Saichovsky

kms_ops.sh

May 4th, 2021 (edited)
  1. #!/bin/bash
  2. # `./kms_ops.sh encode` for encoding secrets for storage in SSM/Secrets Manager. You need to specify the key
  3. # `./kms_ops.sh decode` for decoding stored and encrypted secrets. You don't need to specify the key
  4. # Feel free to flesh this out as you please.
  5. op=$1
  6. secret=$2
  7. kmskey=$3
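#######################################
# Encrypt $secret under the KMS key named by $kmskey.
# Globals:   kmskey (read), secret (read)
# Outputs:   the CiphertextBlob field of the response, as text, on stdout;
#            diagnostics on stderr
# Returns:   1 if the key or the secret is empty, otherwise the status of
#            the aws call
#######################################
enc() {
  local key=$kmskey

  # Fail early with a readable message instead of letting aws choke on a
  # missing option value.
  if [[ -z "$key" ]]; then
    echo "encode: a KMS key id is required" >&2
    return 1
  fi
  if [[ -z "$secret" ]]; then
    echo "encode: no secret given" >&2
    return 1
  fi

  # Both values are quoted: unquoted, a secret or key id containing spaces
  # or glob characters is split/expanded by the shell, so aws would receive
  # a truncated plaintext plus stray arguments.
  #
  # NOTE(review): the plaintext is still passed in the argument list of the
  # aws process, so it is visible in the process list for the duration of the
  # call. dec() already hands its blob over via fileb:// and a process
  # substitution; doing the same here would keep the secret out of argv.
  # NOTE(review): AWS CLI v2 reads blob parameters such as --plaintext as
  # base64 unless cli_binary_format is set to raw-in-base64-out - confirm
  # which CLI version/configuration this script is meant to run against.
  aws kms encrypt \
    --key-id "$key" \
    --plaintext "$secret" \
    --query CiphertextBlob \
    --output text
}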
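#######################################
# Decrypt the base64 ciphertext blob held in $secret and print the plaintext.
# Globals:   secret (read)
# Outputs:   the decrypted plaintext followed by a newline on stdout;
#            diagnostics on stderr
# Returns:   1 if no ciphertext was given; non-zero if the aws call or the
#            final base64 decode fails
#######################################
dec() {
  local plaintext_b64 plaintext

  if [[ -z "$secret" ]]; then
    echo "decode: no ciphertext given" >&2
    return 1
  fi

  # The blob is base64-decoded and handed to aws through a process
  # substitution, so the raw ciphertext is read from a file descriptor
  # (fileb://) rather than passed as an argument value.
  # Capturing the result separately lets an aws failure propagate instead of
  # being masked by later pipeline stages.
  plaintext_b64=$(
    aws kms decrypt \
      --ciphertext-blob \
      fileb://<(printf '%s' "$secret" | base64 -d) \
      --output text \
      --query Plaintext
  ) || return

  # The Plaintext field is base64-decoded here. The previous trailing
  # `| xargs` is gone on purpose: xargs re-parses its input (quotes,
  # backslashes, runs of whitespace), which corrupts or rejects secrets
  # containing those characters, and it re-emits the value through an
  # external echo, putting the decrypted secret into a process argument list.
  # Command substitution drops trailing newlines (and NUL bytes), so exactly
  # one newline is appended below.
  plaintext=$(printf '%s' "$plaintext_b64" | base64 -d) || return
  printf '%s\n' "$plaintext"
}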
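#######################################
# Print the help text.
# Globals:   none ($0 is read for the script name)
# Outputs:   usage text on stdout
#######################################
usage() {
  local prog
  # "$0" is quoted and preceded by -- so a script path containing spaces or
  # starting with a dash is not split or taken as an option by basename.
  prog=$(basename -- "$0")

  cat <<EOF

aws kms encrypt/decrypt wrapper to quicken things up.

Usage: $0 encode|decode secret [key]
Requires aws cli access
Examples:
    $prog encode <plaintext secret> key
      Encodes a secret into a Cipher storable as a secret
    $prog decode <ciphertext blob>
      Pretty obvious, huh?

EOF
}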
# Dispatch on the requested operation; anything unrecognised (including no
# argument at all) falls through to the usage text.
if [[ "$op" == "encode" ]]; then
  enc
elif [[ "$op" == "decode" ]]; then
  dec
else
  usage
fi