env-secrets 0.3.3 → 0.5.0

package/dist/vaults/secretsmanager-admin.js

@@ -0,0 +1,273 @@
+"use strict";
+var __awaiter = (this && this.__awaiter) || function (thisArg, _arguments, P, generator) {
+    function adopt(value) { return value instanceof P ? value : new P(function (resolve) { resolve(value); }); }
+    return new (P || (P = Promise))(function (resolve, reject) {
+        function fulfilled(value) { try { step(generator.next(value)); } catch (e) { reject(e); } }
+        function rejected(value) { try { step(generator["throw"](value)); } catch (e) { reject(e); } }
+        function step(result) { result.done ? resolve(result.value) : adopt(result.value).then(fulfilled, rejected); }
+        step((generator = generator.apply(thisArg, _arguments || [])).next());
+    });
+};
+var __importDefault = (this && this.__importDefault) || function (mod) {
+    return (mod && mod.__esModule) ? mod : { "default": mod };
+};
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.deleteSecret = exports.getSecretString = exports.secretExists = exports.getSecretMetadata = exports.listSecrets = exports.updateSecret = exports.createSecret = exports.validateSecretName = void 0;
+const client_secrets_manager_1 = require("@aws-sdk/client-secrets-manager");
+const client_sts_1 = require("@aws-sdk/client-sts");
+const debug_1 = __importDefault(require("debug"));
+const aws_config_1 = require("./aws-config");
+const debug = (0, debug_1.default)('env-secrets:secretsmanager-admin');
+// Allowed characters are documented by AWS Secrets Manager naming rules.
+// See: https://docs.aws.amazon.com/secretsmanager/latest/userguide/reference_limits.html
+const SECRET_NAME_PATTERN = /^[A-Za-z0-9/_+=.@-]+$/;
+const formatDate = (value) => {
+    if (!value) {
+        return undefined;
+    }
+    return value.toISOString();
+};
+const parseTags = (tags) => {
+    if (!tags || tags.length === 0) {
+        return undefined;
+    }
+    return tags.map((tag) => {
+        const parts = tag.split('=');
+        if (parts.length < 2) {
+            throw new Error(`Invalid tag format: ${tag}. Use key=value.`);
+        }
+        const key = parts[0].trim();
+        const value = parts.slice(1).join('=').trim();
+        if (!key || !value) {
+            throw new Error(`Invalid tag format: ${tag}. Use key=value.`);
+        }
+        return { Key: key, Value: value };
+    });
+};
+const tagsToRecord = (tags) => {
+    if (!tags || tags.length === 0) {
+        return undefined;
+    }
+    const result = {};
+    for (const tag of tags) {
+        if (tag.Key && tag.Value) {
+            result[tag.Key] = tag.Value;
+        }
+    }
+    return Object.keys(result).length > 0 ? result : undefined;
+};
+const mapAwsError = (error, secretName) => {
+    const awsError = error;
+    const secretLabel = secretName ? ` for "${secretName}"` : '';
+    if ((awsError === null || awsError === void 0 ? void 0 : awsError.name) === 'AlreadyExistsException') {
+        throw new Error(`Secret${secretLabel} already exists.`);
+    }
+    if ((awsError === null || awsError === void 0 ? void 0 : awsError.name) === 'ResourceNotFoundException') {
+        throw new Error(`Secret${secretLabel} was not found.`);
+    }
+    if ((awsError === null || awsError === void 0 ? void 0 : awsError.name) === 'InvalidRequestException') {
+        throw new Error(awsError.message || 'Invalid request to AWS Secrets Manager.');
+    }
+    if ((awsError === null || awsError === void 0 ? void 0 : awsError.name) === 'AccessDeniedException') {
+        throw new Error(awsError.message ||
+            'Access denied while calling AWS Secrets Manager. Verify IAM permissions.');
+    }
+    if (awsError === null || awsError === void 0 ? void 0 : awsError.message) {
+        throw new Error(awsError.message);
+    }
+    throw new Error(String(error));
+};
+const ensureConnected = (clientConfig) => __awaiter(void 0, void 0, void 0, function* () {
+    const stsClient = new client_sts_1.STSClient(clientConfig);
+    yield stsClient.send(new client_sts_1.GetCallerIdentityCommand({}));
+});
+const createClient = (options) => __awaiter(void 0, void 0, void 0, function* () {
+    const config = (0, aws_config_1.buildAwsClientConfig)(options);
+    debug('Creating AWS clients', {
+        hasProfile: Boolean(options.profile),
+        region: options.region,
+        hasEndpoint: Boolean(config.endpoint)
+    });
+    yield ensureConnected(config);
+    return new client_secrets_manager_1.SecretsManagerClient(config);
+});
+const validateSecretName = (name) => {
+    if (!SECRET_NAME_PATTERN.test(name)) {
+        throw new Error(`Invalid secret name "${name}". Use only letters, numbers, and /_+=.@- characters.`);
+    }
+};
+exports.validateSecretName = validateSecretName;
+const createSecret = (options) => __awaiter(void 0, void 0, void 0, function* () {
+    var _a;
+    (0, exports.validateSecretName)(options.name);
+    debug('createSecret called', {
+        name: options.name,
+        hasTags: !!((_a = options.tags) === null || _a === void 0 ? void 0 : _a.length)
+    });
+    const client = yield createClient(options);
+    const tags = parseTags(options.tags);
+    try {
+        const result = yield client.send(new client_secrets_manager_1.CreateSecretCommand({
+            Name: options.name,
+            Description: options.description,
+            SecretString: options.value,
+            KmsKeyId: options.kmsKeyId,
+            Tags: tags
+        }));
+        return {
+            arn: result.ARN,
+            name: result.Name,
+            versionId: result.VersionId
+        };
+    }
+    catch (error) {
+        return mapAwsError(error, options.name);
+    }
+});
+exports.createSecret = createSecret;
+const updateSecret = (options) => __awaiter(void 0, void 0, void 0, function* () {
+    (0, exports.validateSecretName)(options.name);
+    debug('updateSecret called', { name: options.name });
+    const client = yield createClient(options);
+    try {
+        const result = yield client.send(new client_secrets_manager_1.UpdateSecretCommand({
+            SecretId: options.name,
+            Description: options.description,
+            SecretString: options.value,
+            KmsKeyId: options.kmsKeyId
+        }));
+        return {
+            arn: result.ARN,
+            name: result.Name,
+            versionId: result.VersionId
+        };
+    }
+    catch (error) {
+        return mapAwsError(error, options.name);
+    }
+});
+exports.updateSecret = updateSecret;
+const listSecrets = (options) => __awaiter(void 0, void 0, void 0, function* () {
+    var _b;
+    debug('listSecrets called', {
+        prefix: options.prefix,
+        hasTags: !!((_b = options.tags) === null || _b === void 0 ? void 0 : _b.length)
+    });
+    const client = yield createClient(options);
+    const requiredTags = parseTags(options.tags);
+    const secrets = [];
+    try {
+        let nextToken;
+        do {
+            const result = yield client.send(new client_secrets_manager_1.ListSecretsCommand({ NextToken: nextToken }));
+            for (const secret of result.SecretList || []) {
+                if (options.prefix &&
+                    secret.Name &&
+                    !secret.Name.startsWith(options.prefix)) {
+                    continue;
+                }
+                if (requiredTags && requiredTags.length > 0) {
+                    const available = tagsToRecord(secret.Tags);
+                    const matchesAll = requiredTags.every((tag) => tag.Key && tag.Value && (available === null || available === void 0 ? void 0 : available[tag.Key]) === tag.Value);
+                    if (!matchesAll) {
+                        continue;
+                    }
+                }
+                secrets.push({
+                    name: secret.Name || '',
+                    arn: secret.ARN,
+                    description: secret.Description,
+                    lastChangedDate: formatDate(secret.LastChangedDate)
+                });
+            }
+            nextToken = result.NextToken;
+        } while (nextToken);
+    }
+    catch (error) {
+        return mapAwsError(error);
+    }
+    return secrets;
+});
+exports.listSecrets = listSecrets;
+const getSecretMetadata = (options) => __awaiter(void 0, void 0, void 0, function* () {
+    (0, exports.validateSecretName)(options.name);
+    debug('getSecretMetadata called', { name: options.name });
+    const client = yield createClient(options);
+    try {
+        const result = yield client.send(new client_secrets_manager_1.DescribeSecretCommand({ SecretId: options.name }));
+        return {
+            name: result.Name,
+            arn: result.ARN,
+            description: result.Description,
+            kmsKeyId: result.KmsKeyId,
+            deletedDate: formatDate(result.DeletedDate),
+            lastChangedDate: formatDate(result.LastChangedDate),
+            lastAccessedDate: formatDate(result.LastAccessedDate),
+            createdDate: formatDate(result.CreatedDate),
+            versionIdsToStages: result.VersionIdsToStages,
+            tags: tagsToRecord(result.Tags)
+        };
+    }
+    catch (error) {
+        return mapAwsError(error, options.name);
+    }
+});
+exports.getSecretMetadata = getSecretMetadata;
+const secretExists = (options) => __awaiter(void 0, void 0, void 0, function* () {
+    (0, exports.validateSecretName)(options.name);
+    debug('secretExists called', { name: options.name });
+    const client = yield createClient(options);
+    try {
+        yield client.send(new client_secrets_manager_1.DescribeSecretCommand({ SecretId: options.name }));
+        return true;
+    }
+    catch (error) {
+        const awsError = error;
+        if ((awsError === null || awsError === void 0 ? void 0 : awsError.name) === 'ResourceNotFoundException') {
+            return false;
+        }
+        return mapAwsError(error, options.name);
+    }
+});
+exports.secretExists = secretExists;
+const getSecretString = (options) => __awaiter(void 0, void 0, void 0, function* () {
+    (0, exports.validateSecretName)(options.name);
+    debug('getSecretString called', { name: options.name });
+    const client = yield createClient(options);
+    try {
+        const result = yield client.send(new client_secrets_manager_1.GetSecretValueCommand({ SecretId: options.name }));
+        if (typeof result.SecretString !== 'string') {
+            throw new Error(`Secret "${options.name}" is not stored as a string value and cannot be edited with append/remove.`);
+        }
+        return result.SecretString;
+    }
+    catch (error) {
+        return mapAwsError(error, options.name);
+    }
+});
+exports.getSecretString = getSecretString;
+const deleteSecret = (options) => __awaiter(void 0, void 0, void 0, function* () {
+    (0, exports.validateSecretName)(options.name);
+    debug('deleteSecret called', {
+        name: options.name,
+        recoveryDays: options.recoveryDays,
+        forceDeleteWithoutRecovery: options.forceDeleteWithoutRecovery
+    });
+    const client = yield createClient(options);
+    try {
+        const result = yield client.send(new client_secrets_manager_1.DeleteSecretCommand({
+            SecretId: options.name,
+            RecoveryWindowInDays: options.recoveryDays,
+            ForceDeleteWithoutRecovery: options.forceDeleteWithoutRecovery
+        }));
+        return {
+            arn: result.ARN,
+            name: result.Name,
+            deletedDate: formatDate(result.DeletionDate)
+        };
+    }
+    catch (error) {
+        return mapAwsError(error, options.name);
+    }
+});
+exports.deleteSecret = deleteSecret;

package/dist/vaults/secretsmanager.js

@@ -15,8 +15,8 @@ Object.defineProperty(exports, "__esModule", { value: true });
 exports.secretsmanager = void 0;
 const client_secrets_manager_1 = require("@aws-sdk/client-secrets-manager");
 const client_sts_1 = require("@aws-sdk/client-sts");
-const credential_providers_1 = require("@aws-sdk/credential-providers");
 const debug_1 = __importDefault(require("debug"));
+const aws_config_1 = require("./aws-config");
 const debug = (0, debug_1.default)('env-secrets:secretsmanager');
 const isCredentialsError = (error) => {
     if (!error || typeof error !== 'object') {
@@ -25,8 +25,8 @@ const isCredentialsError = (error) => {
     const errorName = 'name' in error ? error.name : undefined;
     return (errorName === 'CredentialsError' || errorName === 'CredentialsProviderError');
 };
-const checkConnection = (region, credentials) => __awaiter(void 0, void 0, void 0, function* () {
-    const stsClient = new client_sts_1.STSClient({ region, credentials });
+const checkConnection = (config) => __awaiter(void 0, void 0, void 0, function* () {
+    const stsClient = new client_sts_1.STSClient(config);
     const command = new client_sts_1.GetCallerIdentityCommand({});
     try {
         const data = yield stsClient.send(command);
@@ -46,28 +46,20 @@ const checkConnection = (region, credentials) => __awaiter(void 0, void 0, void
 });
 const secretsmanager = (options) => __awaiter(void 0, void 0, void 0, function* () {
     const { secret, profile, region } = options;
-    const { AWS_ACCESS_KEY_ID: awsAccessKeyId, AWS_SECRET_ACCESS_KEY: awsSecretAccessKey } = process.env;
-    let credentials;
+    const config = (0, aws_config_1.buildAwsClientConfig)({ profile, region });
     if (profile) {
         debug(`Using profile: ${profile}`);
-        credentials = (0, credential_providers_1.fromIni)({ profile });
     }
-    else if (awsAccessKeyId && awsSecretAccessKey) {
-        debug('Using environment variables');
-        credentials = undefined; // Will use environment variables automatically
+    else if (config.credentials) {
+        debug('Using profile: default');
     }
     else {
-        debug('Using profile: default');
-        credentials = (0, credential_providers_1.fromIni)({ profile: 'default' });
+        debug('Using environment variables');
     }
-    const config = {
-        region,
-        credentials
-    };
     if (!config.region) {
         debug('no region set');
     }
-    const connected = yield checkConnection(region, credentials);
+    const connected = yield checkConnection(config);
     if (connected) {
         const client = new client_secrets_manager_1.SecretsManagerClient(config);
         try {

package/docs/AWS.md

@@ -120,7 +120,7 @@ env-secrets aws -s my-secret-name -r us-east-1 -- node app.js
 
 ## Required Permissions
 
-Your AWS credentials must have the following permissions to use Secrets Manager:
+Your AWS credentials must have the following permissions to use secret injection and secret management commands:
 
 ```json
 {
@@ -128,7 +128,14 @@ Your AWS credentials must have the following permissions to use Secrets Manager:
   "Statement": [
     {
       "Effect": "Allow",
-      "Action": ["secretsmanager:GetSecretValue"],
+      "Action": [
+        "secretsmanager:GetSecretValue",
+        "secretsmanager:CreateSecret",
+        "secretsmanager:UpdateSecret",
+        "secretsmanager:ListSecrets",
+        "secretsmanager:DescribeSecret",
+        "secretsmanager:DeleteSecret"
+      ],
       "Resource": "arn:aws:secretsmanager:*:*:secret:*"
     },
     {
@@ -140,6 +147,126 @@ Your AWS credentials must have the following permissions to use Secrets Manager:
 }
 ```
 
+## Secret Management Commands
+
+In addition to injecting variables into a process, `env-secrets` can manage AWS secrets directly:
+
+- `env-secrets aws secret create`
+- `env-secrets aws secret update`
+- `env-secrets aws secret append`
+- `env-secrets aws secret remove`
+- `env-secrets aws secret upsert` (alias: `import`)
+- `env-secrets aws secret list`
+- `env-secrets aws secret get`
+- `env-secrets aws secret delete`
+
+`aws secret` subcommands consistently honor `--region`, `--profile`, and `--output`.
+Use these options directly with each subcommand.
+
+### `aws -s` vs `aws secret ...`
+
+- `env-secrets aws -s <secret-name> -- <command>`: retrieves a secret value and injects it into the environment for the spawned process (or use `-o <file>` to write exports to a file).
+- `env-secrets aws secret ...`: management commands only (`create`, `update`, `append`, `remove`, `upsert/import`, `list`, `get`, `delete`).
+
+Example:
+
+```bash
+# inject secret values
+env-secrets aws -s my-app/dev/api -r us-east-1 -- node app.js
+
+# manage secrets
+env-secrets aws secret get -n my-app/dev/api -r us-east-1 --output json
+```
+
+### Load secrets into your current shell
+
+`env-secrets aws -s ... -- <command>` injects variables into the spawned child process only.
+If you want variables in your current shell session, write exports to a file and source it:
+
+```bash
+env-secrets aws -s my-app/dev/api -r us-east-1 -o secrets.env
+source secrets.env
+```
+
+### Secret Management Examples
+
+1. **Create a secret with inline value:**
+
+   ```bash
+   env-secrets aws secret create \
+     -n my-app/dev/api \
+     -v '{"API_KEY":"abc123"}' \
+     -r us-east-1 \
+     --output json
+   ```
+
+2. **Create from stdin (recommended for sensitive values):**
+
+   ```bash
+   echo -n 'super-secret-value' | env-secrets aws secret create -n my-app/dev/raw --value-stdin -r us-east-1
+   ```
+
+3. **Update an existing secret value:**
+
+   ```bash
+   env-secrets aws secret update -n my-app/dev/api -v '{"API_KEY":"rotated"}' -r us-east-1
+   ```
+
+4. **Upsert from an env file into one JSON secret (`export KEY=value` or `KEY=value`):**
+
+   ```bash
+   env-secrets aws secret upsert --file .env --name my-app/dev -r us-east-1 --output json
+   # alias:
+   env-secrets aws secret import --file .env --name my-app/dev -r us-east-1 --output json
+   ```
+
+   This creates/updates one secret named `my-app/dev` with a JSON payload like:
+
+   ```json
+   { "API_KEY": "abc123", "DATABASE_URL": "postgres://..." }
+   ```
+
+5. **Append/remove keys in an existing JSON secret:**
+
+   ```bash
+   env-secrets aws secret append -n my-app/dev --key JIRA_EMAIL_TOKEN -v blah -r us-east-1
+   env-secrets aws secret remove -n my-app/dev --key OLD_TOKEN -r us-east-1
+   ```
+
+6. **List secrets by prefix:**
+
+   ```bash
+   env-secrets aws secret list --prefix my-app/dev -r us-east-1 --output table
+   ```
+
+   Multi-region validation example:
+
+   ```bash
+   env-secrets aws secret list --prefix my-app/dev -r us-west-2 --output json
+   env-secrets aws secret list --prefix my-app/dev -r us-east-1 --output json
+   ```
+
+7. **Get metadata and version info (without printing secret value):**
+
+   ```bash
+   env-secrets aws secret get -n my-app/dev/api -r us-east-1 --output json
+   ```
+
+8. **Delete with explicit confirmation:**
+
+   ```bash
+   env-secrets aws secret delete -n my-app/dev/raw --recovery-days 7 --yes -r us-east-1
+   ```
+
+### Secret Management Safety Notes
+
+- `delete` requires `--yes`.
+- `create`/`update` accept `--value`, `--value-stdin`, or `--file` (use only one).
+- `append` and `remove` require the secret value to be a JSON object.
+- `upsert/import --file --name` parses `export KEY=value` and `KEY=value`, stores them as one JSON secret object, ignores blank lines/comments, and reports `created`, `updated`, `skipped`, and `failed`.
+- Use `--value-stdin` to avoid shell history leakage for sensitive values.
+- Use either `--recovery-days` or `--force-delete-without-recovery` for delete operations.
+
 ## Examples
 
 ### Basic Usage

package/jest.e2e.config.js

@@ -4,5 +4,6 @@ module.exports = {
   preset: 'ts-jest',
   testEnvironment: 'node',
   setupFilesAfterEnv: ['<rootDir>/__e2e__/setup.ts'],
+  testMatch: ['<rootDir>/__e2e__/**/*.test.ts'],
   testTimeout: 30000 // 30 seconds timeout for e2e tests
 };

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "env-secrets",
-  "version": "0.3.3",
+  "version": "0.5.0",
   "description": "get secrets from a secrets vault and inject them into the running environment",
   "main": "index.js",
   "author": "Mark C Allen (@markcallen)",
@@ -52,9 +52,9 @@
     "typescript": "^4.9.5"
   },
   "dependencies": {
-    "@aws-sdk/client-secrets-manager": "^3.990.0",
-    "@aws-sdk/client-sts": "^3.990.0",
-    "@aws-sdk/credential-providers": "^3.990.0",
+    "@aws-sdk/client-secrets-manager": "^3.996.0",
+    "@aws-sdk/client-sts": "^3.996.0",
+    "@aws-sdk/credential-providers": "^3.996.0",
     "commander": "^9.5.0",
     "debug": "^4.4.3"
   },
@@ -64,7 +64,7 @@
       "eslint --fix"
     ],
     "**/*.ts": [
-      "tsc-files --noEmit --project src/tsconfig.json",
+      "bash -lc 'tsc --noEmit --project src/tsconfig.json'",
       "prettier --write",
       "eslint --fix"
     ],