Nutmeg Pumpkin Macchiato


    1.0.1 • Public • Published

    LS-BrandDev-Haven_logo-full-on_light npm version badge npm license badge github closed pull requests badge custom website link badge

    Haven is an open-source, centralized secrets manager. It protects your application secrets through a combination of encryption, access control, and injection-at-runtime. It’s easy to set up, and offers an intuitive GUI to set fine-grained access controls and to view logs. Haven allows small teams to securely manage all of their projects’ secrets---and to do so with a minimum of hassle so that they can get back to developing their applications without sacrificing security.

    This package allows you to use a CLI to interact with your Haven instance. If you would prefer a GUI, use the Haven UI package instead. Both of these use the Haven package under the hood to interact with the AWS architecture that makes up Haven.

    Usage as Admin

    To use, you must first have an AWS account set up, your default credentials setup in ~/.aws/credentials and your region setup in ~/.aws/config.

    Example ~/.aws/credentials:


    Example ~/.aws/config:


    After that, simply:

    1. Install the npm package globally (sudo npm -g install haven-secrets-cli)
    2. Run haven setup ${region} specifying what supported region you want your Haven instance to be setup.
    3. After setup, run any of the commands mentioned in the next section.
    4. To create a new user, run haven addUser ${userName} passing in the user's name. This will
    5. To teardown, simply run haven teardown.

    Usage as Developer

    you don't need an AWS account setup since all users of a Haven instance use the account used during the setup by Admin

    1. Install the npm package globally (sudo npm -g install haven-secrets-cli)
    2. Place the havenAccountInfo.json file into a ~/.haven directory.
    3. Run haven userSetup within an hour after the Admin created your acccount.


    Command Description
    haven setup

    This command creates a new Haven instance within the given region. When haven new is executed, Haven provisions the AWS resources it needs to run.

    haven teardown

    Executing this command will teardown the Haven instance:

    • All DynamoDb tables with their corresponding encrypted secrets.
    • Schedule master key deletion
    • Delete all users and logs.
    haven createProject

    This command will prompt you to name your project and will create three[Dev, Prod, Stg] corresponding dynamoDB tables to store your encrypted secrets.

    haven deleteProject

    Executing this command will prompt you to select the project you want deleted. This will then delete the three dynamoDB tables and their corresponding secrets.

    haven addUser

    Executing this command will prompt you to select a user name and generate the havenAccountInfo.json file that you will give to the new user. They will have to run haven userSetup on their computer with that file within an hour, otherwise the credentials will be invalidated and you will have to run haven addUser again.

    haven userSetup

    This is the command a new user will run after placing their havenAccountInfo.json file into their ~/.haven directory. If this command is run within an hour of credential creation, their temporary credentials will be replaced with their permanent credentials. This will grant them access to the projects/environments the Admin has granted them permission to.

    haven putSecret

    Executing this command will prompt for project name, environment, secret name and secret value. If the user has sufficient permissions and the project exists, Haven will put the encrypted secret value alongside the secret value into the corresponding dynamoDB table. If there is already a secret with the same name, a new version of the secret is instead placed into the table.

    haven getSecret

    Executing this command will prompt for project name, environment, and secret name. If the secret exists and the user has sufficient permission, the secret and its decrypted value will be returned.

    haven getAllSecrets

    Executing this command will prompt for project name and environment. If the user has sufficient permission, the latest version of all the secrets for that project and environment combination will be returned.

    haven addUserToGroups

    Executing this command will prompt for a user and the projects/environments you want them to have access to with either read or read-write permissions.

    haven listGroupsForUser

    Executing this command will prompt for a user and return all groups they belong to. A group represents an environment, project, and access permission combination.

    haven getAllHavenUsers

    Executing this command will return all Haven users for a Haven instance.

    haven revokeUser

    Executing this command will prompt for a user and revoke them from all projects/environments they have access to. Furthermore, it will flag all secrets they had access to so they can be updated.

    haven revokeUserFromGroups

    Executing this command will prompt for a user and what groups to revoke them from. The user will be removed from those groups and it will flag all secrets they had access to so those secrets can be updated.

    haven run

    This command is used to inject secrets into an application. The arguments expected are projectName,environment, and whatever start command you would normally use in your npm start script.

    For example, assuming your start script in your project's package.json was "npx nodemon todos.js" and you had put the corresponding secrets into a Haven project named todos under the environemnt prod, the new run command would be: "haven run todos prod npx nodemon todos.js".

    When this command runs, it will retrieve all the secrets for the environment and project combination, spawn your application as a child process and inject them into the child process's environment. If your application logs any of the secrets to stdErr or stdOut, Haven will redact them and then pass them along on stdErr or stdOut accordingly.

    haven fetchLogs

    Executing this command will return all the logs for the Haven instance. These logs contain information on who created and accessed which secret at which time. These are logged regardless of whether the attempt was successful or not.

    haven help

    Display help information about Haven commands.


    • Node.js 12.x or greater
    • npm packages (installed during npm install):
      • commander
      • haven-secrets-core
      • prompts


    npm i haven-secrets-cli

    DownloadsWeekly Downloads






    Unpacked Size

    27.1 kB

    Total Files


    Last publish


    • danmarino
    • arpodol
    • becco
    • adamisom