Name	Name	Last commit message	Last commit date
Latest commit History 210 Commits
.github/workflows	.github/workflows
src	src
tests	tests
.envrc	.envrc
.gitignore	.gitignore
CHANGELOG.md	CHANGELOG.md
Cargo.lock	Cargo.lock
Cargo.toml	Cargo.toml
DEVELOPMENT.md	DEVELOPMENT.md
README.md	README.md
Xargo.toml	Xargo.toml
rust-toolchain.toml	rust-toolchain.toml
shell.nix	shell.nix
size.md	size.md

Rucredstash

Table of Contents

Rucredstash
Introduction
Usage
Installation
Infrastructure Setup
Usage Examples
- Different way of passing AWS Credentials
- Other usage examples
  - Put secret value
  - Get secret value
  - Get all secret values
  - List credentials with other metadata
  - Get all keys
  - Delete a specific key
  - Put a bunch of secrets (putall subcommand)

Introduction

Rucredstash is a Rust port of CredStash

It uses a combination of AWS Key Management Service (KMS) and DynamoDB to store secrets. This is needed when you want to store and retrieve your credentials (like database password, API Keys etc) securely. A more detailed tutorial is here.

This package offers the interface via both CLI and an library way of accessing it. The CLI is meant as a drop in replacement of the original credstash program and therefore it tries to have the exact interface as the original program.

Usage

rucredstash 0.8.0 Sibi Prabakaran A credential/secret storage system USAGE: rucredstash [OPTIONS] [SUBCOMMAND] FLAGS: -h, --help Prints help information -V, --version Prints version information OPTIONS: -a, --arn AWS IAM ARN for AssumeRole -m, --mfa_serial Optional MFA hardware device serial number or virtual device ARN -p, --profile Boto config profile to use when connecting to AWS -r, --region the AWS region in which to operate. If a region is not specified, credstash will use the value of the AWS_DEFAULT_REGION env variable, or if that is not set, the value in `~/.aws/config`. As a last resort, it will use us-east-1 -t, --table DynamoDB table to use for credential storage. If not specified, credstash will use the value of the CREDSTASH_DEFAULT_TABLE env variable, or if that is not set, the value `credential-store` will be used SUBCOMMANDS: delete Delete a credential from the store get Get a credential from the store getall Get all credentials from the store help Prints this message or the help of the given subcommand(s) keys List all keys in the store list List credentials and their versions put Put a credential into the store putall Put credentials from json or file into the store setup setup the credential storeInstallation See Github releases: https://github.com/psibi/rucredstash/releases Executables are available for all the three major platforms: Linux, Windows and MacOS. Infrastructure Setup For rucredstash to work, you need to setup the following AWS infrastrucutre: Create Customer manged keys (CMK) key Services => KMS => Create Key => Input "credstash" for Key Alias Create DynamoDB table rucredstash setup Usage Examples Different way of passing AWS Credentials The most simple case is to export the proper environment variable and use it: $ export AWS_ACCESS_KEY_ID=xxxx $ export AWS_SECRET_ACCESS_KEY=xxxx $ rucredstash list hello -- version 0000000000000000001 --comment hellehllobyegood -- version 0000000000000000001 --comment hello1 -- version 0000000000000000001 --comment Note that rucredstash by default uses DefaultCredentialsProvider, so your credentials will be based on that. But it even allows other complex usage scenarios: $ export AWS_ACCESS_KEY_ID=xxxx $ export AWS_SECRET_ACCESS_KEY=xxxx $ rucredstash --arn arn:aws:iam::786946123934:role/admin --mfa_serial arn:aws:iam::786946123934:mfa/sibi --region us-west-2 list Enter MFA Code: xxxxx hello -- version 0000000000000000001 --comment hellehllobyegood -- version 0000000000000000001 --comment hello1 -- version 0000000000000000001 --comment Note that the MFA functionality isn't present in the original credstash program (the Python program). You can also use programs like aws-env and use this tool. Example: $ aws-env rucredstash list hello -- version 0000000000000000001 --comment hellehllobyegood -- version 0000000000000000001 --comment hello1 -- version 0000000000000000001 --comment Other usage examples Put secret value $ rucredstash put hello world hello has been stored You can also use the encryption context associated with the credential: $ rucredstash put nasdaq nifty500 market=world nasdaq has been stored Or even multiple encryption contexts: $ rucredstash put vanguard vanguardsecret market=world indexfunds=us vanguard has been stored Get secret value $ rucredstash get hello1 world1 Now let's also try to retrieve using the encryption context: $ rucredstash get nasdaq market=world nifty500 And using multiple encryption context: $ rucredstash get vanguard market=world indexfunds=us vanguardsecret Get all secret values $ rucredstash getall { "hellehllobyegood": "dam", "hello": "world", "hello1": "world1" } You can get that in other formats too: $ rucredstash getall --format yaml hello: world hellehllobyegood: dam hello1: world1 List credentials with other metadata $ rucredstash list hello -- version 0000000000000000001 --comment hellehllobyegood -- version 0000000000000000001 --comment hello1 -- version 0000000000000000001 --comment Get all keys $ rucredstash keys hello hellehllobyegood hello1 Delete a specific key $ rucredstash delete hello Deleting hello --version 0000000000000000001 Put a bunch of secrets (putall subcommand) You can pass the input from a file using the special symbol @ to indicate that the data is fed from the file: $ bat secrets.json -------+---------------------------------------- | File: secrets.json -------+---------------------------------------- 1 | { 2 | "hello": "world", 3 | "hi": "bye" 4 | } -------+---------------------------------------- $ rucredstash putall @secrets.json hello has been stored hi has been stored You can also pass the data via stdin using the special operator -: $ rucredstash putall - { "hello": "world" } hello has been stored Note that the passed data should be in json format. You press the Enter key to indicate that you have finished passing the data. Also, you can also pass the data directly to it: $ rucredstash putall '{"hello":"world","hi":"bye"}' hello has been stored hi has been stored About Utility for managing credentials securely in AWS cloud Topics rust aws secret secret-management Resources Readme Uh oh! There was an error while loading. Please reload this page. Activity Stars 19 stars Watchers 1 watching Forks 4 forks Report repository Releases 12 v0.9.2 Latest Jun 15, 2023 + 11 releases Packages 0 Uh oh! There was an error while loading. Please reload this page. Uh oh! There was an error while loading. Please reload this page. Contributors Uh oh! There was an error while loading. Please reload this page. Languages Rust 97.7% Other 2.3% Footer (c) 2026 GitHub, Inc. Footer navigation Terms Privacy Security Status Community Docs Contact You can't perform that action at this time.

Navigation Menu

Search code, repositories, users, issues, pull requests...

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

psibi/rucredstash

Folders and files

Latest commit

History

Repository files navigation

Rucredstash

Introduction

Usage

Installation

Infrastructure Setup

Usage Examples

Different way of passing AWS Credentials

Other usage examples

Put secret value

Get secret value

Get all secret values

List credentials with other metadata

Get all keys

Delete a specific key

Put a bunch of secrets (putall subcommand)

About

Topics

Resources

Uh oh!

Stars

Watchers

Forks

Releases 12

Packages

Uh oh!

Uh oh!

Contributors

Uh oh!

Languages