
wavelets/strongbox

 
 


Strongbox is a CLI/GUI and SDK to manage, store, and retrieve secrets (access tokens, encryption keys, private certificates, etc.). Strongbox is a client-side convenience layer on top of AWS KMS, DynamoDB and IAM. It manages the AWS resources for you and configures them in a secure way.

Strongbox has been used in production since mid-2016 and is now used extensively within Schibsted.

Wiki

Please head over to the Wiki for more detailed documentation.

Getting Started

Prerequisites

Strongbox relies on AWS, so you need:

  • An AWS account
  • A configured ~/.aws/credentials file, set up either
    • Manually, or
    • By installing the AWS CLI and then running the command aws configure

Install

Strongbox can be installed in several ways

MFA and Proxy

Strongbox supports both using MFA and using a Proxy.

Manage

GUI

The GUI can be launched via the CLI using:

$ strongbox --region eu-west-1 gui

You can then perform the same steps to create a Secrets Group and a Secret as shown with the CLI below.

CLI

Create a Secrets Group (this will allocate the underlying AWS resources):

$ strongbox --region eu-west-1 group create team.project

Create a Secret (you will be prompted to enter the secret confidentially; it can also be piped in):

$ strongbox --region eu-west-1 secret create --group team.project --name MySecret --value-from-stdin

You can omit --region if you have specified a region in ~/.aws/credentials. If you specify --profile, Strongbox uses the region associated with that profile; otherwise it uses the region of the default profile.

Optional: Add a read-only IAM Principal (e.g. the role associated with the Instance Profile of your EC2 instances):

$ strongbox --region eu-west-1 group attach-readonly --group team.project --type role <some-iam-role>
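
Piping a secret in, as an added example (not part of the Strongbox project): a shell helper that feeds a file's contents to the secret create command above over stdin, so the value never appears on the command line, and that refuses files readable by group or others. The helper name store_secret_from_file and the STRONGBOX_REGION variable are assumptions.

```shell
#!/bin/sh
# Added example, not Strongbox project code.
# store_secret_from_file and STRONGBOX_REGION are hypothetical names.
# The strongbox invocation is the "secret create" command from the README.

# The body runs in a subshell, so variables stay local and "exit" only
# ends the helper, not the calling shell.
store_secret_from_file() (
    group=$1 name=$2 file=$3
    region=${STRONGBOX_REGION:-eu-west-1}

    if [ -z "$group" ] || [ -z "$name" ] || [ -z "$file" ]; then
        echo "usage: store_secret_from_file <group> <name> <file>" >&2
        exit 2
    fi
    # Only accept a regular, non-symlink, non-empty file.
    if [ -L "$file" ] || [ ! -f "$file" ] || [ ! -s "$file" ]; then
        echo "refusing: $file must be a regular, non-empty file" >&2
        exit 3
    fi
    # Octal mode via GNU stat, falling back to BSD/macOS stat.
    mode=$(stat -c '%a' "$file" 2>/dev/null || stat -f '%Lp' "$file") || exit 4
    case $mode in
        *00) ;;  # no group/other permission bits, e.g. 600 or 400
        *)  echo "refusing: $file has mode $mode; run chmod 600 first" >&2
            exit 5 ;;
    esac
    # The value travels over stdin only: not in argv, shell history or ps output.
    strongbox --region "$region" secret create \
        --group "$group" --name "$name" --value-from-stdin < "$file"
)
```

The file is passed byte for byte, so remove any unwanted trailing newline from it before calling the helper.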

Fetch Secret

CLI

$ strongbox --region eu-west-1 secret get --group team.project --name MySecret

For more examples please see the Wiki.

Java SDK

The following is from the example repo. Add the Gradle dependency (make sure you have added the jcenter repository):

compile 'com.schibsted.security:strongbox-sdk:0.2.4'

Then retrieve the Secret using:

SimpleSecretsGroup secretsGroup = new DefaultSimpleSecretsGroup(new SecretsGroupIdentifier(Region.EU_WEST_1, "team.project"));
Optional<String> secret = secretsGroup.getStringSecret("MySecret");

Archaius (Experimental)

Please see the example repo.

Spring Boot Starter

See spring-boot-starter/README

Development status

Strongbox is in active development, and will soon allow external contributions.

LICENSE

Copyright (c) 2016 Schibsted Products & Technology AS

Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with the License. You may obtain a copy of the License at

http://www.apache.org/licenses/LICENSE-2.0

Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the specific language governing permissions and limitations under the License.
