Haven is an open-source, centralized secrets manager. It protects your application secrets through a combination of encryption, access control, and injection-at-runtime. It’s easy to set up, and offers an intuitive GUI to set fine-grained access controls and to view logs. Haven allows small teams to securely manage all of their projects’ secrets---and to do so with a minimum of hassle so that they can get back to developing their applications without sacrificing security.
This package allows you to use a CLI to interact with your Haven instance. If you would prefer a GUI, use the Haven UI package instead. Both of these use the Haven package under the hood to interact with the AWS architecture that makes up Haven.
Usage as Admin
To use, you must first have an AWS account set up, your default credentials setup in ~/.aws/credentials and your region setup in ~/.aws/config.
Example ~/.aws/credentials:
[default]
aws_access_key_id=AKIAIOSFODNN7EXAMPLE
aws_secret_access_key=wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY
Example ~/.aws/config:
[default]
region=us-west-2
output=json
After that, simply:
- Install the npm package globally (
sudo npm -g install haven-secrets-cli) - Run
haven setup ${region}specifying what supported region you want your Haven instance to be setup. - After setup, run any of the commands mentioned in the next section.
- To create a new user, run
haven addUser ${userName}passing in the user's name. This will - To teardown, simply run
haven teardown.
Usage as Developer
you don't need an AWS account setup since all users of a Haven instance use the account used during the setup by Admin
- Install the npm package globally (
sudo npm -g install haven-secrets-cli) - Place the
havenAccountInfo.jsonfile into a~/.havendirectory. - Run
haven userSetupwithin an hour after the Admin created your acccount.
Commands
| Command | Description |
|---|---|
haven setup
|
This command creates a new Haven instance within the given region. When |
haven teardown
|
Executing this command will teardown the Haven instance:
|
haven createProject
|
This command will prompt you to name your project and will create three[Dev, Prod, Stg] corresponding dynamoDB tables to store your encrypted secrets. |
haven deleteProject
|
Executing this command will prompt you to select the project you want deleted. This will then delete the three dynamoDB tables and their corresponding secrets. |
haven addUser
|
Executing this command will prompt you to select a user name and generate the |
haven userSetup
|
This is the command a new user will run after placing their |
haven putSecret
|
Executing this command will prompt for project name, environment, secret name and secret value. If the user has sufficient permissions and the project exists, Haven will put the encrypted secret value alongside the secret value into the corresponding dynamoDB table. If there is already a secret with the same name, a new version of the secret is instead placed into the table. |
haven getSecret
|
Executing this command will prompt for project name, environment, and secret name. If the secret exists and the user has sufficient permission, the secret and its decrypted value will be returned. |
haven getAllSecrets
|
Executing this command will prompt for project name and environment. If the user has sufficient permission, the latest version of all the secrets for that project and environment combination will be returned. |
haven addUserToGroups
|
Executing this command will prompt for a user and the projects/environments you want them to have access to with either read or read-write permissions. |
haven listGroupsForUser
|
Executing this command will prompt for a user and return all groups they belong to. A group represents an environment, project, and access permission combination. |
haven getAllHavenUsers
|
Executing this command will return all Haven users for a Haven instance. |
haven revokeUser
|
Executing this command will prompt for a user and revoke them from all projects/environments they have access to. Furthermore, it will flag all secrets they had access to so they can be updated. |
haven revokeUserFromGroups
|
Executing this command will prompt for a user and what groups to revoke them from. The user will be removed from those groups and it will flag all secrets they had access to so those secrets can be updated. |
haven run
|
This command is used to inject secrets into an application. The arguments expected are
For example, assuming your When this command runs, it will retrieve all the secrets for the environment and project combination, spawn your application as a child process and inject them into the child process's environment. If your application logs any of the secrets to stdErr or stdOut, Haven will redact them and then pass them along on stdErr or stdOut accordingly. |
haven fetchLogs
|
Executing this command will return all the logs for the Haven instance. These logs contain information on who created and accessed which secret at which time. These are logged regardless of whether the attempt was successful or not. |
haven help
|
Display help information about Haven commands. |
Dependencies
- Node.js 12.x or greater
- npm packages (installed during
npm install):commanderhaven-secrets-coreprompts