@lockzero/aws-sync
v1.0.0
Bidirectional sync between LockZero and AWS Secrets Manager / SSM Parameter Store
Installation
npm install -g @lockzero/aws-sync
# or as a dev dependency
npm install --save-dev @lockzero/aws-sync
Authentication
| Credential | How to provide |
|---|---|
| LockZero API key | --lz-key <key> or LOCKZERO_API_KEY env var |
| AWS credentials | Standard AWS SDK chain: env vars, ~/.aws/credentials, OIDC, instance profile |
Commands
push — LockZero → AWS
# Push the "openai" namespace to SSM Parameter Store
lockzero-aws push --namespace openai --backend ssm --prefix /lockzero/
# Push to Secrets Manager instead
lockzero-aws push --namespace openai --backend secretsmanager --prefix /lockzero/
# Preview without writing
lockzero-aws push --namespace openai --backend ssm --prefix /lockzero/ --dry-run
SSM parameters are created as SecureString at path <prefix><namespace>/<fieldKey>.
Secrets Manager stores all fields as a JSON blob in one secret named <prefix><namespace>.
pull — AWS → LockZero
# Pull SSM parameters back into LockZero
lockzero-aws pull --namespace openai --backend ssm --prefix /lockzero/
# Preview without writing
lockzero-aws pull --namespace openai --backend ssm --prefix /lockzero/ --dry-run
diff — show what would change
# Show what a push would do
lockzero-aws diff --namespace openai --backend ssm --prefix /lockzero/ --direction push
# Show what a pull would do
lockzero-aws diff --namespace openai --backend ssm --prefix /lockzero/ --direction pull
Output is color-coded: green + = add, yellow ~ = update, red - = orphan, gray = = unchanged.
GitHub Actions
See src/examples/sync-workflow.yml for a complete CI workflow using OIDC (no static AWS keys needed).
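The role that CI assumes through OIDC only needs to reach the names this tool touches. The following added example (not part of the package or its README) derives IAM resource ARNs from the naming rules described under push; the action lists, the slash-delimited prefix check, and the region and account ID inputs are assumptions of the example.

```javascript
// Added example; not code from @lockzero/aws-sync.
// Names follow the README: SSM = <prefix><namespace>/<fieldKey>,
// Secrets Manager = one secret named <prefix><namespace>.
// ASSUMPTION: these action lists are a starting point, not the tool's documented
// requirements; confirm them against CloudTrail before relying on the policy.
const ACTIONS = {
  ssm: {
    read: ["ssm:GetParametersByPath", "ssm:GetParameter"],
    write: ["ssm:PutParameter"],
  },
  secretsmanager: {
    read: ["secretsmanager:DescribeSecret", "secretsmanager:GetSecretValue"],
    write: ["secretsmanager:CreateSecret", "secretsmanager:PutSecretValue"],
  },
};

function scopedResources({ backend, prefix, namespace, region, accountId }) {
  // Reject wildcards and path separators so the scope cannot widen by accident.
  if (!/^[A-Za-z0-9_.-]+$/.test(namespace)) {
    throw new Error("namespace may only contain letters, digits, '_', '.', '-'");
  }
  if (!/^\/([A-Za-z0-9_.-]+\/)+$/.test(prefix)) {
    throw new Error("prefix must look like /lockzero/ (assumed form)");
  }
  const name = prefix + namespace; // e.g. /lockzero/openai
  if (backend === "ssm") {
    // A parameter named /a/b has the ARN suffix parameter/a/b (no double slash).
    const base = `arn:aws:ssm:${region}:${accountId}:parameter${name}`;
    return [base, `${base}/*`]; // the path itself plus every <fieldKey> under it
  }
  if (backend === "secretsmanager") {
    // Secrets Manager appends "-" and six random characters to the secret ARN.
    return [`arn:aws:secretsmanager:${region}:${accountId}:secret:${name}-??????`];
  }
  throw new Error(`unknown backend: ${backend}`);
}

// allowWrite=false suits jobs that only read from AWS (assumed: pull, diff, --dry-run).
function buildPolicy(opts, { allowWrite }) {
  const resources = scopedResources(opts);
  const actions = ACTIONS[opts.backend];
  return {
    Version: "2012-10-17",
    Statement: [{
      Effect: "Allow",
      Action: allowWrite ? [...actions.read, ...actions.write] : actions.read,
      Resource: resources,
    }],
  };
}
```

With the Secrets Manager backend the single JSON blob means read access to the secret exposes every field in the namespace, whereas SSM resources can be narrowed further to individual `<fieldKey>` paths. If the parameters or secrets use a customer managed KMS key, the role also needs permissions on that key.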
Options
| Flag | Default | Description |
|---|---|---|
| --namespace | required | LockZero namespace (e.g. openai, stripe) |
| --backend | ssm | ssm or secretsmanager |
| --prefix | /lockzero/ | Path prefix for AWS parameters/secrets |
| --lz-key | env | LockZero API key |
| --lz-base-url | https://api.lockzero.io | LockZero base URL |
| --region | env | AWS region |
| --dry-run | false | Preview changes without writing |
