
|
567
696
|
region: regionAndOrigin.value
|
|
568
697
|
});
|
|
698
|
+
const encryptionAlgorithm = await getEncryptionAlgorithm(kmsClient, awsKeyAlias);
|
|
569
699
|
const envEntries = await Promise.all(Object.entries(parsedSec).map(async ([key, cipherText]) => {
|
|
570
700
|
const decryptCommand = new import_client_kms4.DecryptCommand({
|
|
571
701
|
KeyId: awsKeyAlias,
|
|
572
702
|
CiphertextBlob: Buffer.from(cipherText, "base64"),
|
|
573
|
-
EncryptionAlgorithm:
|
|
703
|
+
EncryptionAlgorithm: encryptionAlgorithm
|
|
704
|
+
});
|
|
705
|
+
const decryptionResult = await kmsClient.send(decryptCommand);
|
|
706
|
+
if (!(decryptionResult == null ? void 0 : decryptionResult.Plaintext)) {
|
|
707
|
+
throw new Error(`No: ${JSON.stringify({
|
|
708
|
+
key,
|
|
709
|
+
cipherText,
|
|
710
|
+
decryptCommand
|
|
711
|
+
})}`);
|
|
712
|
+
}
|
|
713
|
+
const value = Buffer.from(decryptionResult.Plaintext).toString();
|
|
714
|
+
return [key, value];
|
|
715
|
+
}));
|
|
716
|
+
const env = Object.fromEntries(envEntries);
|
|
717
|
+
return env;
|
|
718
|
+
};
|
|
719
|
+
var handleEncryptedJson = async ({
|
|
720
|
+
encryptedSecretsFile,
|
|
721
|
+
jsonFilter,
|
|
722
|
+
credentialsAndOrigin,
|
|
723
|
+
regionAndOrigin,
|
|
724
|
+
awsKeyAlias
|
|
725
|
+
}) => {
|
|
726
|
+
const encryptedSecrets = await loadEncryptedSecrets({
|
|
727
|
+
encryptedSecretsFile
|
|
728
|
+
});
|
|
729
|
+
const flattened = import_flat2.default.flatten(encryptedSecrets.encryptedParameters, {
|
|
730
|
+
delimiter: "__",
|
|
731
|
+
transformKey: (key) => {
|
|
732
|
+
return (0, import_constant_case.constantCase)(key);
|
|
733
|
+
}
|
|
734
|
+
});
|
|
735
|
+
const kmsClient = new import_client_kms4.KMSClient({
|
|
736
|
+
credentials: credentialsAndOrigin.value,
|
|
737
|
+
region: regionAndOrigin.value
|
|
738
|
+
});
|
|
739
|
+
const encryptionAlgorithm = await getEncryptionAlgorithm(kmsClient, awsKeyAlias);
|
|
740
|
+
const filterKey = jsonFilter == null ? void 0 : jsonFilter.split(".").map((part) => (0, import_constant_case.constantCase)(part)).join("__");
|
|
741
|
+
const envEntries = await Promise.all(Object.entries(flattened).filter(([key]) => {
|
|
742
|
+
if (filterKey) {
|
|
743
|
+
return key.indexOf(filterKey) === 0;
|
|
744
|
+
}
|
|
745
|
+
return true;
|
|
746
|
+
}).map(async ([key, cipherText]) => {
|
|
747
|
+
const decryptCommand = new import_client_kms4.DecryptCommand({
|
|
748
|
+
KeyId: awsKeyAlias,
|
|
749
|
+
CiphertextBlob: Buffer.from(cipherText, "base64"),
|
|
750
|
+
EncryptionAlgorithm: encryptionAlgorithm
|
|
574
751
|
});
|
|
575
752
|
const decryptionResult = await kmsClient.send(decryptCommand);
|
|
576
753
|
if (!(decryptionResult == null ? void 0 : decryptionResult.Plaintext)) {
|
|
@@ -587,6 +764,7 @@ var handleSec = async ({
|
|
|
587
764
|
return env;
|
|
588
765
|
};
|
|
589
766
|
var handler4 = async (argv) => {
|
|
767
|
+
const config = await getConfig();
|
|
590
768
|
try {
|
|
591
769
|
let env;
|
|
592
770
|
let awsEnv;
|
|
@@ -595,8 +773,13 @@ var handler4 = async (argv) => {
|
|
|
595
773
|
env = (0, import_dotenv2.parse)(import_node_fs3.default.readFileSync(argv.envFile, { encoding: "utf8" }));
|
|
596
774
|
if (argv.awsAssumeRoleArn || process.env.AWS_ASSUME_ROLE_ARN || (env == null ? void 0 : env.AWS_ASSUME_ROLE_ARN)) {
|
|
597
775
|
const { credentialsAndOrigin, regionAndOrigin } = await handleCredentialsAndRegion({
|
|
598
|
-
argv: __spreadValues({}, argv),
|
|
599
|
-
|
|
776
|
+
argv: __spreadProps(__spreadValues({}, argv), {
|
|
777
|
+
awsRegion: config.aws.region || argv.awsRegion,
|
|
778
|
+
awsProfile: config.aws.profile || argv.awsProfile,
|
|
779
|
+
awsAssumeRoleArn: config.aws.assumeRoleArn || argv.awsAssumeRoleArn,
|
|
780
|
+
awsAssumeRoleSessionDuration: config.aws.assumeRoleSessionDuration || argv.awsAssumeRoleSessionDuration
|
|
781
|
+
}),
|
|
782
|
+
env: __spreadValues({}, process.env)
|
|
600
783
|
});
|
|
601
784
|
awsEnv = {
|
|
602
785
|
AWS_ACCESS_KEY_ID: credentialsAndOrigin.value.accessKeyId,
|
|
@@ -608,8 +791,13 @@ var handler4 = async (argv) => {
|
|
|
608
791
|
}
|
|
609
792
|
} else {
|
|
610
793
|
const { credentialsAndOrigin, regionAndOrigin } = await handleCredentialsAndRegion({
|
|
611
|
-
argv: __spreadValues({}, argv),
|
|
612
|
-
|
|
794
|
+
argv: __spreadProps(__spreadValues({}, argv), {
|
|
795
|
+
awsRegion: config.aws.region || argv.awsRegion,
|
|
796
|
+
awsProfile: config.aws.profile || argv.awsProfile,
|
|
797
|
+
awsAssumeRoleArn: config.aws.assumeRoleArn || argv.awsAssumeRoleArn,
|
|
798
|
+
awsAssumeRoleSessionDuration: config.aws.assumeRoleSessionDuration || argv.awsAssumeRoleSessionDuration
|
|
799
|
+
}),
|
|
800
|
+
env: __spreadValues({}, process.env)
|
|
613
801
|
});
|
|
614
802
|
if ((argv.awsAssumeRoleArn || process.env.AWS_ASSUME_ROLE_ARN || (env == null ? void 0 : env.AWS_ASSUME_ROLE_ARN)) && credentialsAndOrigin.value.sessionToken !== void 0) {
|
|
615
803
|
awsEnv = {
|
|
@@ -621,12 +809,23 @@ var handler4 = async (argv) => {
|
|
|
621
809
|
if (argv.verbose) {
|
|
622
810
|
console.log({ credentialsAndOrigin, regionAndOrigin });
|
|
623
811
|
}
|
|
624
|
-
|
|
625
|
-
|
|
626
|
-
|
|
627
|
-
|
|
628
|
-
|
|
629
|
-
|
|
812
|
+
const awsKeyAlias = argv.awsKeyAlias || config.aws.keyAlias;
|
|
813
|
+
if (argv.encryptedSecretsFile) {
|
|
814
|
+
env = await handleEncryptedJson({
|
|
815
|
+
encryptedSecretsFile: argv.encryptedSecretsFile,
|
|
816
|
+
jsonFilter: argv.jsonFilter,
|
|
817
|
+
credentialsAndOrigin,
|
|
818
|
+
regionAndOrigin,
|
|
819
|
+
awsKeyAlias
|
|
820
|
+
});
|
|
821
|
+
} else {
|
|
822
|
+
env = await handleSec({
|
|
823
|
+
secFile: argv.secFile,
|
|
824
|
+
credentialsAndOrigin,
|
|
825
|
+
regionAndOrigin,
|
|
826
|
+
awsKeyAlias
|
|
827
|
+
});
|
|
828
|
+
}
|
|
630
829
|
}
|
|
631
830
|
} catch (e) {
|
|
632
831
|
if (argv.ignoreMissingEnvFile !== true) {
|
|
@@ -654,18 +853,18 @@ __export(encryptEnvCommand_exports, {
|
|
|
654
853
|
desc: () => desc5,
|
|
655
854
|
handler: () => handler5
|
|
656
855
|
});
|
|
856
|
+
var import_node_fs4 = __toModule(require("node:fs"));
|
|
857
|
+
var import_node_path5 = __toModule(require("node:path"));
|
|
657
858
|
var import_client_kms5 = __toModule(require("@aws-sdk/client-kms"));
|
|
658
|
-
var
|
|
859
|
+
var import_chalk6 = __toModule(require("chalk"));
|
|
659
860
|
var import_dotenv3 = __toModule(require("dotenv"));
|
|
660
|
-
var import_node_fs4 = __toModule(require("node:fs"));
|
|
661
|
-
var import_node_path4 = __toModule(require("node:path"));
|
|
662
861
|
var command5 = "encrypt-env";
|
|
663
862
|
var desc5 = "Encrypts a dotenv file";
|
|
664
863
|
var builder5 = {
|
|
665
864
|
"aws-profile": commonCliOptions.awsProfile,
|
|
666
865
|
"aws-region": commonCliOptions.awsRegion,
|
|
667
866
|
"aws-key-alias": commonCliOptions.awsKeyAlias,
|
|
668
|
-
"env-file": commonCliOptions.envFile,
|
|
867
|
+
"env-file": __spreadProps(__spreadValues({}, commonCliOptions.envFile), { default: ".env" }),
|
|
669
868
|
"sec-file": commonCliOptions.secFile,
|
|
670
869
|
"assume-role-arn": commonCliOptions.awsAssumeRoleArn,
|
|
671
870
|
verbose: commonCliOptions.verbose
|
|
@@ -677,9 +876,9 @@ var handler5 = async (argv) => {
|
|
|
677
876
|
argv: __spreadValues({}, argv),
|
|
678
877
|
env: __spreadValues({}, process.env)
|
|
679
878
|
});
|
|
680
|
-
const envSource =
|
|
879
|
+
const envSource = import_node_path5.default.resolve(process.cwd(), argv.envFile);
|
|
681
880
|
if (!await fileExists(envSource)) {
|
|
682
|
-
error(`Could not open ${(0,
|
|
881
|
+
error(`Could not open ${(0, import_chalk6.redBright)(envSource)}`);
|
|
683
882
|
return;
|
|
684
883
|
}
|
|
685
884
|
const parsedEnv = (0, import_dotenv3.parse)(import_node_fs4.default.readFileSync(envSource, { encoding: "utf8" }));
|
|
@@ -690,6 +889,7 @@ var handler5 = async (argv) => {
|
|
|
690
889
|
},
|
|
691
890
|
verbose: argv.verbose
|
|
692
891
|
});
|
|
892
|
+
const encryptionAlgorithm = await getEncryptionAlgorithm(kmsClient, argv.awsKeyAlias);
|
|
693
893
|
if (argv.verbose) {
|
|
694
894
|
info(`Encrypting using key alias ${bold(argv.awsKeyAlias)} in ${bold(await kmsClient.config.region())}`);
|
|
695
895
|
const describeKeyCommand = new import_client_kms5.DescribeKeyCommand({
|
|
@@ -702,7 +902,7 @@ var handler5 = async (argv) => {
|
|
|
702
902
|
const encryptCommand = new import_client_kms5.EncryptCommand({
|
|
703
903
|
KeyId: argv.awsKeyAlias,
|
|
704
904
|
Plaintext: Buffer.from(value),
|
|
705
|
-
EncryptionAlgorithm:
|
|
905
|
+
EncryptionAlgorithm: encryptionAlgorithm
|
|
706
906
|
});
|
|
707
907
|
const encryptionResult = await kmsClient.send(encryptCommand);
|
|
708
908
|
if (!encryptionResult.CiphertextBlob) {
|
|
@@ -718,7 +918,7 @@ var handler5 = async (argv) => {
|
|
|
718
918
|
const cipherText = Buffer.from(encryptionResult.CiphertextBlob).toString("base64");
|
|
719
919
|
return `${key}="${cipherText}"`;
|
|
720
920
|
}))).join("\n");
|
|
721
|
-
import_node_fs4.default.writeFileSync(
|
|
921
|
+
import_node_fs4.default.writeFileSync(import_node_path5.default.resolve(process.cwd(), argv.secFile), sec);
|
|
722
922
|
} catch (e) {
|
|
723
923
|
error(e);
|
|
724
924
|
}
|
|
@@ -733,16 +933,13 @@ __export(encryptSecretsJson_exports, {
|
|
|
733
933
|
handler: () => handler6
|
|
734
934
|
});
|
|
735
935
|
var import_node_fs5 = __toModule(require("node:fs"));
|
|
736
|
-
var
|
|
936
|
+
var import_node_path6 = __toModule(require("node:path"));
|
|
737
937
|
var import_client_kms6 = __toModule(require("@aws-sdk/client-kms"));
|
|
738
|
-
var
|
|
739
|
-
var
|
|
938
|
+
var import_chalk7 = __toModule(require("chalk"));
|
|
939
|
+
var import_flat3 = __toModule(require("flat"));
|
|
740
940
|
var command6 = "encrypt-secrets-json";
|
|
741
941
|
var desc6 = "Encrypts an unencrypted file";
|
|
742
942
|
var builder6 = {
|
|
743
|
-
"aws-profile": commonCliOptions.awsProfile,
|
|
744
|
-
"aws-region": commonCliOptions.awsRegion,
|
|
745
|
-
"aws-key-alias": commonCliOptions.awsKeyAlias,
|
|
746
943
|
"secrets-file": {
|
|
747
944
|
string: true,
|
|
748
945
|
describe: "filename of json file reading secrets",
|
|
@@ -753,29 +950,39 @@ var builder6 = {
|
|
|
753
950
|
describe: "filename of json file for writing encrypted secrets",
|
|
754
951
|
default: "secrets.encrypted.json"
|
|
755
952
|
},
|
|
756
|
-
"
|
|
953
|
+
"aws-profile": commonCliOptions.awsProfile,
|
|
954
|
+
"aws-region": commonCliOptions.awsRegion,
|
|
955
|
+
"aws-key-alias": commonCliOptions.awsKeyAlias,
|
|
956
|
+
"aws-assume-role-arn": commonCliOptions.awsAssumeRoleArn,
|
|
957
|
+
"aws-assume-role-session-duration": commonCliOptions.awsAssumeRoleSessionDuration,
|
|
757
958
|
verbose: commonCliOptions.verbose,
|
|
758
959
|
yes: __spreadValues({}, commonCliOptions.yes)
|
|
759
960
|
};
|
|
760
961
|
var handler6 = async (argv) => {
|
|
962
|
+
const config = await getConfig();
|
|
761
963
|
const { info, error } = getLogger();
|
|
762
964
|
try {
|
|
763
965
|
const { credentialsAndOrigin, regionAndOrigin } = await handleCredentialsAndRegion({
|
|
764
|
-
argv: __spreadValues({}, argv),
|
|
966
|
+
argv: __spreadProps(__spreadValues({}, argv), {
|
|
967
|
+
awsRegion: config.aws.region || argv.awsRegion,
|
|
968
|
+
awsProfile: config.aws.profile || argv.awsProfile,
|
|
969
|
+
awsAssumeRoleArn: config.aws.assumeRoleArn || argv.awsAssumeRoleArn,
|
|
970
|
+
awsAssumeRoleSessionDuration: config.aws.assumeRoleSessionDuration || argv.awsAssumeRoleSessionDuration
|
|
971
|
+
}),
|
|
765
972
|
env: __spreadValues({}, process.env)
|
|
766
973
|
});
|
|
767
|
-
const secretsPath =
|
|
974
|
+
const secretsPath = import_node_path6.default.resolve(process.cwd(), argv.secretsFile);
|
|
768
975
|
if (!await fileExists(secretsPath)) {
|
|
769
|
-
error(`Could not open ${(0,
|
|
976
|
+
error(`Could not open ${(0, import_chalk7.redBright)(secretsPath)}`);
|
|
770
977
|
return;
|
|
771
978
|
}
|
|
772
979
|
const secrets = JSON.parse(import_node_fs5.default.readFileSync(secretsPath, { encoding: "utf8" }));
|
|
773
980
|
if (!secrets.parameters) {
|
|
774
981
|
throw new Error(`Expected 'parameters' property, but got none`);
|
|
775
982
|
}
|
|
776
|
-
const flatParameters = (0,
|
|
983
|
+
const flatParameters = (0, import_flat3.default)(secrets.parameters, { delimiter: "/", maxDepth: config.maxDepth });
|
|
777
984
|
if (argv.verbose) {
|
|
778
|
-
|
|
985
|
+
info(flatParameters);
|
|
779
986
|
}
|
|
780
987
|
const kmsClient = getKMSClient({
|
|
781
988
|
configuration: {
|
|
@@ -784,19 +991,25 @@ var handler6 = async (argv) => {
|
|
|
784
991
|
},
|
|
785
992
|
verbose: argv.verbose
|
|
786
993
|
});
|
|
994
|
+
const awsKeyAlias = argv.awsKeyAlias || config.aws.keyAlias;
|
|
787
995
|
if (argv.verbose) {
|
|
788
|
-
info(`Encrypting using key alias ${bold(
|
|
996
|
+
info(`Encrypting using key alias ${bold(awsKeyAlias)} in ${bold(await kmsClient.config.region())}`);
|
|
789
997
|
const describeKeyCommand = new import_client_kms6.DescribeKeyCommand({
|
|
790
|
-
KeyId:
|
|
998
|
+
KeyId: awsKeyAlias
|
|
791
999
|
});
|
|
792
1000
|
const describeKeyResult = await kmsClient.send(describeKeyCommand);
|
|
793
|
-
|
|
1001
|
+
info("keyMetaData", __spreadValues({}, describeKeyResult.KeyMetadata));
|
|
794
1002
|
}
|
|
1003
|
+
const encryptionAlgorithm = await getEncryptionAlgorithm(kmsClient, awsKeyAlias);
|
|
795
1004
|
const encryptedFlatParameters = Object.fromEntries(await Promise.all(Object.entries(flatParameters).map(async ([parameterName, parameter]) => {
|
|
1005
|
+
let parameterCopy = parameter;
|
|
1006
|
+
if (typeof parameter !== "string" && typeof parameter !== "number" && typeof parameter !== "boolean") {
|
|
1007
|
+
parameterCopy = JSON.stringify(parameter);
|
|
1008
|
+
}
|
|
796
1009
|
const encryptCommand = new import_client_kms6.EncryptCommand({
|
|
797
|
-
KeyId:
|
|
798
|
-
Plaintext: Buffer.from(
|
|
799
|
-
EncryptionAlgorithm:
|
|
1010
|
+
KeyId: awsKeyAlias,
|
|
1011
|
+
Plaintext: Buffer.from(String(parameterCopy)),
|
|
1012
|
+
EncryptionAlgorithm: encryptionAlgorithm
|
|
800
1013
|
});
|
|
801
1014
|
const encryptionResult = await kmsClient.send(encryptCommand);
|
|
802
1015
|
if (!encryptionResult.CiphertextBlob) {
|
|
@@ -812,12 +1025,12 @@ var handler6 = async (argv) => {
|
|
|
812
1025
|
const cipherText = Buffer.from(encryptionResult.CiphertextBlob).toString("base64");
|
|
813
1026
|
return [parameterName, cipherText];
|
|
814
1027
|
})));
|
|
815
|
-
const encryptedParameters =
|
|
1028
|
+
const encryptedParameters = import_flat3.default.unflatten(encryptedFlatParameters, { delimiter: "/" });
|
|
816
1029
|
const encryptedSecrets = {
|
|
817
1030
|
config: secrets.config,
|
|
818
1031
|
encryptedParameters
|
|
819
1032
|
};
|
|
820
|
-
const encryptedSecretsPath =
|
|
1033
|
+
const encryptedSecretsPath = import_node_path6.default.resolve(process.cwd(), argv.encryptedSecretsFile);
|
|
821
1034
|
const overwriteResponse = await promptOverwriteIfFileExists({
|
|
822
1035
|
filePath: encryptedSecretsPath,
|
|
823
1036
|
skip: argv.yes
|
|
@@ -838,44 +1051,51 @@ __export(offloadToSSMCommand_exports, {
|
|
|
838
1051
|
desc: () => desc7,
|
|
839
1052
|
handler: () => handler7
|
|
840
1053
|
});
|
|
1054
|
+
var import_node_fs6 = __toModule(require("node:fs"));
|
|
1055
|
+
var import_node_path7 = __toModule(require("node:path"));
|
|
841
1056
|
var import_client_kms7 = __toModule(require("@aws-sdk/client-kms"));
|
|
842
1057
|
var import_client_ssm3 = __toModule(require("@aws-sdk/client-ssm"));
|
|
843
|
-
var
|
|
844
|
-
var
|
|
845
|
-
var import_node_fs6 = __toModule(require("node:fs"));
|
|
846
|
-
var import_node_path6 = __toModule(require("node:path"));
|
|
1058
|
+
var import_chalk8 = __toModule(require("chalk"));
|
|
1059
|
+
var import_flat4 = __toModule(require("flat"));
|
|
847
1060
|
var command7 = "offload-secrets-json-to-ssm";
|
|
848
1061
|
var desc7 = "Sends decrypted values of secrets.encrypted.json file to SSM parameter store";
|
|
849
1062
|
var builder7 = {
|
|
850
|
-
"aws-profile": commonCliOptions.awsProfile,
|
|
851
|
-
"aws-region": commonCliOptions.awsRegion,
|
|
852
|
-
"aws-key-alias": commonCliOptions.awsKeyAlias,
|
|
853
1063
|
"encrypted-secrets-file": {
|
|
854
1064
|
string: true,
|
|
855
|
-
describe: "filename of json file for
|
|
1065
|
+
describe: "filename of json file for writing encrypted secrets",
|
|
856
1066
|
default: "secrets.encrypted.json"
|
|
857
1067
|
},
|
|
858
|
-
"
|
|
1068
|
+
"aws-profile": commonCliOptions.awsProfile,
|
|
1069
|
+
"aws-region": commonCliOptions.awsRegion,
|
|
1070
|
+
"aws-key-alias": commonCliOptions.awsKeyAlias,
|
|
1071
|
+
"aws-assume-role-arn": commonCliOptions.awsAssumeRoleArn,
|
|
1072
|
+
"aws-assume-role-session-duration": commonCliOptions.awsAssumeRoleSessionDuration,
|
|
859
1073
|
verbose: commonCliOptions.verbose,
|
|
860
1074
|
yes: __spreadValues({}, commonCliOptions.yes)
|
|
861
1075
|
};
|
|
862
1076
|
var handler7 = async (argv) => {
|
|
1077
|
+
const config = await getConfig();
|
|
863
1078
|
const { info, error } = getLogger();
|
|
864
1079
|
try {
|
|
865
1080
|
const { credentialsAndOrigin, regionAndOrigin } = await handleCredentialsAndRegion({
|
|
866
|
-
argv: __spreadValues({}, argv),
|
|
1081
|
+
argv: __spreadProps(__spreadValues({}, argv), {
|
|
1082
|
+
awsRegion: config.aws.region || argv.awsRegion,
|
|
1083
|
+
awsProfile: config.aws.profile || argv.awsProfile,
|
|
1084
|
+
awsAssumeRoleArn: config.aws.assumeRoleArn || argv.awsAssumeRoleArn,
|
|
1085
|
+
awsAssumeRoleSessionDuration: config.aws.assumeRoleSessionDuration || argv.awsAssumeRoleSessionDuration
|
|
1086
|
+
}),
|
|
867
1087
|
env: __spreadValues({}, process.env)
|
|
868
1088
|
});
|
|
869
|
-
const encryptedSecretsPath =
|
|
1089
|
+
const encryptedSecretsPath = import_node_path7.default.resolve(process.cwd(), argv.encryptedSecretsFile);
|
|
870
1090
|
if (!await fileExists(encryptedSecretsPath)) {
|
|
871
|
-
error(`Could not open ${(0,
|
|
1091
|
+
error(`Could not open ${(0, import_chalk8.redBright)(encryptedSecretsPath)}`);
|
|
872
1092
|
return;
|
|
873
1093
|
}
|
|
874
1094
|
const encryptedSecrets = JSON.parse(import_node_fs6.default.readFileSync(encryptedSecretsPath, { encoding: "utf8" }));
|
|
875
1095
|
if (!encryptedSecrets.encryptedParameters) {
|
|
876
1096
|
throw new Error(`Expected 'encryptedParameters' property, but got none`);
|
|
877
1097
|
}
|
|
878
|
-
const flatEncryptedParameters = (0,
|
|
1098
|
+
const flatEncryptedParameters = (0, import_flat4.default)(encryptedSecrets.encryptedParameters, { delimiter: "/" });
|
|
879
1099
|
const kmsClient = getKMSClient({
|
|
880
1100
|
configuration: {
|
|
881
1101
|
credentials: credentialsAndOrigin.value,
|
|
@@ -883,19 +1103,16 @@ var handler7 = async (argv) => {
|
|
|
883
1103
|
},
|
|
884
1104
|
verbose: argv.verbose
|
|
885
1105
|
});
|
|
1106
|
+
const awsKeyAlias = argv.awsKeyAlias || config.aws.keyAlias;
|
|
886
1107
|
if (argv.verbose) {
|
|
887
|
-
info(`Encrypting using key alias ${bold(
|
|
888
|
-
const describeKeyCommand = new import_client_kms7.DescribeKeyCommand({
|
|
889
|
-
KeyId: argv.awsKeyAlias
|
|
890
|
-
});
|
|
891
|
-
const describeKeyResult = await kmsClient.send(describeKeyCommand);
|
|
892
|
-
console.log("describeKeyResult", { describeKeyResult });
|
|
1108
|
+
info(`Encrypting using key alias ${bold(awsKeyAlias)} in ${bold(await kmsClient.config.region())}`);
|
|
893
1109
|
}
|
|
1110
|
+
const encryptionAlgorithm = await getEncryptionAlgorithm(kmsClient, awsKeyAlias);
|
|
894
1111
|
const flatParameters = Object.fromEntries(await Promise.all(Object.entries(flatEncryptedParameters).map(async ([parameterName, encryptedParameter]) => {
|
|
895
1112
|
const decryptCommand = new import_client_kms7.DecryptCommand({
|
|
896
1113
|
KeyId: argv.awsKeyAlias,
|
|
897
1114
|
CiphertextBlob: Buffer.from(encryptedParameter, "base64"),
|
|
898
|
-
EncryptionAlgorithm:
|
|
1115
|
+
EncryptionAlgorithm: encryptionAlgorithm
|
|
899
1116
|
});
|
|
900
1117
|
const decryptionResult = await kmsClient.send(decryptCommand);
|
|
901
1118
|
if (!decryptionResult.Plaintext) {
|