dotsec 0.9.0 → 0.10.1-alpha.1
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/dist/cli.js +325 -95
- package/dist/cli.js.map +3 -3
- package/dist/esm/cli.js +344 -111
- package/dist/esm/cli.js.map +3 -3
- package/package.json +6 -2
package/dist/cli.js
CHANGED
|
@@ -1,6 +1,8 @@
|
|
|
1
1
|
var __create = Object.create;
|
|
2
2
|
var __defProp = Object.defineProperty;
|
|
3
|
+
var __defProps = Object.defineProperties;
|
|
3
4
|
var __getOwnPropDesc = Object.getOwnPropertyDescriptor;
|
|
5
|
+
var __getOwnPropDescs = Object.getOwnPropertyDescriptors;
|
|
4
6
|
var __getOwnPropNames = Object.getOwnPropertyNames;
|
|
5
7
|
var __getOwnPropSymbols = Object.getOwnPropertySymbols;
|
|
6
8
|
var __getProtoOf = Object.getPrototypeOf;
|
|
@@ -18,6 +20,7 @@ var __spreadValues = (a, b) => {
|
|
|
18
20
|
}
|
|
19
21
|
return a;
|
|
20
22
|
};
|
|
23
|
+
var __spreadProps = (a, b) => __defProps(a, __getOwnPropDescs(b));
|
|
21
24
|
var __markAsModule = (target) => __defProp(target, "__esModule", { value: true });
|
|
22
25
|
var __export = (target, all) => {
|
|
23
26
|
__markAsModule(target);
|
|
@@ -62,7 +65,6 @@ var commonCliOptions = {
|
|
|
62
65
|
},
|
|
63
66
|
awsKeyAlias: {
|
|
64
67
|
string: true,
|
|
65
|
-
default: "alias/top-secret",
|
|
66
68
|
describe: "AWS KMS key alias"
|
|
67
69
|
},
|
|
68
70
|
awsKeyArn: {
|
|
@@ -75,8 +77,7 @@ var commonCliOptions = {
|
|
|
75
77
|
},
|
|
76
78
|
envFile: {
|
|
77
79
|
string: true,
|
|
78
|
-
describe: ".env file"
|
|
79
|
-
default: ".env"
|
|
80
|
+
describe: ".env file"
|
|
80
81
|
},
|
|
81
82
|
ignoreMissingEnvFile: {
|
|
82
83
|
boolean: true,
|
|
@@ -99,6 +100,14 @@ var commonCliOptions = {
|
|
|
99
100
|
boolean: true,
|
|
100
101
|
describe: "Be verbose"
|
|
101
102
|
},
|
|
103
|
+
encryptedSecretsFile: {
|
|
104
|
+
string: true,
|
|
105
|
+
describe: "filename of json file for reading encrypted secrets"
|
|
106
|
+
},
|
|
107
|
+
jsonFilter: {
|
|
108
|
+
string: true,
|
|
109
|
+
describe: "dot separated filter path, for example a.b.c will return { a: { b: { c: ... }}}"
|
|
110
|
+
},
|
|
102
111
|
yes: {
|
|
103
112
|
boolean: true,
|
|
104
113
|
describe: "Proceeds without confirmation"
|
|
@@ -321,11 +330,11 @@ __export(decryptSecCommand_exports, {
|
|
|
321
330
|
desc: () => desc2,
|
|
322
331
|
handler: () => handler2
|
|
323
332
|
});
|
|
324
|
-
var import_client_kms = __toModule(require("@aws-sdk/client-kms"));
|
|
325
|
-
var import_chalk2 = __toModule(require("chalk"));
|
|
326
|
-
var import_dotenv = __toModule(require("dotenv"));
|
|
327
333
|
var import_node_fs = __toModule(require("node:fs"));
|
|
328
334
|
var import_node_path = __toModule(require("node:path"));
|
|
335
|
+
var import_client_kms2 = __toModule(require("@aws-sdk/client-kms"));
|
|
336
|
+
var import_chalk2 = __toModule(require("chalk"));
|
|
337
|
+
var import_dotenv = __toModule(require("dotenv"));
|
|
329
338
|
|
|
330
339
|
// src/utils/io.ts
|
|
331
340
|
var import_promises = __toModule(require("fs/promises"));
|
|
@@ -357,6 +366,27 @@ var promptOverwriteIfFileExists = async ({
|
|
|
357
366
|
return overwriteResponse;
|
|
358
367
|
};
|
|
359
368
|
|
|
369
|
+
// src/utils/kms.ts
|
|
370
|
+
var import_client_kms = __toModule(require("@aws-sdk/client-kms"));
|
|
371
|
+
var getKMSClient = ({
|
|
372
|
+
configuration
|
|
373
|
+
}) => {
|
|
374
|
+
const kmsClient = new import_client_kms.KMSClient(configuration);
|
|
375
|
+
return kmsClient;
|
|
376
|
+
};
|
|
377
|
+
var getEncryptionAlgorithm = async (kmsClient, awsKeyAlias) => {
|
|
378
|
+
var _a, _b;
|
|
379
|
+
const describeKeyCommand = new import_client_kms.DescribeKeyCommand({
|
|
380
|
+
KeyId: awsKeyAlias
|
|
381
|
+
});
|
|
382
|
+
const describeKeyResult = await kmsClient.send(describeKeyCommand);
|
|
383
|
+
const encryptionAlgorithm = (_b = (_a = describeKeyResult.KeyMetadata) == null ? void 0 : _a.EncryptionAlgorithms) == null ? void 0 : _b[0];
|
|
384
|
+
if (encryptionAlgorithm === void 0) {
|
|
385
|
+
throw new Error(`Could not determine encryption algorithm`);
|
|
386
|
+
}
|
|
387
|
+
return encryptionAlgorithm;
|
|
388
|
+
};
|
|
389
|
+
|
|
360
390
|
// src/commands/decryptSecCommand.ts
|
|
361
391
|
var command2 = "decrypt-sec";
|
|
362
392
|
var desc2 = "Decrypts a dotsec file";
|
|
@@ -365,7 +395,7 @@ var builder2 = {
|
|
|
365
395
|
"aws-region": commonCliOptions.awsRegion,
|
|
366
396
|
"aws-key-alias": commonCliOptions.awsKeyAlias,
|
|
367
397
|
"assume-role-arn": commonCliOptions.awsAssumeRoleArn,
|
|
368
|
-
"env-file": commonCliOptions.envFile,
|
|
398
|
+
"env-file": __spreadProps(__spreadValues({}, commonCliOptions.envFile), { default: "env" }),
|
|
369
399
|
"sec-file": commonCliOptions.secFile,
|
|
370
400
|
verbose: commonCliOptions.verbose
|
|
371
401
|
};
|
|
@@ -381,15 +411,16 @@ var handler2 = async (argv) => {
|
|
|
381
411
|
return;
|
|
382
412
|
}
|
|
383
413
|
const parsedSec = (0, import_dotenv.parse)(import_node_fs.default.readFileSync(secSource, { encoding: "utf8" }));
|
|
384
|
-
const kmsClient = new
|
|
414
|
+
const kmsClient = new import_client_kms2.KMSClient({
|
|
385
415
|
credentials: credentialsAndOrigin.value,
|
|
386
416
|
region: regionAndOrigin.value
|
|
387
417
|
});
|
|
418
|
+
const encryptionAlgorithm = await getEncryptionAlgorithm(kmsClient, argv.awsKeyAlias);
|
|
388
419
|
const envEntries = await Promise.all(Object.entries(parsedSec).map(async ([key, cipherText]) => {
|
|
389
|
-
const decryptCommand = new
|
|
420
|
+
const decryptCommand = new import_client_kms2.DecryptCommand({
|
|
390
421
|
KeyId: argv.awsKeyAlias,
|
|
391
422
|
CiphertextBlob: Buffer.from(cipherText, "base64"),
|
|
392
|
-
EncryptionAlgorithm:
|
|
423
|
+
EncryptionAlgorithm: encryptionAlgorithm
|
|
393
424
|
});
|
|
394
425
|
const decryptionResult = await kmsClient.send(decryptCommand);
|
|
395
426
|
if (!(decryptionResult == null ? void 0 : decryptionResult.Plaintext)) {
|
|
@@ -416,50 +447,112 @@ __export(decryptSecretsJson_exports, {
|
|
|
416
447
|
desc: () => desc3,
|
|
417
448
|
handler: () => handler3
|
|
418
449
|
});
|
|
450
|
+
var import_node_fs2 = __toModule(require("node:fs"));
|
|
451
|
+
var import_node_path3 = __toModule(require("node:path"));
|
|
419
452
|
var import_client_kms3 = __toModule(require("@aws-sdk/client-kms"));
|
|
420
453
|
var import_chalk3 = __toModule(require("chalk"));
|
|
421
454
|
var import_flat = __toModule(require("flat"));
|
|
422
|
-
var import_node_fs2 = __toModule(require("node:fs"));
|
|
423
|
-
var import_node_path2 = __toModule(require("node:path"));
|
|
424
455
|
|
|
425
|
-
// src/
|
|
426
|
-
var
|
|
427
|
-
var
|
|
428
|
-
|
|
429
|
-
|
|
430
|
-
|
|
431
|
-
|
|
456
|
+
// src/lib/config.ts
|
|
457
|
+
var import_fs = __toModule(require("fs"));
|
|
458
|
+
var import_node_path2 = __toModule(require("node:path"));
|
|
459
|
+
var import_bundle_require = __toModule(require("bundle-require"));
|
|
460
|
+
var import_joycon = __toModule(require("joycon"));
|
|
461
|
+
var defaultConfig = {
|
|
462
|
+
aws: {
|
|
463
|
+
keyAlias: "alias/top-secret"
|
|
464
|
+
}
|
|
465
|
+
};
|
|
466
|
+
function jsoncParse(data) {
|
|
467
|
+
try {
|
|
468
|
+
return new Function("return " + data.trim())();
|
|
469
|
+
} catch {
|
|
470
|
+
return {};
|
|
471
|
+
}
|
|
472
|
+
}
|
|
473
|
+
var loadJson = async (filepath) => {
|
|
474
|
+
try {
|
|
475
|
+
return jsoncParse(await import_fs.default.promises.readFile(filepath, "utf8"));
|
|
476
|
+
} catch (error) {
|
|
477
|
+
if (error instanceof Error) {
|
|
478
|
+
throw new Error(`Failed to parse ${import_node_path2.default.relative(process.cwd(), filepath)}: ${error.message}`);
|
|
479
|
+
} else {
|
|
480
|
+
throw error;
|
|
481
|
+
}
|
|
482
|
+
}
|
|
483
|
+
};
|
|
484
|
+
var getConfig = async () => {
|
|
485
|
+
const cwd = process.cwd();
|
|
486
|
+
const configJoycon = new import_joycon.default();
|
|
487
|
+
const configPath = await configJoycon.resolve({
|
|
488
|
+
files: [
|
|
489
|
+
"dotsec.config.ts",
|
|
490
|
+
"dotsec.config.js",
|
|
491
|
+
"dotsec.config.cjs",
|
|
492
|
+
"dotsec.config.mjs",
|
|
493
|
+
"dotsec.config.json",
|
|
494
|
+
"package.json"
|
|
495
|
+
],
|
|
496
|
+
cwd,
|
|
497
|
+
stopDir: import_node_path2.default.parse(cwd).root,
|
|
498
|
+
packageKey: "dotsec"
|
|
499
|
+
});
|
|
500
|
+
if (configPath) {
|
|
501
|
+
if (configPath.endsWith(".json")) {
|
|
502
|
+
const rawData = await loadJson(configPath);
|
|
503
|
+
let data;
|
|
504
|
+
if (configPath.endsWith("package.json") && rawData.dotsec !== void 0) {
|
|
505
|
+
data = rawData.dotsec;
|
|
506
|
+
} else {
|
|
507
|
+
data = rawData;
|
|
508
|
+
}
|
|
509
|
+
return __spreadProps(__spreadValues(__spreadValues({}, defaultConfig), data), {
|
|
510
|
+
aws: __spreadValues(__spreadValues({}, defaultConfig.aws), data.aws)
|
|
511
|
+
});
|
|
512
|
+
}
|
|
513
|
+
const config = await (0, import_bundle_require.bundleRequire)({
|
|
514
|
+
filepath: configPath
|
|
515
|
+
});
|
|
516
|
+
const retrievedConfig = config.mod.dotsec || config.mod.default || config.mod;
|
|
517
|
+
return __spreadValues(__spreadValues({}, defaultConfig), retrievedConfig);
|
|
518
|
+
}
|
|
519
|
+
return __spreadValues({}, defaultConfig);
|
|
432
520
|
};
|
|
433
521
|
|
|
434
522
|
// src/commands/decryptSecretsJson.ts
|
|
435
523
|
var command3 = "decrypt-secrets-json";
|
|
436
524
|
var desc3 = "Derypts an encrypted file";
|
|
437
525
|
var builder3 = {
|
|
438
|
-
"aws-profile": commonCliOptions.awsProfile,
|
|
439
|
-
"aws-region": commonCliOptions.awsRegion,
|
|
440
|
-
"aws-key-alias": commonCliOptions.awsKeyAlias,
|
|
441
526
|
"secrets-file": {
|
|
442
527
|
string: true,
|
|
443
528
|
describe: "filename of json file writing secrets",
|
|
444
529
|
default: "secrets.json"
|
|
445
530
|
},
|
|
446
|
-
"encrypted-secrets-file": {
|
|
447
|
-
string: true,
|
|
448
|
-
describe: "filename of json file for reading encrypted secrets",
|
|
531
|
+
"encrypted-secrets-file": __spreadProps(__spreadValues({}, commonCliOptions.encryptedSecretsFile), {
|
|
449
532
|
default: "secrets.encrypted.json"
|
|
450
|
-
},
|
|
451
|
-
"
|
|
533
|
+
}),
|
|
534
|
+
"aws-profile": commonCliOptions.awsProfile,
|
|
535
|
+
"aws-region": commonCliOptions.awsRegion,
|
|
536
|
+
"aws-key-alias": commonCliOptions.awsKeyAlias,
|
|
537
|
+
"aws-assume-role-arn": commonCliOptions.awsAssumeRoleArn,
|
|
538
|
+
"aws-assume-role-session-duration": commonCliOptions.awsAssumeRoleSessionDuration,
|
|
452
539
|
verbose: commonCliOptions.verbose,
|
|
453
540
|
yes: __spreadValues({}, commonCliOptions.yes)
|
|
454
541
|
};
|
|
455
542
|
var handler3 = async (argv) => {
|
|
456
543
|
const { info, error } = getLogger();
|
|
544
|
+
const config = await getConfig();
|
|
457
545
|
try {
|
|
458
546
|
const { credentialsAndOrigin, regionAndOrigin } = await handleCredentialsAndRegion({
|
|
459
|
-
argv: __spreadValues({}, argv),
|
|
547
|
+
argv: __spreadProps(__spreadValues({}, argv), {
|
|
548
|
+
awsRegion: config.aws.region || argv.awsRegion,
|
|
549
|
+
awsProfile: config.aws.profile || argv.awsProfile,
|
|
550
|
+
awsAssumeRoleArn: config.aws.assumeRoleArn || argv.awsAssumeRoleArn,
|
|
551
|
+
awsAssumeRoleSessionDuration: config.aws.assumeRoleSessionDuration || argv.awsAssumeRoleSessionDuration
|
|
552
|
+
}),
|
|
460
553
|
env: __spreadValues({}, process.env)
|
|
461
554
|
});
|
|
462
|
-
const encryptedSecretsPath =
|
|
555
|
+
const encryptedSecretsPath = import_node_path3.default.resolve(process.cwd(), argv.encryptedSecretsFile);
|
|
463
556
|
if (!await fileExists(encryptedSecretsPath)) {
|
|
464
557
|
error(`Could not open ${(0, import_chalk3.redBright)(encryptedSecretsPath)}`);
|
|
465
558
|
return;
|
|
@@ -476,19 +569,21 @@ var handler3 = async (argv) => {
|
|
|
476
569
|
},
|
|
477
570
|
verbose: argv.verbose
|
|
478
571
|
});
|
|
572
|
+
const awsKeyAlias = argv.awsKeyAlias || config.aws.keyAlias;
|
|
479
573
|
if (argv.verbose) {
|
|
480
|
-
info(`Encrypting using key alias ${bold(
|
|
574
|
+
info(`Encrypting using key alias ${bold(awsKeyAlias)} in ${bold(await kmsClient.config.region())}`);
|
|
481
575
|
const describeKeyCommand = new import_client_kms3.DescribeKeyCommand({
|
|
482
|
-
KeyId:
|
|
576
|
+
KeyId: awsKeyAlias
|
|
483
577
|
});
|
|
484
578
|
const describeKeyResult = await kmsClient.send(describeKeyCommand);
|
|
485
|
-
|
|
579
|
+
info("keyMetaData", __spreadValues({}, describeKeyResult.KeyMetadata));
|
|
486
580
|
}
|
|
581
|
+
const encryptionAlgorithm = await getEncryptionAlgorithm(kmsClient, awsKeyAlias);
|
|
487
582
|
const flatParameters = Object.fromEntries(await Promise.all(Object.entries(flatEncryptedParameters).map(async ([parameterName, encryptedParameter]) => {
|
|
488
583
|
const decryptCommand = new import_client_kms3.DecryptCommand({
|
|
489
584
|
KeyId: argv.awsKeyAlias,
|
|
490
585
|
CiphertextBlob: Buffer.from(encryptedParameter, "base64"),
|
|
491
|
-
EncryptionAlgorithm:
|
|
586
|
+
EncryptionAlgorithm: encryptionAlgorithm
|
|
492
587
|
});
|
|
493
588
|
const decryptionResult = await kmsClient.send(decryptCommand);
|
|
494
589
|
if (!decryptionResult.Plaintext) {
|
|
@@ -501,6 +596,13 @@ var handler3 = async (argv) => {
|
|
|
501
596
|
if (argv.verbose) {
|
|
502
597
|
info(`Encrypting key ${bold(parameterName)} ${underline("ok")}`);
|
|
503
598
|
}
|
|
599
|
+
const plaintext = Buffer.from(decryptionResult.Plaintext).toString();
|
|
600
|
+
try {
|
|
601
|
+
const jsonObject = JSON.parse(plaintext);
|
|
602
|
+
return [parameterName, jsonObject];
|
|
603
|
+
} catch (e) {
|
|
604
|
+
console.log("NOPES", plaintext);
|
|
605
|
+
}
|
|
504
606
|
const value = Buffer.from(decryptionResult.Plaintext).toString();
|
|
505
607
|
return [parameterName, value];
|
|
506
608
|
})));
|
|
@@ -509,7 +611,7 @@ var handler3 = async (argv) => {
|
|
|
509
611
|
config: encryptedSecrets.config,
|
|
510
612
|
parameters
|
|
511
613
|
};
|
|
512
|
-
const secretsPath =
|
|
614
|
+
const secretsPath = import_node_path3.default.resolve(process.cwd(), argv.secretsFile);
|
|
513
615
|
const overwriteResponse = await promptOverwriteIfFileExists({
|
|
514
616
|
filePath: secretsPath,
|
|
515
617
|
skip: argv.yes
|
|
@@ -531,11 +633,36 @@ __export(defaultCommand_exports, {
|
|
|
531
633
|
handler: () => handler4
|
|
532
634
|
});
|
|
533
635
|
var import_node_fs3 = __toModule(require("node:fs"));
|
|
534
|
-
var
|
|
636
|
+
var import_node_path4 = __toModule(require("node:path"));
|
|
535
637
|
var import_client_kms4 = __toModule(require("@aws-sdk/client-kms"));
|
|
536
|
-
var
|
|
638
|
+
var import_chalk5 = __toModule(require("chalk"));
|
|
639
|
+
var import_constant_case = __toModule(require("constant-case"));
|
|
537
640
|
var import_cross_spawn = __toModule(require("cross-spawn"));
|
|
538
641
|
var import_dotenv2 = __toModule(require("dotenv"));
|
|
642
|
+
var import_flat2 = __toModule(require("flat"));
|
|
643
|
+
|
|
644
|
+
// src/lib/encryptedSecrets.ts
|
|
645
|
+
var import_fs2 = __toModule(require("fs"));
|
|
646
|
+
var import_path = __toModule(require("path"));
|
|
647
|
+
var import_chalk4 = __toModule(require("chalk"));
|
|
648
|
+
var loadEncryptedSecrets = async ({
|
|
649
|
+
encryptedSecretsFile
|
|
650
|
+
}) => {
|
|
651
|
+
const encryptedSecretsPath = import_path.default.resolve(process.cwd(), encryptedSecretsFile);
|
|
652
|
+
if (!await fileExists(encryptedSecretsPath)) {
|
|
653
|
+
throw new Error(`Could not open ${(0, import_chalk4.redBright)(encryptedSecretsPath)}`);
|
|
654
|
+
}
|
|
655
|
+
const encryptedSecrets = JSON.parse(import_fs2.default.readFileSync(encryptedSecretsPath, { encoding: "utf8" }));
|
|
656
|
+
if (!encryptedSecrets) {
|
|
657
|
+
throw new Error(`No encrypted secrets found in ${(0, import_chalk4.redBright)(encryptedSecretsPath)}`);
|
|
658
|
+
}
|
|
659
|
+
if (!encryptedSecrets.encryptedParameters) {
|
|
660
|
+
throw new Error(`Expected 'encryptedParameters' property, but got none`);
|
|
661
|
+
}
|
|
662
|
+
return encryptedSecrets;
|
|
663
|
+
};
|
|
664
|
+
|
|
665
|
+
// src/commands/defaultCommand.ts
|
|
539
666
|
var command4 = "$0 <command>";
|
|
540
667
|
var desc4 = "Decrypts a .sec file, injects the results into a separate process and runs a command";
|
|
541
668
|
var builder4 = {
|
|
@@ -547,6 +674,8 @@ var builder4 = {
|
|
|
547
674
|
"ignore-missing-env-file": commonCliOptions.ignoreMissingEnvFile,
|
|
548
675
|
"aws-assume-role-arn": commonCliOptions.awsAssumeRoleArn,
|
|
549
676
|
"aws-assume-role-session-duration": commonCliOptions.awsAssumeRoleSessionDuration,
|
|
677
|
+
"encrypted-secrets-file": commonCliOptions.encryptedSecretsFile,
|
|
678
|
+
"json-filter": commonCliOptions.jsonFilter,
|
|
550
679
|
verbose: commonCliOptions.verbose,
|
|
551
680
|
command: { string: true, required: true }
|
|
552
681
|
};
|
|
@@ -556,9 +685,9 @@ var handleSec = async ({
|
|
|
556
685
|
regionAndOrigin,
|
|
557
686
|
awsKeyAlias
|
|
558
687
|
}) => {
|
|
559
|
-
const secSource =
|
|
688
|
+
const secSource = import_node_path4.default.resolve(process.cwd(), secFile);
|
|
560
689
|
if (!await fileExists(secSource)) {
|
|
561
|
-
console.error(`Could not open ${(0,
|
|
690
|
+
console.error(`Could not open ${(0, import_chalk5.redBright)(secSource)}`);
|
|
562
691
|
return;
|
|
563
692
|
}
|
|
564
693
|
const parsedSec = (0, import_dotenv2.parse)(import_node_fs3.default.readFileSync(secSource, { encoding: "utf8" }));
|
|
@@ -566,11 +695,59 @@ var handleSec = async ({
|
|
|
566
695
|
credentials: credentialsAndOrigin.value,
|
|
567
696
|
region: regionAndOrigin.value
|
|
568
697
|
});
|
|
698
|
+
const encryptionAlgorithm = await getEncryptionAlgorithm(kmsClient, awsKeyAlias);
|
|
569
699
|
const envEntries = await Promise.all(Object.entries(parsedSec).map(async ([key, cipherText]) => {
|
|
570
700
|
const decryptCommand = new import_client_kms4.DecryptCommand({
|
|
571
701
|
KeyId: awsKeyAlias,
|
|
572
702
|
CiphertextBlob: Buffer.from(cipherText, "base64"),
|
|
573
|
-
EncryptionAlgorithm:
|
|
703
|
+
EncryptionAlgorithm: encryptionAlgorithm
|
|
704
|
+
});
|
|
705
|
+
const decryptionResult = await kmsClient.send(decryptCommand);
|
|
706
|
+
if (!(decryptionResult == null ? void 0 : decryptionResult.Plaintext)) {
|
|
707
|
+
throw new Error(`No: ${JSON.stringify({
|
|
708
|
+
key,
|
|
709
|
+
cipherText,
|
|
710
|
+
decryptCommand
|
|
711
|
+
})}`);
|
|
712
|
+
}
|
|
713
|
+
const value = Buffer.from(decryptionResult.Plaintext).toString();
|
|
714
|
+
return [key, value];
|
|
715
|
+
}));
|
|
716
|
+
const env = Object.fromEntries(envEntries);
|
|
717
|
+
return env;
|
|
718
|
+
};
|
|
719
|
+
var handleEncryptedJson = async ({
|
|
720
|
+
encryptedSecretsFile,
|
|
721
|
+
jsonFilter,
|
|
722
|
+
credentialsAndOrigin,
|
|
723
|
+
regionAndOrigin,
|
|
724
|
+
awsKeyAlias
|
|
725
|
+
}) => {
|
|
726
|
+
const encryptedSecrets = await loadEncryptedSecrets({
|
|
727
|
+
encryptedSecretsFile
|
|
728
|
+
});
|
|
729
|
+
const flattened = import_flat2.default.flatten(encryptedSecrets.encryptedParameters, {
|
|
730
|
+
delimiter: "__",
|
|
731
|
+
transformKey: (key) => {
|
|
732
|
+
return (0, import_constant_case.constantCase)(key);
|
|
733
|
+
}
|
|
734
|
+
});
|
|
735
|
+
const kmsClient = new import_client_kms4.KMSClient({
|
|
736
|
+
credentials: credentialsAndOrigin.value,
|
|
737
|
+
region: regionAndOrigin.value
|
|
738
|
+
});
|
|
739
|
+
const encryptionAlgorithm = await getEncryptionAlgorithm(kmsClient, awsKeyAlias);
|
|
740
|
+
const filterKey = jsonFilter == null ? void 0 : jsonFilter.split(".").map((part) => (0, import_constant_case.constantCase)(part)).join("__");
|
|
741
|
+
const envEntries = await Promise.all(Object.entries(flattened).filter(([key]) => {
|
|
742
|
+
if (filterKey) {
|
|
743
|
+
return key.indexOf(filterKey) === 0;
|
|
744
|
+
}
|
|
745
|
+
return true;
|
|
746
|
+
}).map(async ([key, cipherText]) => {
|
|
747
|
+
const decryptCommand = new import_client_kms4.DecryptCommand({
|
|
748
|
+
KeyId: awsKeyAlias,
|
|
749
|
+
CiphertextBlob: Buffer.from(cipherText, "base64"),
|
|
750
|
+
EncryptionAlgorithm: encryptionAlgorithm
|
|
574
751
|
});
|
|
575
752
|
const decryptionResult = await kmsClient.send(decryptCommand);
|
|
576
753
|
if (!(decryptionResult == null ? void 0 : decryptionResult.Plaintext)) {
|
|
@@ -587,16 +764,40 @@ var handleSec = async ({
|
|
|
587
764
|
return env;
|
|
588
765
|
};
|
|
589
766
|
var handler4 = async (argv) => {
|
|
767
|
+
const config = await getConfig();
|
|
590
768
|
try {
|
|
591
769
|
let env;
|
|
592
770
|
let awsEnv;
|
|
593
771
|
try {
|
|
594
772
|
if (argv.envFile) {
|
|
595
773
|
env = (0, import_dotenv2.parse)(import_node_fs3.default.readFileSync(argv.envFile, { encoding: "utf8" }));
|
|
774
|
+
if (argv.awsAssumeRoleArn || process.env.AWS_ASSUME_ROLE_ARN || (env == null ? void 0 : env.AWS_ASSUME_ROLE_ARN)) {
|
|
775
|
+
const { credentialsAndOrigin, regionAndOrigin } = await handleCredentialsAndRegion({
|
|
776
|
+
argv: __spreadProps(__spreadValues({}, argv), {
|
|
777
|
+
awsRegion: config.aws.region || argv.awsRegion,
|
|
778
|
+
awsProfile: config.aws.profile || argv.awsProfile,
|
|
779
|
+
awsAssumeRoleArn: config.aws.assumeRoleArn || argv.awsAssumeRoleArn,
|
|
780
|
+
awsAssumeRoleSessionDuration: config.aws.assumeRoleSessionDuration || argv.awsAssumeRoleSessionDuration
|
|
781
|
+
}),
|
|
782
|
+
env: __spreadValues({}, process.env)
|
|
783
|
+
});
|
|
784
|
+
awsEnv = {
|
|
785
|
+
AWS_ACCESS_KEY_ID: credentialsAndOrigin.value.accessKeyId,
|
|
786
|
+
AWS_SECRET_ACCESS_KEY: credentialsAndOrigin.value.secretAccessKey
|
|
787
|
+
};
|
|
788
|
+
if (credentialsAndOrigin.value.sessionToken) {
|
|
789
|
+
awsEnv.AWS_SESSION_TOKEN = credentialsAndOrigin.value.sessionToken;
|
|
790
|
+
}
|
|
791
|
+
}
|
|
596
792
|
} else {
|
|
597
793
|
const { credentialsAndOrigin, regionAndOrigin } = await handleCredentialsAndRegion({
|
|
598
|
-
argv: __spreadValues({}, argv),
|
|
599
|
-
|
|
794
|
+
argv: __spreadProps(__spreadValues({}, argv), {
|
|
795
|
+
awsRegion: config.aws.region || argv.awsRegion,
|
|
796
|
+
awsProfile: config.aws.profile || argv.awsProfile,
|
|
797
|
+
awsAssumeRoleArn: config.aws.assumeRoleArn || argv.awsAssumeRoleArn,
|
|
798
|
+
awsAssumeRoleSessionDuration: config.aws.assumeRoleSessionDuration || argv.awsAssumeRoleSessionDuration
|
|
799
|
+
}),
|
|
800
|
+
env: __spreadValues({}, process.env)
|
|
600
801
|
});
|
|
601
802
|
if ((argv.awsAssumeRoleArn || process.env.AWS_ASSUME_ROLE_ARN || (env == null ? void 0 : env.AWS_ASSUME_ROLE_ARN)) && credentialsAndOrigin.value.sessionToken !== void 0) {
|
|
602
803
|
awsEnv = {
|
|
@@ -608,12 +809,23 @@ var handler4 = async (argv) => {
|
|
|
608
809
|
if (argv.verbose) {
|
|
609
810
|
console.log({ credentialsAndOrigin, regionAndOrigin });
|
|
610
811
|
}
|
|
611
|
-
|
|
612
|
-
|
|
613
|
-
|
|
614
|
-
|
|
615
|
-
|
|
616
|
-
|
|
812
|
+
const awsKeyAlias = argv.awsKeyAlias || config.aws.keyAlias;
|
|
813
|
+
if (argv.encryptedSecretsFile) {
|
|
814
|
+
env = await handleEncryptedJson({
|
|
815
|
+
encryptedSecretsFile: argv.encryptedSecretsFile,
|
|
816
|
+
jsonFilter: argv.jsonFilter,
|
|
817
|
+
credentialsAndOrigin,
|
|
818
|
+
regionAndOrigin,
|
|
819
|
+
awsKeyAlias
|
|
820
|
+
});
|
|
821
|
+
} else {
|
|
822
|
+
env = await handleSec({
|
|
823
|
+
secFile: argv.secFile,
|
|
824
|
+
credentialsAndOrigin,
|
|
825
|
+
regionAndOrigin,
|
|
826
|
+
awsKeyAlias
|
|
827
|
+
});
|
|
828
|
+
}
|
|
617
829
|
}
|
|
618
830
|
} catch (e) {
|
|
619
831
|
if (argv.ignoreMissingEnvFile !== true) {
|
|
@@ -641,18 +853,18 @@ __export(encryptEnvCommand_exports, {
|
|
|
641
853
|
desc: () => desc5,
|
|
642
854
|
handler: () => handler5
|
|
643
855
|
});
|
|
856
|
+
var import_node_fs4 = __toModule(require("node:fs"));
|
|
857
|
+
var import_node_path5 = __toModule(require("node:path"));
|
|
644
858
|
var import_client_kms5 = __toModule(require("@aws-sdk/client-kms"));
|
|
645
|
-
var
|
|
859
|
+
var import_chalk6 = __toModule(require("chalk"));
|
|
646
860
|
var import_dotenv3 = __toModule(require("dotenv"));
|
|
647
|
-
var import_node_fs4 = __toModule(require("node:fs"));
|
|
648
|
-
var import_node_path4 = __toModule(require("node:path"));
|
|
649
861
|
var command5 = "encrypt-env";
|
|
650
862
|
var desc5 = "Encrypts a dotenv file";
|
|
651
863
|
var builder5 = {
|
|
652
864
|
"aws-profile": commonCliOptions.awsProfile,
|
|
653
865
|
"aws-region": commonCliOptions.awsRegion,
|
|
654
866
|
"aws-key-alias": commonCliOptions.awsKeyAlias,
|
|
655
|
-
"env-file": commonCliOptions.envFile,
|
|
867
|
+
"env-file": __spreadProps(__spreadValues({}, commonCliOptions.envFile), { default: ".env" }),
|
|
656
868
|
"sec-file": commonCliOptions.secFile,
|
|
657
869
|
"assume-role-arn": commonCliOptions.awsAssumeRoleArn,
|
|
658
870
|
verbose: commonCliOptions.verbose
|
|
@@ -664,9 +876,9 @@ var handler5 = async (argv) => {
|
|
|
664
876
|
argv: __spreadValues({}, argv),
|
|
665
877
|
env: __spreadValues({}, process.env)
|
|
666
878
|
});
|
|
667
|
-
const envSource =
|
|
879
|
+
const envSource = import_node_path5.default.resolve(process.cwd(), argv.envFile);
|
|
668
880
|
if (!await fileExists(envSource)) {
|
|
669
|
-
error(`Could not open ${(0,
|
|
881
|
+
error(`Could not open ${(0, import_chalk6.redBright)(envSource)}`);
|
|
670
882
|
return;
|
|
671
883
|
}
|
|
672
884
|
const parsedEnv = (0, import_dotenv3.parse)(import_node_fs4.default.readFileSync(envSource, { encoding: "utf8" }));
|
|
@@ -677,6 +889,7 @@ var handler5 = async (argv) => {
|
|
|
677
889
|
},
|
|
678
890
|
verbose: argv.verbose
|
|
679
891
|
});
|
|
892
|
+
const encryptionAlgorithm = await getEncryptionAlgorithm(kmsClient, argv.awsKeyAlias);
|
|
680
893
|
if (argv.verbose) {
|
|
681
894
|
info(`Encrypting using key alias ${bold(argv.awsKeyAlias)} in ${bold(await kmsClient.config.region())}`);
|
|
682
895
|
const describeKeyCommand = new import_client_kms5.DescribeKeyCommand({
|
|
@@ -689,7 +902,7 @@ var handler5 = async (argv) => {
|
|
|
689
902
|
const encryptCommand = new import_client_kms5.EncryptCommand({
|
|
690
903
|
KeyId: argv.awsKeyAlias,
|
|
691
904
|
Plaintext: Buffer.from(value),
|
|
692
|
-
EncryptionAlgorithm:
|
|
905
|
+
EncryptionAlgorithm: encryptionAlgorithm
|
|
693
906
|
});
|
|
694
907
|
const encryptionResult = await kmsClient.send(encryptCommand);
|
|
695
908
|
if (!encryptionResult.CiphertextBlob) {
|
|
@@ -705,7 +918,7 @@ var handler5 = async (argv) => {
|
|
|
705
918
|
const cipherText = Buffer.from(encryptionResult.CiphertextBlob).toString("base64");
|
|
706
919
|
return `${key}="${cipherText}"`;
|
|
707
920
|
}))).join("\n");
|
|
708
|
-
import_node_fs4.default.writeFileSync(
|
|
921
|
+
import_node_fs4.default.writeFileSync(import_node_path5.default.resolve(process.cwd(), argv.secFile), sec);
|
|
709
922
|
} catch (e) {
|
|
710
923
|
error(e);
|
|
711
924
|
}
|
|
@@ -720,16 +933,13 @@ __export(encryptSecretsJson_exports, {
|
|
|
720
933
|
handler: () => handler6
|
|
721
934
|
});
|
|
722
935
|
var import_node_fs5 = __toModule(require("node:fs"));
|
|
723
|
-
var
|
|
936
|
+
var import_node_path6 = __toModule(require("node:path"));
|
|
724
937
|
var import_client_kms6 = __toModule(require("@aws-sdk/client-kms"));
|
|
725
|
-
var
|
|
726
|
-
var
|
|
938
|
+
var import_chalk7 = __toModule(require("chalk"));
|
|
939
|
+
var import_flat3 = __toModule(require("flat"));
|
|
727
940
|
var command6 = "encrypt-secrets-json";
|
|
728
941
|
var desc6 = "Encrypts an unencrypted file";
|
|
729
942
|
var builder6 = {
|
|
730
|
-
"aws-profile": commonCliOptions.awsProfile,
|
|
731
|
-
"aws-region": commonCliOptions.awsRegion,
|
|
732
|
-
"aws-key-alias": commonCliOptions.awsKeyAlias,
|
|
733
943
|
"secrets-file": {
|
|
734
944
|
string: true,
|
|
735
945
|
describe: "filename of json file reading secrets",
|
|
@@ -740,29 +950,39 @@ var builder6 = {
|
|
|
740
950
|
describe: "filename of json file for writing encrypted secrets",
|
|
741
951
|
default: "secrets.encrypted.json"
|
|
742
952
|
},
|
|
743
|
-
"
|
|
953
|
+
"aws-profile": commonCliOptions.awsProfile,
|
|
954
|
+
"aws-region": commonCliOptions.awsRegion,
|
|
955
|
+
"aws-key-alias": commonCliOptions.awsKeyAlias,
|
|
956
|
+
"aws-assume-role-arn": commonCliOptions.awsAssumeRoleArn,
|
|
957
|
+
"aws-assume-role-session-duration": commonCliOptions.awsAssumeRoleSessionDuration,
|
|
744
958
|
verbose: commonCliOptions.verbose,
|
|
745
959
|
yes: __spreadValues({}, commonCliOptions.yes)
|
|
746
960
|
};
|
|
747
961
|
var handler6 = async (argv) => {
|
|
962
|
+
const config = await getConfig();
|
|
748
963
|
const { info, error } = getLogger();
|
|
749
964
|
try {
|
|
750
965
|
const { credentialsAndOrigin, regionAndOrigin } = await handleCredentialsAndRegion({
|
|
751
|
-
argv: __spreadValues({}, argv),
|
|
966
|
+
argv: __spreadProps(__spreadValues({}, argv), {
|
|
967
|
+
awsRegion: config.aws.region || argv.awsRegion,
|
|
968
|
+
awsProfile: config.aws.profile || argv.awsProfile,
|
|
969
|
+
awsAssumeRoleArn: config.aws.assumeRoleArn || argv.awsAssumeRoleArn,
|
|
970
|
+
awsAssumeRoleSessionDuration: config.aws.assumeRoleSessionDuration || argv.awsAssumeRoleSessionDuration
|
|
971
|
+
}),
|
|
752
972
|
env: __spreadValues({}, process.env)
|
|
753
973
|
});
|
|
754
|
-
const secretsPath =
|
|
974
|
+
const secretsPath = import_node_path6.default.resolve(process.cwd(), argv.secretsFile);
|
|
755
975
|
if (!await fileExists(secretsPath)) {
|
|
756
|
-
error(`Could not open ${(0,
|
|
976
|
+
error(`Could not open ${(0, import_chalk7.redBright)(secretsPath)}`);
|
|
757
977
|
return;
|
|
758
978
|
}
|
|
759
979
|
const secrets = JSON.parse(import_node_fs5.default.readFileSync(secretsPath, { encoding: "utf8" }));
|
|
760
980
|
if (!secrets.parameters) {
|
|
761
981
|
throw new Error(`Expected 'parameters' property, but got none`);
|
|
762
982
|
}
|
|
763
|
-
const flatParameters = (0,
|
|
983
|
+
const flatParameters = (0, import_flat3.default)(secrets.parameters, { delimiter: "/", maxDepth: config.maxDepth });
|
|
764
984
|
if (argv.verbose) {
|
|
765
|
-
|
|
985
|
+
info(flatParameters);
|
|
766
986
|
}
|
|
767
987
|
const kmsClient = getKMSClient({
|
|
768
988
|
configuration: {
|
|
@@ -771,19 +991,25 @@ var handler6 = async (argv) => {
|
|
|
771
991
|
},
|
|
772
992
|
verbose: argv.verbose
|
|
773
993
|
});
|
|
994
|
+
const awsKeyAlias = argv.awsKeyAlias || config.aws.keyAlias;
|
|
774
995
|
if (argv.verbose) {
|
|
775
|
-
info(`Encrypting using key alias ${bold(
|
|
996
|
+
info(`Encrypting using key alias ${bold(awsKeyAlias)} in ${bold(await kmsClient.config.region())}`);
|
|
776
997
|
const describeKeyCommand = new import_client_kms6.DescribeKeyCommand({
|
|
777
|
-
KeyId:
|
|
998
|
+
KeyId: awsKeyAlias
|
|
778
999
|
});
|
|
779
1000
|
const describeKeyResult = await kmsClient.send(describeKeyCommand);
|
|
780
|
-
|
|
1001
|
+
info("keyMetaData", __spreadValues({}, describeKeyResult.KeyMetadata));
|
|
781
1002
|
}
|
|
1003
|
+
const encryptionAlgorithm = await getEncryptionAlgorithm(kmsClient, awsKeyAlias);
|
|
782
1004
|
const encryptedFlatParameters = Object.fromEntries(await Promise.all(Object.entries(flatParameters).map(async ([parameterName, parameter]) => {
|
|
1005
|
+
let parameterCopy = parameter;
|
|
1006
|
+
if (typeof parameter !== "string" && typeof parameter !== "number" && typeof parameter !== "boolean") {
|
|
1007
|
+
parameterCopy = JSON.stringify(parameter);
|
|
1008
|
+
}
|
|
783
1009
|
const encryptCommand = new import_client_kms6.EncryptCommand({
|
|
784
|
-
KeyId:
|
|
785
|
-
Plaintext: Buffer.from(
|
|
786
|
-
EncryptionAlgorithm:
|
|
1010
|
+
KeyId: awsKeyAlias,
|
|
1011
|
+
Plaintext: Buffer.from(String(parameterCopy)),
|
|
1012
|
+
EncryptionAlgorithm: encryptionAlgorithm
|
|
787
1013
|
});
|
|
788
1014
|
const encryptionResult = await kmsClient.send(encryptCommand);
|
|
789
1015
|
if (!encryptionResult.CiphertextBlob) {
|
|
@@ -799,12 +1025,12 @@ var handler6 = async (argv) => {
|
|
|
799
1025
|
const cipherText = Buffer.from(encryptionResult.CiphertextBlob).toString("base64");
|
|
800
1026
|
return [parameterName, cipherText];
|
|
801
1027
|
})));
|
|
802
|
-
const encryptedParameters =
|
|
1028
|
+
const encryptedParameters = import_flat3.default.unflatten(encryptedFlatParameters, { delimiter: "/" });
|
|
803
1029
|
const encryptedSecrets = {
|
|
804
1030
|
config: secrets.config,
|
|
805
1031
|
encryptedParameters
|
|
806
1032
|
};
|
|
807
|
-
const encryptedSecretsPath =
|
|
1033
|
+
const encryptedSecretsPath = import_node_path6.default.resolve(process.cwd(), argv.encryptedSecretsFile);
|
|
808
1034
|
const overwriteResponse = await promptOverwriteIfFileExists({
|
|
809
1035
|
filePath: encryptedSecretsPath,
|
|
810
1036
|
skip: argv.yes
|
|
@@ -825,44 +1051,51 @@ __export(offloadToSSMCommand_exports, {
|
|
|
825
1051
|
desc: () => desc7,
|
|
826
1052
|
handler: () => handler7
|
|
827
1053
|
});
|
|
1054
|
+
var import_node_fs6 = __toModule(require("node:fs"));
|
|
1055
|
+
var import_node_path7 = __toModule(require("node:path"));
|
|
828
1056
|
var import_client_kms7 = __toModule(require("@aws-sdk/client-kms"));
|
|
829
1057
|
var import_client_ssm3 = __toModule(require("@aws-sdk/client-ssm"));
|
|
830
|
-
var
|
|
831
|
-
var
|
|
832
|
-
var import_node_fs6 = __toModule(require("node:fs"));
|
|
833
|
-
var import_node_path6 = __toModule(require("node:path"));
|
|
1058
|
+
var import_chalk8 = __toModule(require("chalk"));
|
|
1059
|
+
var import_flat4 = __toModule(require("flat"));
|
|
834
1060
|
var command7 = "offload-secrets-json-to-ssm";
|
|
835
1061
|
var desc7 = "Sends decrypted values of secrets.encrypted.json file to SSM parameter store";
|
|
836
1062
|
var builder7 = {
|
|
837
|
-
"aws-profile": commonCliOptions.awsProfile,
|
|
838
|
-
"aws-region": commonCliOptions.awsRegion,
|
|
839
|
-
"aws-key-alias": commonCliOptions.awsKeyAlias,
|
|
840
1063
|
"encrypted-secrets-file": {
|
|
841
1064
|
string: true,
|
|
842
|
-
describe: "filename of json file for
|
|
1065
|
+
describe: "filename of json file for writing encrypted secrets",
|
|
843
1066
|
default: "secrets.encrypted.json"
|
|
844
1067
|
},
|
|
845
|
-
"
|
|
1068
|
+
"aws-profile": commonCliOptions.awsProfile,
|
|
1069
|
+
"aws-region": commonCliOptions.awsRegion,
|
|
1070
|
+
"aws-key-alias": commonCliOptions.awsKeyAlias,
|
|
1071
|
+
"aws-assume-role-arn": commonCliOptions.awsAssumeRoleArn,
|
|
1072
|
+
"aws-assume-role-session-duration": commonCliOptions.awsAssumeRoleSessionDuration,
|
|
846
1073
|
verbose: commonCliOptions.verbose,
|
|
847
1074
|
yes: __spreadValues({}, commonCliOptions.yes)
|
|
848
1075
|
};
|
|
849
1076
|
var handler7 = async (argv) => {
|
|
1077
|
+
const config = await getConfig();
|
|
850
1078
|
const { info, error } = getLogger();
|
|
851
1079
|
try {
|
|
852
1080
|
const { credentialsAndOrigin, regionAndOrigin } = await handleCredentialsAndRegion({
|
|
853
|
-
argv: __spreadValues({}, argv),
|
|
1081
|
+
argv: __spreadProps(__spreadValues({}, argv), {
|
|
1082
|
+
awsRegion: config.aws.region || argv.awsRegion,
|
|
1083
|
+
awsProfile: config.aws.profile || argv.awsProfile,
|
|
1084
|
+
awsAssumeRoleArn: config.aws.assumeRoleArn || argv.awsAssumeRoleArn,
|
|
1085
|
+
awsAssumeRoleSessionDuration: config.aws.assumeRoleSessionDuration || argv.awsAssumeRoleSessionDuration
|
|
1086
|
+
}),
|
|
854
1087
|
env: __spreadValues({}, process.env)
|
|
855
1088
|
});
|
|
856
|
-
const encryptedSecretsPath =
|
|
1089
|
+
const encryptedSecretsPath = import_node_path7.default.resolve(process.cwd(), argv.encryptedSecretsFile);
|
|
857
1090
|
if (!await fileExists(encryptedSecretsPath)) {
|
|
858
|
-
error(`Could not open ${(0,
|
|
1091
|
+
error(`Could not open ${(0, import_chalk8.redBright)(encryptedSecretsPath)}`);
|
|
859
1092
|
return;
|
|
860
1093
|
}
|
|
861
1094
|
const encryptedSecrets = JSON.parse(import_node_fs6.default.readFileSync(encryptedSecretsPath, { encoding: "utf8" }));
|
|
862
1095
|
if (!encryptedSecrets.encryptedParameters) {
|
|
863
1096
|
throw new Error(`Expected 'encryptedParameters' property, but got none`);
|
|
864
1097
|
}
|
|
865
|
-
const flatEncryptedParameters = (0,
|
|
1098
|
+
const flatEncryptedParameters = (0, import_flat4.default)(encryptedSecrets.encryptedParameters, { delimiter: "/" });
|
|
866
1099
|
const kmsClient = getKMSClient({
|
|
867
1100
|
configuration: {
|
|
868
1101
|
credentials: credentialsAndOrigin.value,
|
|
@@ -870,19 +1103,16 @@ var handler7 = async (argv) => {
|
|
|
870
1103
|
},
|
|
871
1104
|
verbose: argv.verbose
|
|
872
1105
|
});
|
|
1106
|
+
const awsKeyAlias = argv.awsKeyAlias || config.aws.keyAlias;
|
|
873
1107
|
if (argv.verbose) {
|
|
874
|
-
info(`Encrypting using key alias ${bold(
|
|
875
|
-
const describeKeyCommand = new import_client_kms7.DescribeKeyCommand({
|
|
876
|
-
KeyId: argv.awsKeyAlias
|
|
877
|
-
});
|
|
878
|
-
const describeKeyResult = await kmsClient.send(describeKeyCommand);
|
|
879
|
-
console.log("describeKeyResult", { describeKeyResult });
|
|
1108
|
+
info(`Encrypting using key alias ${bold(awsKeyAlias)} in ${bold(await kmsClient.config.region())}`);
|
|
880
1109
|
}
|
|
1110
|
+
const encryptionAlgorithm = await getEncryptionAlgorithm(kmsClient, awsKeyAlias);
|
|
881
1111
|
const flatParameters = Object.fromEntries(await Promise.all(Object.entries(flatEncryptedParameters).map(async ([parameterName, encryptedParameter]) => {
|
|
882
1112
|
const decryptCommand = new import_client_kms7.DecryptCommand({
|
|
883
1113
|
KeyId: argv.awsKeyAlias,
|
|
884
1114
|
CiphertextBlob: Buffer.from(encryptedParameter, "base64"),
|
|
885
|
-
EncryptionAlgorithm:
|
|
1115
|
+
EncryptionAlgorithm: encryptionAlgorithm
|
|
886
1116
|
});
|
|
887
1117
|
const decryptionResult = await kmsClient.send(decryptCommand);
|
|
888
1118
|
if (!decryptionResult.Plaintext) {
|