npm - dotsec - Versions diffs - 0.8.0 → 0.10.1-alpha.0 - Mend

dotsec 0.8.0 → 0.10.1-alpha.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (5) hide show

package/dist/cli.js CHANGED Viewed

@@ -1,6 +1,8 @@
 var __create = Object.create;
 var __defProp = Object.defineProperty;
+var __defProps = Object.defineProperties;
 var __getOwnPropDesc = Object.getOwnPropertyDescriptor;
+var __getOwnPropDescs = Object.getOwnPropertyDescriptors;
 var __getOwnPropNames = Object.getOwnPropertyNames;
 var __getOwnPropSymbols = Object.getOwnPropertySymbols;
 var __getProtoOf = Object.getPrototypeOf;
@@ -18,6 +20,7 @@ var __spreadValues = (a, b) => {
     }
   return a;
 };
+var __spreadProps = (a, b) => __defProps(a, __getOwnPropDescs(b));
 var __markAsModule = (target) => __defProp(target, "__esModule", { value: true });
 var __export = (target, all) => {
   __markAsModule(target);
@@ -75,8 +78,7 @@ var commonCliOptions = {
   },
   envFile: {
     string: true,
-    describe: ".env file",
-    default: ".env"
+    describe: ".env file"
   },
   ignoreMissingEnvFile: {
     boolean: true,
@@ -99,6 +101,14 @@ var commonCliOptions = {
     boolean: true,
     describe: "Be verbose"
   },
+  encryptedSecretsFile: {
+    string: true,
+    describe: "filename of json file for reading encrypted secrets"
+  },
+  jsonFilter: {
+    string: true,
+    describe: "dot separated filter path, for example a.b.c will return { a: { b: { c: ... }}}"
+  },
   yes: {
     boolean: true,
     describe: "Proceeds without confirmation"
@@ -321,11 +331,11 @@ __export(decryptSecCommand_exports, {
   desc: () => desc2,
   handler: () => handler2
 });
-var import_client_kms = __toModule(require("@aws-sdk/client-kms"));
-var import_chalk2 = __toModule(require("chalk"));
-var import_dotenv = __toModule(require("dotenv"));
 var import_node_fs = __toModule(require("node:fs"));
 var import_node_path = __toModule(require("node:path"));
+var import_client_kms2 = __toModule(require("@aws-sdk/client-kms"));
+var import_chalk2 = __toModule(require("chalk"));
+var import_dotenv = __toModule(require("dotenv"));
 // src/utils/io.ts
 var import_promises = __toModule(require("fs/promises"));
@@ -357,6 +367,27 @@ var promptOverwriteIfFileExists = async ({
   return overwriteResponse;
 };
+// src/utils/kms.ts
+var import_client_kms = __toModule(require("@aws-sdk/client-kms"));
+var getKMSClient = ({
+  configuration
+}) => {
+  const kmsClient = new import_client_kms.KMSClient(configuration);
+  return kmsClient;
+};
+var getEncryptionAlgorithm = async (kmsClient, awsKeyAlias) => {
+  var _a, _b;
+  const describeKeyCommand = new import_client_kms.DescribeKeyCommand({
+    KeyId: awsKeyAlias
+  });
+  const describeKeyResult = await kmsClient.send(describeKeyCommand);
+  const encryptionAlgorithm = (_b = (_a = describeKeyResult.KeyMetadata) == null ? void 0 : _a.EncryptionAlgorithms) == null ? void 0 : _b[0];
+  if (encryptionAlgorithm === void 0) {
+    throw new Error(`Could not determine encryption algorithm`);
+  }
+  return encryptionAlgorithm;
+};
 // src/commands/decryptSecCommand.ts
 var command2 = "decrypt-sec";
 var desc2 = "Decrypts a dotsec file";
@@ -365,7 +396,7 @@ var builder2 = {
   "aws-region": commonCliOptions.awsRegion,
   "aws-key-alias": commonCliOptions.awsKeyAlias,
   "assume-role-arn": commonCliOptions.awsAssumeRoleArn,
-  "env-file": commonCliOptions.envFile,
+  "env-file": __spreadProps(__spreadValues({}, commonCliOptions.envFile), { default: "env" }),
   "sec-file": commonCliOptions.secFile,
   verbose: commonCliOptions.verbose
 };
@@ -381,15 +412,16 @@ var handler2 = async (argv) => {
       return;
     }
     const parsedSec = (0, import_dotenv.parse)(import_node_fs.default.readFileSync(secSource, { encoding: "utf8" }));
-    const kmsClient = new import_client_kms.KMSClient({
+    const kmsClient = new import_client_kms2.KMSClient({
       credentials: credentialsAndOrigin.value,
       region: regionAndOrigin.value
     });
+    const encryptionAlgorithm = await getEncryptionAlgorithm(kmsClient, argv.awsKeyAlias);
     const envEntries = await Promise.all(Object.entries(parsedSec).map(async ([key, cipherText]) => {
-      const decryptCommand = new import_client_kms.DecryptCommand({
+      const decryptCommand = new import_client_kms2.DecryptCommand({
         KeyId: argv.awsKeyAlias,
         CiphertextBlob: Buffer.from(cipherText, "base64"),
-        EncryptionAlgorithm: "RSAES_OAEP_SHA_256"
+        EncryptionAlgorithm: encryptionAlgorithm
       });
       const decryptionResult = await kmsClient.send(decryptCommand);
       if (!(decryptionResult == null ? void 0 : decryptionResult.Plaintext)) {
@@ -416,22 +448,11 @@ __export(decryptSecretsJson_exports, {
   desc: () => desc3,
   handler: () => handler3
 });
+var import_node_fs2 = __toModule(require("node:fs"));
+var import_node_path2 = __toModule(require("node:path"));
 var import_client_kms3 = __toModule(require("@aws-sdk/client-kms"));
 var import_chalk3 = __toModule(require("chalk"));
 var import_flat = __toModule(require("flat"));
-var import_node_fs2 = __toModule(require("node:fs"));
-var import_node_path2 = __toModule(require("node:path"));
-// src/utils/kms.ts
-var import_client_kms2 = __toModule(require("@aws-sdk/client-kms"));
-var getKMSClient = ({
-  configuration
-}) => {
-  const kmsClient = new import_client_kms2.KMSClient(configuration);
-  return kmsClient;
-};
-// src/commands/decryptSecretsJson.ts
 var command3 = "decrypt-secrets-json";
 var desc3 = "Derypts an encrypted file";
 var builder3 = {
@@ -443,11 +464,9 @@ var builder3 = {
     describe: "filename of json file writing secrets",
     default: "secrets.json"
   },
-  "encrypted-secrets-file": {
-    string: true,
-    describe: "filename of json file for reading encrypted secrets",
+  "encrypted-secrets-file": __spreadProps(__spreadValues({}, commonCliOptions.encryptedSecretsFile), {
     default: "secrets.encrypted.json"
-  },
+  }),
   "assume-role-arn": commonCliOptions.awsAssumeRoleArn,
   verbose: commonCliOptions.verbose,
   yes: __spreadValues({}, commonCliOptions.yes)
@@ -484,11 +503,12 @@ var handler3 = async (argv) => {
       const describeKeyResult = await kmsClient.send(describeKeyCommand);
       console.log("describeKeyResult", { describeKeyResult });
     }
+    const encryptionAlgorithm = await getEncryptionAlgorithm(kmsClient, argv.awsKeyAlias);
     const flatParameters = Object.fromEntries(await Promise.all(Object.entries(flatEncryptedParameters).map(async ([parameterName, encryptedParameter]) => {
       const decryptCommand = new import_client_kms3.DecryptCommand({
         KeyId: argv.awsKeyAlias,
         CiphertextBlob: Buffer.from(encryptedParameter, "base64"),
-        EncryptionAlgorithm: "RSAES_OAEP_SHA_256"
+        EncryptionAlgorithm: encryptionAlgorithm
       });
       const decryptionResult = await kmsClient.send(decryptCommand);
       if (!decryptionResult.Plaintext) {
@@ -533,9 +553,34 @@ __export(defaultCommand_exports, {
 var import_node_fs3 = __toModule(require("node:fs"));
 var import_node_path3 = __toModule(require("node:path"));
 var import_client_kms4 = __toModule(require("@aws-sdk/client-kms"));
-var import_chalk4 = __toModule(require("chalk"));
+var import_chalk5 = __toModule(require("chalk"));
+var import_constant_case = __toModule(require("constant-case"));
 var import_cross_spawn = __toModule(require("cross-spawn"));
 var import_dotenv2 = __toModule(require("dotenv"));
+var import_flat2 = __toModule(require("flat"));
+// src/lib/encryptedSecrets.ts
+var import_fs = __toModule(require("fs"));
+var import_path = __toModule(require("path"));
+var import_chalk4 = __toModule(require("chalk"));
+var loadEncryptedSecrets = async ({
+  encryptedSecretsFile
+}) => {
+  const encryptedSecretsPath = import_path.default.resolve(process.cwd(), encryptedSecretsFile);
+  if (!await fileExists(encryptedSecretsPath)) {
+    throw new Error(`Could not open ${(0, import_chalk4.redBright)(encryptedSecretsPath)}`);
+  }
+  const encryptedSecrets = JSON.parse(import_fs.default.readFileSync(encryptedSecretsPath, { encoding: "utf8" }));
+  if (!encryptedSecrets) {
+    throw new Error(`No encrypted secrets found in ${(0, import_chalk4.redBright)(encryptedSecretsPath)}`);
+  }
+  if (!encryptedSecrets.encryptedParameters) {
+    throw new Error(`Expected 'encryptedParameters' property, but got none`);
+  }
+  return encryptedSecrets;
+};
+// src/commands/defaultCommand.ts
 var command4 = "$0 <command>";
 var desc4 = "Decrypts a .sec file, injects the results into a separate process and runs a command";
 var builder4 = {
@@ -547,6 +592,8 @@ var builder4 = {
   "ignore-missing-env-file": commonCliOptions.ignoreMissingEnvFile,
   "aws-assume-role-arn": commonCliOptions.awsAssumeRoleArn,
   "aws-assume-role-session-duration": commonCliOptions.awsAssumeRoleSessionDuration,
+  "encrypted-secrets-file": commonCliOptions.encryptedSecretsFile,
+  "json-filter": commonCliOptions.jsonFilter,
   verbose: commonCliOptions.verbose,
   command: { string: true, required: true }
 };
@@ -558,7 +605,7 @@ var handleSec = async ({
 }) => {
   const secSource = import_node_path3.default.resolve(process.cwd(), secFile);
   if (!await fileExists(secSource)) {
-    console.error(`Could not open ${(0, import_chalk4.redBright)(secSource)}`);
+    console.error(`Could not open ${(0, import_chalk5.redBright)(secSource)}`);
     return;
   }
   const parsedSec = (0, import_dotenv2.parse)(import_node_fs3.default.readFileSync(secSource, { encoding: "utf8" }));
@@ -566,11 +613,59 @@ var handleSec = async ({
     credentials: credentialsAndOrigin.value,
     region: regionAndOrigin.value
   });
+  const encryptionAlgorithm = await getEncryptionAlgorithm(kmsClient, awsKeyAlias);
   const envEntries = await Promise.all(Object.entries(parsedSec).map(async ([key, cipherText]) => {
     const decryptCommand = new import_client_kms4.DecryptCommand({
       KeyId: awsKeyAlias,
       CiphertextBlob: Buffer.from(cipherText, "base64"),
-      EncryptionAlgorithm: "RSAES_OAEP_SHA_256"
+      EncryptionAlgorithm: encryptionAlgorithm
+    });
+    const decryptionResult = await kmsClient.send(decryptCommand);
+    if (!(decryptionResult == null ? void 0 : decryptionResult.Plaintext)) {
+      throw new Error(`No: ${JSON.stringify({
+        key,
+        cipherText,
+        decryptCommand
+      })}`);
+    }
+    const value = Buffer.from(decryptionResult.Plaintext).toString();
+    return [key, value];
+  }));
+  const env = Object.fromEntries(envEntries);
+  return env;
+};
+var handleEncryptedJson = async ({
+  encryptedSecretsFile,
+  jsonFilter,
+  credentialsAndOrigin,
+  regionAndOrigin,
+  awsKeyAlias
+}) => {
+  const encryptedSecrets = await loadEncryptedSecrets({
+    encryptedSecretsFile
+  });
+  const flattened = import_flat2.default.flatten(encryptedSecrets.encryptedParameters, {
+    delimiter: "__",
+    transformKey: (key) => {
+      return (0, import_constant_case.constantCase)(key);
+    }
+  });
+  const kmsClient = new import_client_kms4.KMSClient({
+    credentials: credentialsAndOrigin.value,
+    region: regionAndOrigin.value
+  });
+  const encryptionAlgorithm = await getEncryptionAlgorithm(kmsClient, awsKeyAlias);
+  const filterKey = jsonFilter == null ? void 0 : jsonFilter.split(".").map((part) => (0, import_constant_case.constantCase)(part)).join("__");
+  const envEntries = await Promise.all(Object.entries(flattened).filter(([key]) => {
+    if (filterKey) {
+      return key.indexOf(filterKey) === 0;
+    }
+    return true;
+  }).map(async ([key, cipherText]) => {
+    const decryptCommand = new import_client_kms4.DecryptCommand({
+      KeyId: awsKeyAlias,
+      CiphertextBlob: Buffer.from(cipherText, "base64"),
+      EncryptionAlgorithm: encryptionAlgorithm
     });
     const decryptionResult = await kmsClient.send(decryptCommand);
     if (!(decryptionResult == null ? void 0 : decryptionResult.Plaintext)) {
@@ -589,38 +684,60 @@ var handleSec = async ({
 var handler4 = async (argv) => {
   try {
     let env;
+    let awsEnv;
     try {
       if (argv.envFile) {
         env = (0, import_dotenv2.parse)(import_node_fs3.default.readFileSync(argv.envFile, { encoding: "utf8" }));
+        if (argv.awsAssumeRoleArn || process.env.AWS_ASSUME_ROLE_ARN || (env == null ? void 0 : env.AWS_ASSUME_ROLE_ARN)) {
+          const { credentialsAndOrigin, regionAndOrigin } = await handleCredentialsAndRegion({
+            argv: __spreadValues({}, argv),
+            env: __spreadValues(__spreadValues({}, process.env), env)
+          });
+          awsEnv = {
+            AWS_ACCESS_KEY_ID: credentialsAndOrigin.value.accessKeyId,
+            AWS_SECRET_ACCESS_KEY: credentialsAndOrigin.value.secretAccessKey
+          };
+          if (credentialsAndOrigin.value.sessionToken) {
+            awsEnv.AWS_SESSION_TOKEN = credentialsAndOrigin.value.sessionToken;
+          }
+        }
+      } else {
+        const { credentialsAndOrigin, regionAndOrigin } = await handleCredentialsAndRegion({
+          argv: __spreadValues({}, argv),
+          env: __spreadValues(__spreadValues({}, process.env), env)
+        });
+        if ((argv.awsAssumeRoleArn || process.env.AWS_ASSUME_ROLE_ARN || (env == null ? void 0 : env.AWS_ASSUME_ROLE_ARN)) && credentialsAndOrigin.value.sessionToken !== void 0) {
+          awsEnv = {
+            AWS_ACCESS_KEY_ID: credentialsAndOrigin.value.accessKeyId,
+            AWS_SECRET_ACCESS_KEY: credentialsAndOrigin.value.secretAccessKey,
+            AWS_SESSION_TOKEN: credentialsAndOrigin.value.sessionToken
+          };
+        }
+        if (argv.verbose) {
+          console.log({ credentialsAndOrigin, regionAndOrigin });
+        }
+        if (argv.encryptedSecretsFile) {
+          env = await handleEncryptedJson({
+            encryptedSecretsFile: argv.encryptedSecretsFile,
+            jsonFilter: argv.jsonFilter,
+            credentialsAndOrigin,
+            regionAndOrigin,
+            awsKeyAlias: argv.awsKeyAlias
+          });
+        } else {
+          env = await handleSec({
+            secFile: argv.secFile,
+            credentialsAndOrigin,
+            regionAndOrigin,
+            awsKeyAlias: argv.awsKeyAlias
+          });
+        }
       }
     } catch (e) {
       if (argv.ignoreMissingEnvFile !== true) {
         throw e;
       }
     }
-    let awsEnv;
-    const { credentialsAndOrigin, regionAndOrigin } = await handleCredentialsAndRegion({
-      argv: __spreadValues({}, argv),
-      env: __spreadValues(__spreadValues({}, process.env), env)
-    });
-    if ((argv.awsAssumeRoleArn || process.env.AWS_ASSUME_ROLE_ARN || (env == null ? void 0 : env.AWS_ASSUME_ROLE_ARN)) && credentialsAndOrigin.value.sessionToken !== void 0) {
-      awsEnv = {
-        AWS_ACCESS_KEY_ID: credentialsAndOrigin.value.accessKeyId,
-        AWS_SECRET_ACCESS_KEY: credentialsAndOrigin.value.secretAccessKey,
-        AWS_SESSION_TOKEN: credentialsAndOrigin.value.sessionToken
-      };
-    }
-    if (argv.verbose) {
-      console.log({ credentialsAndOrigin, regionAndOrigin });
-    }
-    if (!argv.envFile && argv.secFile) {
-      env = await handleSec({
-        secFile: argv.secFile,
-        credentialsAndOrigin,
-        regionAndOrigin,
-        awsKeyAlias: argv.awsKeyAlias
-      });
-    }
     const userCommandArgs = process.argv.slice(process.argv.indexOf(argv.command) + 1);
     if (argv.command) {
       (0, import_cross_spawn.spawn)(argv.command, [...userCommandArgs], {
@@ -642,18 +759,18 @@ __export(encryptEnvCommand_exports, {
   desc: () => desc5,
   handler: () => handler5
 });
-var import_client_kms5 = __toModule(require("@aws-sdk/client-kms"));
-var import_chalk5 = __toModule(require("chalk"));
-var import_dotenv3 = __toModule(require("dotenv"));
 var import_node_fs4 = __toModule(require("node:fs"));
 var import_node_path4 = __toModule(require("node:path"));
+var import_client_kms5 = __toModule(require("@aws-sdk/client-kms"));
+var import_chalk6 = __toModule(require("chalk"));
+var import_dotenv3 = __toModule(require("dotenv"));
 var command5 = "encrypt-env";
 var desc5 = "Encrypts a dotenv file";
 var builder5 = {
   "aws-profile": commonCliOptions.awsProfile,
   "aws-region": commonCliOptions.awsRegion,
   "aws-key-alias": commonCliOptions.awsKeyAlias,
-  "env-file": commonCliOptions.envFile,
+  "env-file": __spreadProps(__spreadValues({}, commonCliOptions.envFile), { default: ".env" }),
   "sec-file": commonCliOptions.secFile,
   "assume-role-arn": commonCliOptions.awsAssumeRoleArn,
   verbose: commonCliOptions.verbose
@@ -667,7 +784,7 @@ var handler5 = async (argv) => {
     });
     const envSource = import_node_path4.default.resolve(process.cwd(), argv.envFile);
     if (!await fileExists(envSource)) {
-      error(`Could not open ${(0, import_chalk5.redBright)(envSource)}`);
+      error(`Could not open ${(0, import_chalk6.redBright)(envSource)}`);
       return;
     }
     const parsedEnv = (0, import_dotenv3.parse)(import_node_fs4.default.readFileSync(envSource, { encoding: "utf8" }));
@@ -678,6 +795,7 @@ var handler5 = async (argv) => {
       },
       verbose: argv.verbose
     });
+    const encryptionAlgorithm = await getEncryptionAlgorithm(kmsClient, argv.awsKeyAlias);
     if (argv.verbose) {
       info(`Encrypting using key alias ${bold(argv.awsKeyAlias)} in ${bold(await kmsClient.config.region())}`);
       const describeKeyCommand = new import_client_kms5.DescribeKeyCommand({
@@ -690,7 +808,7 @@ var handler5 = async (argv) => {
       const encryptCommand = new import_client_kms5.EncryptCommand({
         KeyId: argv.awsKeyAlias,
         Plaintext: Buffer.from(value),
-        EncryptionAlgorithm: "RSAES_OAEP_SHA_256"
+        EncryptionAlgorithm: encryptionAlgorithm
       });
       const encryptionResult = await kmsClient.send(encryptCommand);
       if (!encryptionResult.CiphertextBlob) {
@@ -723,8 +841,8 @@ __export(encryptSecretsJson_exports, {
 var import_node_fs5 = __toModule(require("node:fs"));
 var import_node_path5 = __toModule(require("node:path"));
 var import_client_kms6 = __toModule(require("@aws-sdk/client-kms"));
-var import_chalk6 = __toModule(require("chalk"));
-var import_flat2 = __toModule(require("flat"));
+var import_chalk7 = __toModule(require("chalk"));
+var import_flat3 = __toModule(require("flat"));
 var command6 = "encrypt-secrets-json";
 var desc6 = "Encrypts an unencrypted file";
 var builder6 = {
@@ -754,14 +872,14 @@ var handler6 = async (argv) => {
     });
     const secretsPath = import_node_path5.default.resolve(process.cwd(), argv.secretsFile);
     if (!await fileExists(secretsPath)) {
-      error(`Could not open ${(0, import_chalk6.redBright)(secretsPath)}`);
+      error(`Could not open ${(0, import_chalk7.redBright)(secretsPath)}`);
       return;
     }
     const secrets = JSON.parse(import_node_fs5.default.readFileSync(secretsPath, { encoding: "utf8" }));
     if (!secrets.parameters) {
       throw new Error(`Expected 'parameters' property, but got none`);
     }
-    const flatParameters = (0, import_flat2.default)(secrets.parameters, { delimiter: "/" });
+    const flatParameters = (0, import_flat3.default)(secrets.parameters, { delimiter: "/" });
     if (argv.verbose) {
       console.log(flatParameters);
     }
@@ -780,11 +898,12 @@ var handler6 = async (argv) => {
       const describeKeyResult = await kmsClient.send(describeKeyCommand);
       console.log("describeKeyResult", { describeKeyResult });
     }
+    const encryptionAlgorithm = await getEncryptionAlgorithm(kmsClient, argv.awsKeyAlias);
     const encryptedFlatParameters = Object.fromEntries(await Promise.all(Object.entries(flatParameters).map(async ([parameterName, parameter]) => {
       const encryptCommand = new import_client_kms6.EncryptCommand({
         KeyId: argv.awsKeyAlias,
         Plaintext: Buffer.from(parameter),
-        EncryptionAlgorithm: "RSAES_OAEP_SHA_256"
+        EncryptionAlgorithm: encryptionAlgorithm
       });
       const encryptionResult = await kmsClient.send(encryptCommand);
       if (!encryptionResult.CiphertextBlob) {
@@ -800,7 +919,7 @@ var handler6 = async (argv) => {
       const cipherText = Buffer.from(encryptionResult.CiphertextBlob).toString("base64");
       return [parameterName, cipherText];
     })));
-    const encryptedParameters = import_flat2.default.unflatten(encryptedFlatParameters, { delimiter: "/" });
+    const encryptedParameters = import_flat3.default.unflatten(encryptedFlatParameters, { delimiter: "/" });
     const encryptedSecrets = {
       config: secrets.config,
       encryptedParameters
@@ -826,12 +945,12 @@ __export(offloadToSSMCommand_exports, {
   desc: () => desc7,
   handler: () => handler7
 });
-var import_client_kms7 = __toModule(require("@aws-sdk/client-kms"));
-var import_client_ssm3 = __toModule(require("@aws-sdk/client-ssm"));
-var import_chalk7 = __toModule(require("chalk"));
-var import_flat3 = __toModule(require("flat"));
 var import_node_fs6 = __toModule(require("node:fs"));
 var import_node_path6 = __toModule(require("node:path"));
+var import_client_kms7 = __toModule(require("@aws-sdk/client-kms"));
+var import_client_ssm3 = __toModule(require("@aws-sdk/client-ssm"));
+var import_chalk8 = __toModule(require("chalk"));
+var import_flat4 = __toModule(require("flat"));
 var command7 = "offload-secrets-json-to-ssm";
 var desc7 = "Sends decrypted values of secrets.encrypted.json file to SSM parameter store";
 var builder7 = {
@@ -856,14 +975,14 @@ var handler7 = async (argv) => {
     });
     const encryptedSecretsPath = import_node_path6.default.resolve(process.cwd(), argv.encryptedSecretsFile);
     if (!await fileExists(encryptedSecretsPath)) {
-      error(`Could not open ${(0, import_chalk7.redBright)(encryptedSecretsPath)}`);
+      error(`Could not open ${(0, import_chalk8.redBright)(encryptedSecretsPath)}`);
       return;
     }
     const encryptedSecrets = JSON.parse(import_node_fs6.default.readFileSync(encryptedSecretsPath, { encoding: "utf8" }));
     if (!encryptedSecrets.encryptedParameters) {
       throw new Error(`Expected 'encryptedParameters' property, but got none`);
     }
-    const flatEncryptedParameters = (0, import_flat3.default)(encryptedSecrets.encryptedParameters, { delimiter: "/" });
+    const flatEncryptedParameters = (0, import_flat4.default)(encryptedSecrets.encryptedParameters, { delimiter: "/" });
     const kmsClient = getKMSClient({
       configuration: {
         credentials: credentialsAndOrigin.value,
@@ -873,17 +992,13 @@ var handler7 = async (argv) => {
     });
     if (argv.verbose) {
       info(`Encrypting using key alias ${bold(argv.awsKeyAlias)} in ${bold(await kmsClient.config.region())}`);
-      const describeKeyCommand = new import_client_kms7.DescribeKeyCommand({
-        KeyId: argv.awsKeyAlias
-      });
-      const describeKeyResult = await kmsClient.send(describeKeyCommand);
-      console.log("describeKeyResult", { describeKeyResult });
     }
+    const encryptionAlgorithm = await getEncryptionAlgorithm(kmsClient, argv.awsKeyAlias);
     const flatParameters = Object.fromEntries(await Promise.all(Object.entries(flatEncryptedParameters).map(async ([parameterName, encryptedParameter]) => {
       const decryptCommand = new import_client_kms7.DecryptCommand({
         KeyId: argv.awsKeyAlias,
         CiphertextBlob: Buffer.from(encryptedParameter, "base64"),
-        EncryptionAlgorithm: "RSAES_OAEP_SHA_256"
+        EncryptionAlgorithm: encryptionAlgorithm
       });
       const decryptionResult = await kmsClient.send(decryptCommand);
       if (!decryptionResult.Plaintext) {