Skip to content

haven-secrets/haven-cli

BranchesTags

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

19 Commits
bin
bin
 
 
src
src
 
 
.gitignore
.gitignore
 
 
README.md
README.md
 
 
package.json
package.json
 
 

Repository files navigation

LS-BrandDev-Haven_logo-full-on_light

shields.io npm version badge shields.io npm license badge shields.io github closed pull requests badge shields.io custom website link badge

Haven is an open-source, centralized secrets manager. It protects your application secrets through a combination of encryption, access control, and injection-at-runtime. It’s easy to set up, and offers an intuitive GUI to set fine-grained access controls and to view logs. Haven allows small teams to securely manage all of their projects’ secrets---and to do so with a minimum of hassle so that they can get back to developing their applications without sacrificing security.

This package allows you to use a CLI to interact with your Haven instance. If you would prefer a GUI, use the Haven UI package instead. Both of these use the Haven package under the hood to interact with the AWS architecture that makes up Haven.

Usage as Admin

To use, you must first have an AWS account set up, your default credentials setup in ~/.aws/credentials and your region setup in ~/.aws/config.

Example ~/.aws/credentials:

[default]
aws_access_key_id=AKIAIOSFODNN7EXAMPLE
aws_secret_access_key=wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY

Example ~/.aws/config:

[default]
region=us-west-2
output=json

After that, simply:

  1. Install the npm package globally (sudo npm -g install haven-secrets-cli)
  2. Run haven setup ${region} specifying what supported region you want your Haven instance to be setup.
  3. After setup, run any of the commands mentioned in the next section.
  4. To create a new user, run haven addUser ${userName} passing in the user's name. This will
  5. To teardown, simply run haven teardown.

Usage as Developer

you don't need an AWS account setup since all users of a Haven instance use the account used during the setup by Admin

  1. Install the npm package globally (sudo npm -g install haven-secrets-cli)
  2. Place the havenAccountInfo.json file into a ~/.haven directory.
  3. Run haven userSetup within an hour after the Admin created your acccount.

Commands

Command Description
haven setup

This command creates a new Haven instance within the given region. When haven new is executed, Haven provisions the AWS resources it needs to run.

haven teardown

Executing this command will teardown the Haven instance:

  • All DynamoDb tables with their corresponding encrypted secrets.
  • Schedule master key deletion
  • Delete all users and logs.
haven createProject

This command will prompt you to name your project and will create three[Dev, Prod, Stg] corresponding dynamoDB tables to store your encrypted secrets.

haven deleteProject

Executing this command will prompt you to select the project you want deleted. This will then delete the three dynamoDB tables and their corresponding secrets.

haven addUser

Executing this command will prompt you to select a user name and generate the havenAccountInfo.json file that you will give to the new user. They will have to run haven userSetup on their computer with that file within an hour, otherwise the credentials will be invalidated and you will have to run haven addUser again.

haven userSetup

This is the command a new user will run after placing their havenAccountInfo.json file into their ~/.haven directory. If this command is run within an hour of credential creation, their temporary credentials will be replaced with their permanent credentials. This will grant them access to the projects/environments the Admin has granted them permission to.

haven putSecret

Executing this command will prompt for project name, environment, secret name and secret value. If the user has sufficient permissions and the project exists, Haven will put the encrypted secret value alongside the secret value into the corresponding dynamoDB table. If there is already a secret with the same name, a new version of the secret is instead placed into the table.

haven getSecret

Executing this command will prompt for project name, environment, and secret name. If the secret exists and the user has sufficient permission, the secret and its decrypted value will be returned.

haven getAllSecrets

Executing this command will prompt for project name and environment. If the user has sufficient permission, the latest version of all the secrets for that project and environment combination will be returned.

haven addUserToGroups

Executing this command will prompt for a user and the projects/environments you want them to have access to with either read or read-write permissions.

haven listGroupsForUser

Executing this command will prompt for a user and return all groups they belong to. A group represents an environment, project, and access permission combination.

haven getAllHavenUsers

Executing this command will return all Haven users for a Haven instance.

haven revokeUser

Executing this command will prompt for a user and revoke them from all projects/environments they have access to. Furthermore, it will flag all secrets they had access to so they can be updated.

haven revokeUserFromGroups

Executing this command will prompt for a user and what groups to revoke them from. The user will be removed from those groups and it will flag all secrets they had access to so those secrets can be updated.

haven run

This command is used to inject secrets into an application. The arguments expected are projectName,environment, and whatever start command you would normally use in your npm start script.

For example, assuming your start script in your project's package.json was "npx nodemon todos.js" and you had put the corresponding secrets into a Haven project named todos under the environemnt prod, the new run command would be: "haven run todos prod npx nodemon todos.js".

When this command runs, it will retrieve all the secrets for the environment and project combination, spawn your application as a child process and inject them into the child process's environment. If your application logs any of the secrets to stdErr or stdOut, Haven will redact them and then pass them along on stdErr or stdOut accordingly.

haven fetchLogs

Executing this command will return all the logs for the Haven instance. These logs contain information on who created and accessed which secret at which time. These are logged regardless of whether the attempt was successful or not.

haven help

Display help information about Haven commands.

Dependencies

  • Node.js 12.x or greater
  • npm packages (installed during npm install):
    • commander
    • haven-secrets-core
    • prompts

About

Command line interface for Haven

Resources

Readme
Activity
Custom properties

Stars

0 stars

Watchers

1 watching

Forks

0 forks
Report repository

Releases

No releases published

Packages

No packages published

Contributors 4

  •  
  •  
  •  
  •  

Languages