npm package discovery and stats viewer.

Discover Tips

  • General search

    [free text search, go nuts!]

  • Package details

    pkg:[package-name]

  • User packages

    @[username]

Sponsor

Optimize Toolset

I’ve always been into building performant and accessible sites, but lately I’ve been taking it extremely seriously. So much so that I’ve been building a tool to help me optimize and monitor the sites that I build to make sure that I’m making an attempt to offer the best experience to those who visit them. If you’re into performant, accessible and SEO friendly sites, you might like it too! You can check it out at Optimize Toolset.

About

Hi, 👋, I’m Ryan Hefner  and I built this site for me, and you! The goal of this site was to provide an easy way for me to check the stats on my npm packages, both for prioritizing issues and updates, and to give me a little kick in the pants to keep up on stuff.

As I was building it, I realized that I was actually using the tool to build the tool, and figured I might as well put this out there and hopefully others will find it to be a fast and useful way to search and browse npm packages as I have.

If you’re interested in other things I’m working on, follow me on Twitter or check out the open source projects I’ve been publishing on GitHub.

I am also working on a Twitter bot for this site to tweet the most popular, newest, random packages from npm. Please follow that account now and it will start sending out packages soon–ish.

Open Software & Tools

This site wouldn’t be possible without the immense generosity and tireless efforts from the people who make contributions to the world and share their work via open source initiatives. Thank you 🙏

© 2025 – Pkg Stats / Ryan Hefner

aws-secret-storage

v1.1.0

Published

[![Checkout Finland Oy](https://extranet.checkout.fi/static/img/checkout-logo.png)](http://www.checkout.fi/)

Downloads

3,136

Vulnerabilities

Powered byPowered by Snyk
  • 0High
  • 0Medium
  • 0Low

Links

Git

Maintainers

minttuminttu

Keywords

Readme

Checkout Finland Oy

aws-secret-storage

Store secrets in an encrypted file in your repo.

The secret file is encrypted with aes-256-gcm with the encryption key from AWS KMS

secret.*.unencrypted.json files should never be committed.

cli

aws-secret-storage provides cli helpers for creating and managing secrets files.

All commands interact with KMS, so appropriate credentials to AWS is required. An easy way to do this is to provide the AWS_ACCESS_KEY_ID and AWS_SECRET_ACCESS_KEY environment parameters for a user that has access to the kms:Decrypt and kms:GenerateDataKey actions.

aws-secret-storage-init SECRET_NAME --key CMK_ID [--region AWS_REGION]

Creates new encrypted and unencrypted files for secrets storage.

secret.SECRET_NAME.unencrypted.json contains the unencrypted data as implied in its name.

  • SECRET_NAME is used to form the file name for the secret
  • --key must be an unique identifier for the customer master key. For example:
    • Unique key ID: 1234abcd-12ab-34cd-56ef-1234567890ab
    • Key ARN: arn:aws:kms:us-east-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab
    • Alias: alias/test-alias
  • --region must be provided if the environment variable AWS_DEFAULT_REGION isn't used. Valid values

aws-secret-storage-encrypt SECRET_NAME

Encrypts the secret.SECRET_NAME.unencrypted.json and saves the result as secret.SECRET_NAME.json. The unencrypted file is removed.

Every encryption operation fetches a new data encryption key from KMS.

aws-secret-storage-decrypt SECRET_NAME

Decrypts the secret.SECRET_NAME.json and saves the unencrypted data to secret.SECRET_NAME.unencrypted.json

api

aws-secret-storage provides an api for loading secrets.

aws-sdk should be configured with proper credentials before calling aws-secret-storages apis. (Or rely on aws-sdks automatic credentials from env)

class AutoSecretFileStorage

For loading secret.*.json or secret.*.unencrypted.json files. Prefers the encrypted files, but doesn't break in development environments without encrypted secrets.

constructor(secretName: string, basePath?: string)

  • secretName is the name of the secret created with the cli. For example staging
  • basePath points to the folder where the secrets are stored. If not specified the current working directory will be used.

getData(): Promise<UnencryptedSecret>

The promise is resolved with an object that looks like

{
    keyId: "somekey",
    region: "someregion",
    data: {
        "favColor": "red"
    }
}

Only the data key in the object is probably of interest. Throws an error if there isn't an encrypted or unencrypted secrets file with the secretName name.

Usage example

secret.my-project.json

Created with aws-secret-storage-encrypt my-project. Should be in current working directory.

index.js

import {AutoSecretFileStorage} from "aws-secret-storage";

const secretStorage = new AutoSecretFileStorage("my-project");
secretStorage.getData()
    .then((data) => {
        console.log("My favourite color is " + data["data"]["favColor"]);
    }, (err) => {
        console.error(err);
    });

node index.js

My favourite color is red

Integration tests

Running yarn integration-test with the following env variables

  • AWS_ACCESS_KEY_ID
  • AWS_SECRET_ACCESS_KEY
  • AWS_DEFAULT_REGION
  • AWS_CMK_ID

should test the cli commands.

Note that these must be valid for the integration tests to work.