-
Notifications
You must be signed in to change notification settings - Fork 153
/
Copy pathdecrypt_creds.py
89 lines (71 loc) · 3.22 KB
/
decrypt_creds.py
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
"""
ADD WHATEVER CODE YOU NEED TO DO HERE TO DECRYPT CREDENTIALS FOR USE OF YOUR BOT!
"""
def get_credentials():
# Here is a KMS example: (uncomment to make work)
# return kms_decrypt()
# For Docker, encryption is assumed to be happening outside of this, and the secrets
# are instead being passed in as environment variables:
import os
creds = {
# Minimum
"SLACK": os.environ["SLACK_TOKEN"],
# Optional:
"GITHUB": os.environ.get("GITHUB_TOKEN"),
# These are named the same as the env var, but these are the env vars should you
# want to leverage the feature:
# "TRAVIS_PRO_USER": os.environ.get("TRAVIS_PRO_USER"),
# "TRAVIS_PRO_ID": os.environ.get("TRAVIS_PRO_ID"),
# "TRAVIS_PRO_TOKEN": os.environ.get("TRAVIS_PRO_TOKEN"),
# "TRAVIS_PUBLIC_USER": os.environ.get("TRAVIS_PUBLIC_USER"),
# "TRAVIS_PUBLIC_ID": os.environ.get("TRAVIS_PUBLIC_ID"),
# "TRAVIS_PUBLIC_TOKEN": os.environ.get("TRAVIS_PUBLIC_TOKEN"),
# DUO_...NAME_OF_DUO_CRED: "domain-that-is-duod.com,duo_host,duo_ikey,duo_skey"
# ADD MORE HERE...
}
# Just adds the rest for freely-named ones (Like for Duo):
for variable, value in os.environ.items():
creds[variable] = value
return creds
# def kms_decrypt():
# """
# This is a method to decrypt credentials utilizing on-instance credentials
# for AWS KMS. Please review AWS documentation for details.
#
# The secret should be a JSON blob of the secrets that are required.
# :return: A Dict with the secrets in them.
# """
# import boto3
# import base64
# import json
# from config import KMS_REGION, KMS_CIPHERTEXT
#
# kms_client = boto3.client("kms", region_name=KMS_REGION)
# decrypt_res = kms_client.decrypt(CiphertextBlob=bytes(base64.b64decode(KMS_CIPHERTEXT)))
# return json.loads(decrypt_res["Plaintext"].decode("utf-8"))
"""
Sample KMS encryption:
--------------------
import boto3
import json
import base64
kms_client = boto3.client("kms", region_name=KMS_REGION)
account_id = "YOUR ACCOUNT ID HERE"
key_id = "YOUR KEY ID HERE"
kms_arn = "arn:aws:kms:{region}:{account_id}:key/{key_id}".format(region=KMS_REGION, account_id=account_id, key_id=key_id)
secrets_to_encrypt = {
"SLACK": "SLACK TOKEN HERE",
"GITHUB": "GITHUB TOKEN HERE",
"TRAVIS_PRO_USER": "GitHub ID of GitHub account with access to Travis Pro",
"TRAVIS_PRO_ID": "The ID of the Travis user. Use the Travis API to get this (for Pro)",
"TRAVIS_PRO_TOKEN": "Use the Travis API to get the Travis token (for the Travis Pro account)",
"TRAVIS_PUBLIC_USER": "GitHub ID of GitHub account with access to Travis Public",
"TRAVIS_PUBLIC_ID": "The ID of the Travis user. Use the Travis API to get this (for Public)",
"TRAVIS_PUBLIC_TOKEN": Use the Travis API to get the Travis token (for the Travis Public account)",
"DUO_YOUR_DOMAIN": "your-domain-here.com,xxxxxxxx.duosecurity.com,THEDUOIKEY,THEDUOSKEY"
}
encrypt_res = kms_client.encrypt(KeyId=kms_arn, Plaintext=bytes(json.dumps(secrets_to_encrypt, indent=4), "utf-8"))
# Your results are:
print("The encrypted PTXT in B64:")
print(base64.b64encode(encrypt_res["CiphertextBlob"]).decode("utf-8"))
"""