env-secrets 0.4.0 → 0.5.0

package/dist/index.js

@@ -30,6 +30,19 @@ const exitWithError = (error) => {
     console.error(error instanceof Error ? error.message : String(error));
     process.exit(1);
 };
+const parseSecretJsonObject = (secretName, value) => {
+    let parsed;
+    try {
+        parsed = JSON.parse(value);
+    }
+    catch (_a) {
+        throw new Error(`Secret "${secretName}" is not valid JSON. append/remove requires a JSON object secret.`);
+    }
+    if (!parsed || Array.isArray(parsed) || typeof parsed !== 'object') {
+        throw new Error(`Secret "${secretName}" must be a JSON object. append/remove does not support arrays or scalar values.`);
+    }
+    return parsed;
+};
 // main program
 program
     .name('env-secrets')
@@ -92,6 +105,7 @@ secretCommand
     .requiredOption('-n, --name <name>', 'secret name')
     .option('-v, --value <value>', 'secret value')
     .option('--value-stdin', 'read secret value from stdin')
+    .option('-f, --file <path>', 'read secret value from local file')
     .option('-d, --description <description>', 'secret description')
     .option('-k, --kms-key-id <kmsKeyId>', 'kms key id')
     .option('-t, --tag <tag...>', 'tag in key=value format')
@@ -106,9 +120,9 @@ secretCommand
         const output = (_a = options.output) !== null && _a !== void 0 ? _a : (typeof globalOptions.output === 'string'
             ? globalOptions.output
             : 'table');
-        const value = yield (0, helpers_1.resolveSecretValue)(options.value, options.valueStdin);
+        const value = yield (0, helpers_1.resolveSecretValue)(options.value, options.valueStdin, options.file);
         if (!value) {
-            throw new Error('Secret value is required. Provide --value or --value-stdin.');
+            throw new Error('Secret value is required. Provide --value, --value-stdin, or --file.');
         }
         const result = yield (0, secretsmanager_admin_1.createSecret)({
             name: options.name,
@@ -135,6 +149,7 @@ secretCommand
     .requiredOption('-n, --name <name>', 'secret name')
     .option('-v, --value <value>', 'new secret value')
     .option('--value-stdin', 'read secret value from stdin')
+    .option('-f, --file <path>', 'read secret value from local file')
     .option('-d, --description <description>', 'secret description')
     .option('-k, --kms-key-id <kmsKeyId>', 'kms key id')
     .option('-p, --profile <profile>', 'profile to use')
@@ -148,9 +163,9 @@ secretCommand
         const output = (_b = options.output) !== null && _b !== void 0 ? _b : (typeof globalOptions.output === 'string'
             ? globalOptions.output
             : 'table');
-        const value = yield (0, helpers_1.resolveSecretValue)(options.value, options.valueStdin);
+        const value = yield (0, helpers_1.resolveSecretValue)(options.value, options.valueStdin, options.file);
         if (!value && !options.description && !options.kmsKeyId) {
-            throw new Error('Nothing to update. Provide --value/--value-stdin, --description, or --kms-key-id.');
+            throw new Error('Nothing to update. Provide --value/--value-stdin/--file, --description, or --kms-key-id.');
         }
         const result = yield (0, secretsmanager_admin_1.updateSecret)({
             name: options.name,
@@ -170,6 +185,226 @@ secretCommand
         exitWithError(error);
     }
 }));
+secretCommand
+    .command('upsert')
+    .alias('import')
+    .description('create or update a secret from a local env file')
+    .requiredOption('-f, --file <path>', 'path to env file')
+    .requiredOption('-n, --name <name>', 'secret name')
+    .option('-d, --description <description>', 'secret description')
+    .option('-k, --kms-key-id <kmsKeyId>', 'kms key id')
+    .option('-t, --tag <tag...>', 'tag in key=value format (applies on create)')
+    .option('-p, --profile <profile>', 'profile to use')
+    .option('-r, --region <region>', 'region to use')
+    .option('--output <format>', 'output format: json|table')
+    .action((options, command) => __awaiter(void 0, void 0, void 0, function* () {
+    var _c;
+    try {
+        const { profile, region } = (0, helpers_1.resolveAwsScope)(options, command);
+        const globalOptions = command.optsWithGlobals();
+        const output = (_c = options.output) !== null && _c !== void 0 ? _c : (typeof globalOptions.output === 'string'
+            ? globalOptions.output
+            : 'table');
+        const parsed = yield (0, helpers_1.parseEnvSecretsFile)(options.file);
+        if (parsed.entries.length === 0) {
+            throw new Error('No env entries found. Include lines like KEY=value or export KEY=value.');
+        }
+        const payload = Object.fromEntries(parsed.entries.map((entry) => [entry.key, entry.value]));
+        const value = JSON.stringify(payload);
+        const rows = [];
+        let created = 0;
+        let updated = 0;
+        let failed = 0;
+        const skipped = parsed.skipped.length;
+        for (const skip of parsed.skipped) {
+            rows.push({
+                name: options.name,
+                status: 'skipped',
+                line: String(skip.line),
+                message: `${skip.reason}: ${skip.key}`
+            });
+        }
+        try {
+            try {
+                yield (0, secretsmanager_admin_1.createSecret)({
+                    name: options.name,
+                    value,
+                    description: options.description,
+                    kmsKeyId: options.kmsKeyId,
+                    tags: options.tag,
+                    profile,
+                    region
+                });
+                created += 1;
+                rows.push({
+                    name: options.name,
+                    status: 'created',
+                    message: `imported ${parsed.entries.length} keys`
+                });
+            }
+            catch (createError) {
+                const message = createError instanceof Error
+                    ? createError.message
+                    : String(createError);
+                if (!/already exists/i.test(message)) {
+                    throw createError;
+                }
+                yield (0, secretsmanager_admin_1.updateSecret)({
+                    name: options.name,
+                    value,
+                    description: options.description,
+                    kmsKeyId: options.kmsKeyId,
+                    profile,
+                    region
+                });
+                updated += 1;
+                rows.push({
+                    name: options.name,
+                    status: 'updated',
+                    message: `imported ${parsed.entries.length} keys`
+                });
+            }
+        }
+        catch (error) {
+            failed += 1;
+            rows.push({
+                name: options.name,
+                status: 'failed',
+                message: error instanceof Error ? error.message : String(error)
+            });
+        }
+        const summary = { created, updated, skipped, failed };
+        if (output === 'json') {
+            // eslint-disable-next-line no-console
+            console.log(JSON.stringify({ summary, results: rows }, null, 2));
+            if (failed > 0) {
+                process.exitCode = 1;
+            }
+            return;
+        }
+        (0, helpers_1.printData)((0, helpers_1.asOutputFormat)(output), [
+            { key: 'name', label: 'Name' },
+            { key: 'status', label: 'Status' },
+            { key: 'line', label: 'Line' },
+            { key: 'message', label: 'Message' }
+        ], rows);
+        // eslint-disable-next-line no-console
+        console.log(`Summary: created=${created}, updated=${updated}, skipped=${skipped}, failed=${failed}`);
+        if (failed > 0) {
+            process.exitCode = 1;
+        }
+    }
+    catch (error) {
+        exitWithError(error);
+    }
+}));
+secretCommand
+    .command('append')
+    .description('append or overwrite one key in an existing JSON secret')
+    .requiredOption('-n, --name <name>', 'secret name')
+    .requiredOption('--key <key>', 'key to append/update')
+    .option('-v, --value <value>', 'value for the key')
+    .option('--value-stdin', 'read value from stdin')
+    .option('-f, --file <path>', 'read value from local file')
+    .option('-p, --profile <profile>', 'profile to use')
+    .option('-r, --region <region>', 'region to use')
+    .option('--output <format>', 'output format: json|table')
+    .action((options, command) => __awaiter(void 0, void 0, void 0, function* () {
+    var _d;
+    try {
+        const { profile, region } = (0, helpers_1.resolveAwsScope)(options, command);
+        const globalOptions = command.optsWithGlobals();
+        const output = (_d = options.output) !== null && _d !== void 0 ? _d : (typeof globalOptions.output === 'string'
+            ? globalOptions.output
+            : 'table');
+        const value = yield (0, helpers_1.resolveSecretValue)(options.value, options.valueStdin, options.file);
+        if (!value) {
+            throw new Error('Append value is required. Provide --value, --value-stdin, or --file.');
+        }
+        const current = yield (0, secretsmanager_admin_1.getSecretString)({
+            name: options.name,
+            profile,
+            region
+        });
+        const payload = parseSecretJsonObject(options.name, current);
+        payload[options.key] = value;
+        const result = yield (0, secretsmanager_admin_1.updateSecret)({
+            name: options.name,
+            value: JSON.stringify(payload),
+            profile,
+            region
+        });
+        (0, helpers_1.printData)((0, helpers_1.asOutputFormat)(output), [
+            { key: 'name', label: 'Name' },
+            { key: 'arn', label: 'ARN' },
+            { key: 'versionId', label: 'VersionId' },
+            { key: 'key', label: 'Key' },
+            { key: 'action', label: 'Action' }
+        ], [
+            Object.assign(Object.assign({}, result), { key: options.key, action: 'appended' })
+        ]);
+    }
+    catch (error) {
+        exitWithError(error);
+    }
+}));
+secretCommand
+    .command('remove')
+    .description('remove one or more keys from an existing JSON secret')
+    .requiredOption('-n, --name <name>', 'secret name')
+    .requiredOption('--key <key...>', 'one or more keys to remove')
+    .option('-p, --profile <profile>', 'profile to use')
+    .option('-r, --region <region>', 'region to use')
+    .option('--output <format>', 'output format: json|table')
+    .action((options, command) => __awaiter(void 0, void 0, void 0, function* () {
+    var _e;
+    try {
+        const { profile, region } = (0, helpers_1.resolveAwsScope)(options, command);
+        const globalOptions = command.optsWithGlobals();
+        const output = (_e = options.output) !== null && _e !== void 0 ? _e : (typeof globalOptions.output === 'string'
+            ? globalOptions.output
+            : 'table');
+        const keys = options.key;
+        const current = yield (0, secretsmanager_admin_1.getSecretString)({
+            name: options.name,
+            profile,
+            region
+        });
+        const payload = parseSecretJsonObject(options.name, current);
+        const removed = [];
+        const missing = [];
+        for (const key of keys) {
+            if (Object.prototype.hasOwnProperty.call(payload, key)) {
+                delete payload[key];
+                removed.push(key);
+            }
+            else {
+                missing.push(key);
+            }
+        }
+        if (removed.length === 0) {
+            throw new Error(`None of the requested keys exist in secret "${options.name}".`);
+        }
+        const result = yield (0, secretsmanager_admin_1.updateSecret)({
+            name: options.name,
+            value: JSON.stringify(payload),
+            profile,
+            region
+        });
+        (0, helpers_1.printData)((0, helpers_1.asOutputFormat)(output), [
+            { key: 'name', label: 'Name' },
+            { key: 'arn', label: 'ARN' },
+            { key: 'versionId', label: 'VersionId' },
+            { key: 'removed', label: 'RemovedKeys' },
+            { key: 'missing', label: 'MissingKeys' }
+        ], [
+            Object.assign(Object.assign({}, result), { removed: removed.join(','), missing: missing.join(',') })
+        ]);
+    }
+    catch (error) {
+        exitWithError(error);
+    }
+}));
 secretCommand
     .command('list')
     .description('list secrets in AWS Secrets Manager')
@@ -179,11 +414,11 @@ secretCommand
     .option('-r, --region <region>', 'region to use')
     .option('--output <format>', 'output format: json|table')
     .action((options, command) => __awaiter(void 0, void 0, void 0, function* () {
-    var _c;
+    var _f;
     try {
         const { profile, region } = (0, helpers_1.resolveAwsScope)(options, command);
         const globalOptions = command.optsWithGlobals();
-        const output = (_c = options.output) !== null && _c !== void 0 ? _c : (typeof globalOptions.output === 'string'
+        const output = (_f = options.output) !== null && _f !== void 0 ? _f : (typeof globalOptions.output === 'string'
             ? globalOptions.output
             : 'table');
         const result = yield (0, secretsmanager_admin_1.listSecrets)({
@@ -215,11 +450,11 @@ secretCommand
     .option('-r, --region <region>', 'region to use')
     .option('--output <format>', 'output format: json|table')
     .action((options, command) => __awaiter(void 0, void 0, void 0, function* () {
-    var _d;
+    var _g;
     try {
         const { profile, region } = (0, helpers_1.resolveAwsScope)(options, command);
         const globalOptions = command.optsWithGlobals();
-        const output = (_d = options.output) !== null && _d !== void 0 ? _d : (typeof globalOptions.output === 'string'
+        const output = (_g = options.output) !== null && _g !== void 0 ? _g : (typeof globalOptions.output === 'string'
             ? globalOptions.output
             : 'table');
         const result = yield (0, secretsmanager_admin_1.getSecretMetadata)({
@@ -261,11 +496,11 @@ secretCommand
     .option('-r, --region <region>', 'region to use')
     .option('--output <format>', 'output format: json|table')
     .action((options, command) => __awaiter(void 0, void 0, void 0, function* () {
-    var _e;
+    var _h;
     try {
         const { profile, region } = (0, helpers_1.resolveAwsScope)(options, command);
         const globalOptions = command.optsWithGlobals();
-        const output = (_e = options.output) !== null && _e !== void 0 ? _e : (typeof globalOptions.output === 'string'
+        const output = (_h = options.output) !== null && _h !== void 0 ? _h : (typeof globalOptions.output === 'string'
             ? globalOptions.output
             : 'table');
         if (!options.yes) {

package/dist/vaults/secretsmanager-admin.js

@@ -12,7 +12,7 @@ var __importDefault = (this && this.__importDefault) || function (mod) {
     return (mod && mod.__esModule) ? mod : { "default": mod };
 };
 Object.defineProperty(exports, "__esModule", { value: true });
-exports.deleteSecret = exports.getSecretMetadata = exports.listSecrets = exports.updateSecret = exports.createSecret = exports.validateSecretName = void 0;
+exports.deleteSecret = exports.getSecretString = exports.secretExists = exports.getSecretMetadata = exports.listSecrets = exports.updateSecret = exports.createSecret = exports.validateSecretName = void 0;
 const client_secrets_manager_1 = require("@aws-sdk/client-secrets-manager");
 const client_sts_1 = require("@aws-sdk/client-sts");
 const debug_1 = __importDefault(require("debug"));
@@ -213,6 +213,39 @@ const getSecretMetadata = (options) => __awaiter(void 0, void 0, void 0, functio
     }
 });
 exports.getSecretMetadata = getSecretMetadata;
+const secretExists = (options) => __awaiter(void 0, void 0, void 0, function* () {
+    (0, exports.validateSecretName)(options.name);
+    debug('secretExists called', { name: options.name });
+    const client = yield createClient(options);
+    try {
+        yield client.send(new client_secrets_manager_1.DescribeSecretCommand({ SecretId: options.name }));
+        return true;
+    }
+    catch (error) {
+        const awsError = error;
+        if ((awsError === null || awsError === void 0 ? void 0 : awsError.name) === 'ResourceNotFoundException') {
+            return false;
+        }
+        return mapAwsError(error, options.name);
+    }
+});
+exports.secretExists = secretExists;
+const getSecretString = (options) => __awaiter(void 0, void 0, void 0, function* () {
+    (0, exports.validateSecretName)(options.name);
+    debug('getSecretString called', { name: options.name });
+    const client = yield createClient(options);
+    try {
+        const result = yield client.send(new client_secrets_manager_1.GetSecretValueCommand({ SecretId: options.name }));
+        if (typeof result.SecretString !== 'string') {
+            throw new Error(`Secret "${options.name}" is not stored as a string value and cannot be edited with append/remove.`);
+        }
+        return result.SecretString;
+    }
+    catch (error) {
+        return mapAwsError(error, options.name);
+    }
+});
+exports.getSecretString = getSecretString;
 const deleteSecret = (options) => __awaiter(void 0, void 0, void 0, function* () {
     (0, exports.validateSecretName)(options.name);
     debug('deleteSecret called', {

package/docs/AWS.md

@@ -153,6 +153,9 @@ In addition to injecting variables into a process, `env-secrets` can manage AWS
 
 - `env-secrets aws secret create`
 - `env-secrets aws secret update`
+- `env-secrets aws secret append`
+- `env-secrets aws secret remove`
+- `env-secrets aws secret upsert` (alias: `import`)
 - `env-secrets aws secret list`
 - `env-secrets aws secret get`
 - `env-secrets aws secret delete`
@@ -160,6 +163,31 @@ In addition to injecting variables into a process, `env-secrets` can manage AWS
 `aws secret` subcommands consistently honor `--region`, `--profile`, and `--output`.
 Use these options directly with each subcommand.
 
+### `aws -s` vs `aws secret ...`
+
+- `env-secrets aws -s <secret-name> -- <command>`: retrieves a secret value and injects it into the environment for the spawned process (or use `-o <file>` to write exports to a file).
+- `env-secrets aws secret ...`: management commands only (`create`, `update`, `append`, `remove`, `upsert/import`, `list`, `get`, `delete`).
+
+Example:
+
+```bash
+# inject secret values
+env-secrets aws -s my-app/dev/api -r us-east-1 -- node app.js
+
+# manage secrets
+env-secrets aws secret get -n my-app/dev/api -r us-east-1 --output json
+```
+
+### Load secrets into your current shell
+
+`env-secrets aws -s ... -- <command>` injects variables into the spawned child process only.
+If you want variables in your current shell session, write exports to a file and source it:
+
+```bash
+env-secrets aws -s my-app/dev/api -r us-east-1 -o secrets.env
+source secrets.env
+```
+
 ### Secret Management Examples
 
 1. **Create a secret with inline value:**
@@ -184,7 +212,28 @@ Use these options directly with each subcommand.
    env-secrets aws secret update -n my-app/dev/api -v '{"API_KEY":"rotated"}' -r us-east-1
    ```
 
-4. **List secrets by prefix:**
+4. **Upsert from an env file into one JSON secret (`export KEY=value` or `KEY=value`):**
+
+   ```bash
+   env-secrets aws secret upsert --file .env --name my-app/dev -r us-east-1 --output json
+   # alias:
+   env-secrets aws secret import --file .env --name my-app/dev -r us-east-1 --output json
+   ```
+
+   This creates/updates one secret named `my-app/dev` with a JSON payload like:
+
+   ```json
+   { "API_KEY": "abc123", "DATABASE_URL": "postgres://..." }
+   ```
+
+5. **Append/remove keys in an existing JSON secret:**
+
+   ```bash
+   env-secrets aws secret append -n my-app/dev --key JIRA_EMAIL_TOKEN -v blah -r us-east-1
+   env-secrets aws secret remove -n my-app/dev --key OLD_TOKEN -r us-east-1
+   ```
+
+6. **List secrets by prefix:**
 
    ```bash
    env-secrets aws secret list --prefix my-app/dev -r us-east-1 --output table
@@ -197,13 +246,13 @@ Use these options directly with each subcommand.
    env-secrets aws secret list --prefix my-app/dev -r us-east-1 --output json
    ```
 
-5. **Get metadata and version info (without printing secret value):**
+7. **Get metadata and version info (without printing secret value):**
 
    ```bash
    env-secrets aws secret get -n my-app/dev/api -r us-east-1 --output json
    ```
 
-6. **Delete with explicit confirmation:**
+8. **Delete with explicit confirmation:**
 
    ```bash
    env-secrets aws secret delete -n my-app/dev/raw --recovery-days 7 --yes -r us-east-1
@@ -212,6 +261,9 @@ Use these options directly with each subcommand.
 ### Secret Management Safety Notes
 
 - `delete` requires `--yes`.
+- `create`/`update` accept `--value`, `--value-stdin`, or `--file` (use only one).
+- `append` and `remove` require the secret value to be a JSON object.
+- `upsert/import --file --name` parses `export KEY=value` and `KEY=value`, stores them as one JSON secret object, ignores blank lines/comments, and reports `created`, `updated`, `skipped`, and `failed`.
 - Use `--value-stdin` to avoid shell history leakage for sensitive values.
 - Use either `--recovery-days` or `--force-delete-without-recovery` for delete operations.
 

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "env-secrets",
-  "version": "0.4.0",
+  "version": "0.5.0",
   "description": "get secrets from a secrets vault and inject them into the running environment",
   "main": "index.js",
   "author": "Mark C Allen (@markcallen)",
@@ -52,9 +52,9 @@
     "typescript": "^4.9.5"
   },
   "dependencies": {
-    "@aws-sdk/client-secrets-manager": "^3.990.0",
-    "@aws-sdk/client-sts": "^3.990.0",
-    "@aws-sdk/credential-providers": "^3.990.0",
+    "@aws-sdk/client-secrets-manager": "^3.996.0",
+    "@aws-sdk/client-sts": "^3.996.0",
+    "@aws-sdk/credential-providers": "^3.996.0",
     "commander": "^9.5.0",
     "debug": "^4.4.3"
   },

package/src/cli/helpers.ts

@@ -1,8 +1,19 @@
+import { readFile } from 'node:fs/promises';
+
 export type OutputFormat = 'json' | 'table';
 export interface AwsScopeOptions {
   profile?: string;
   region?: string;
 }
+export interface EnvSecretEntry {
+  key: string;
+  value: string;
+  line: number;
+}
+export interface ParsedEnvSecrets {
+  entries: EnvSecretEntry[];
+  skipped: Array<{ key: string; line: number; reason: string }>;
+}
 
 interface CommandLikeWithGlobalOpts {
   optsWithGlobals?: () => Record<string, unknown>;
@@ -105,10 +116,18 @@ export const readStdin = async (stdin: NodeJS.ReadStream = process.stdin) => {
 
 export const resolveSecretValue = async (
   value?: string,
-  valueStdin?: boolean
+  valueStdin?: boolean,
+  valueFile?: string
 ): Promise<string | undefined> => {
-  if (value && valueStdin) {
-    throw new Error('Use either --value or --value-stdin, not both.');
+  const providedSources = [
+    value !== undefined,
+    valueStdin === true,
+    valueFile !== undefined
+  ].filter(Boolean).length;
+  if (providedSources > 1) {
+    throw new Error(
+      'Use only one secret value source: --value, --value-stdin, or --file.'
+    );
   }
 
   if (valueStdin) {
@@ -120,9 +139,85 @@ export const resolveSecretValue = async (
     return await readStdin();
   }
 
+  if (valueFile) {
+    const content = await readFile(valueFile, 'utf8');
+    return content.replace(/\r?\n$/, '');
+  }
+
   return value;
 };
 
+const parseEnvLine = (
+  line: string,
+  lineNumber: number
+): { key: string; value: string } | undefined => {
+  const trimmed = line.trim();
+  if (!trimmed || trimmed.startsWith('#')) {
+    return undefined;
+  }
+
+  const candidate = trimmed.startsWith('export ')
+    ? trimmed.slice('export '.length).trimStart()
+    : trimmed;
+  const separatorIndex = candidate.indexOf('=');
+
+  if (separatorIndex <= 0) {
+    throw new Error(
+      `Malformed env line ${lineNumber}. Expected KEY=value or export KEY=value.`
+    );
+  }
+
+  const key = candidate.slice(0, separatorIndex).trim();
+  const value = candidate.slice(separatorIndex + 1).trim();
+
+  if (!key) {
+    throw new Error(
+      `Malformed env line ${lineNumber}. Expected KEY=value or export KEY=value.`
+    );
+  }
+
+  return { key, value };
+};
+
+export const parseEnvSecrets = (content: string): ParsedEnvSecrets => {
+  const seenKeys = new Set<string>();
+  const entries: EnvSecretEntry[] = [];
+  const skipped: Array<{ key: string; line: number; reason: string }> = [];
+
+  const lines = content.split(/\r?\n/);
+  for (let index = 0; index < lines.length; index += 1) {
+    const parsed = parseEnvLine(lines[index], index + 1);
+    if (!parsed) {
+      continue;
+    }
+
+    if (seenKeys.has(parsed.key)) {
+      skipped.push({
+        key: parsed.key,
+        line: index + 1,
+        reason: 'duplicate key'
+      });
+      continue;
+    }
+
+    seenKeys.add(parsed.key);
+    entries.push({
+      key: parsed.key,
+      value: parsed.value,
+      line: index + 1
+    });
+  }
+
+  return { entries, skipped };
+};
+
+export const parseEnvSecretsFile = async (
+  path: string
+): Promise<ParsedEnvSecrets> => {
+  const content = await readFile(path, 'utf8');
+  return parseEnvSecrets(content);
+};
+
 export const resolveAwsScope = (
   options: AwsScopeOptions,
   command?: CommandLikeWithGlobalOpts