Copyright	(c) 2015-2016 Brendan Hay
License	Mozilla Public License, v. 2.0.
Maintainer	Brendan Hay <brendan.g.hay@gmail.com>
Stability	provisional
Portability	non-portable (GHC extensions)
Safe Haskell	None
Language	Haskell2010

Credentials

Contents

Usage
Operations
KMS
DynamoDB
Errors
Types

Description

This module provides a common interface for operating on your shared credentials.

Synopsis

Usage

To use the library, make sure you have met the following prerequisites:

You have a master key in KMS. You can create this under Identity and Access Management > Encryption Keys, in the AWS developer console.
Your AWS access credentials are available where amazonka can find them. This will be automatic if you are running on an EC2 host, otherwise the ~/.aws/credentials file, as AWS_ACCESS_KEY_ID and AWS_SECRET_ACCESS_KEY environment variables need to be configured.

Since all of the credentials operations are constrained by a MonadAWS context, running them is identical to that of amazonka, which you will also need to add to your build-depends section of your project's cabal file.

{-# LANGUAGE OverloadedStrings #-}

import Credentials
import Control.Lens
import Data.ByteString (ByteString)
import Network.AWS
import System.IO

example :: IO (ByteString, Revision)
example = do
    -- A new 'Logger' to replace the default noop logger is created,
    -- which will print AWS debug information and errors to stdout.
    lgr <- newLogger Debug stdout

    -- A new amazonka 'Env' is created, which auto-discovers the
    -- underlying host credentials.
    env <- newEnv Frankfurt Discover

    let table = "dynamo-table-name"
        key   = "kms-key-alias"
        name  = "credential-name"

    -- We now run the 'AWS' computation with the overriden logger,
    -- performing the sequence of credentials operations.
    runResourceT . runAWS (env & envLogger .~ lgr) $ do
        -- Firstly, we create the DynamoDB table.
        -- This is an idempotent operation but since it makes remote API calls,
        -- it's recommended you only run this once via the CLI.
        Credentials.setup table

        -- Then we insert a credential\'s value, for a given name.
        -- Encryption is handled transparently and the resulting revision
        -- is returned.
        _ <- Credentials.insert key mempty name "a-super-secret-value" table

        -- Selecting the credential by name, and specifying 'Nothing' for the
        -- revision results in the latest credential revision being returned.
        Credentials.select mempty name Nothing table

Operations

insert Source #

Arguments

:: (MonadMask m, MonadAWS m, Typeable m)
=> KeyId	The KMS master key ARN or alias.
-> Context	The KMS encryption context.
-> Name	The credential name.
-> ByteString	The unencrypted plaintext.
-> DynamoTable	The DynamoDB table.
-> m Revision

Encrypt and insert a new credential revision with the specified name.

The newly inserted revision is returned.

select Source #

Arguments

:: MonadAWS m
=> Context	The KMS encryption context that was used during insertion.
-> Name	The credential name.
-> Maybe Revision	A revision. If `Nothing`, the latest will be selected.
-> DynamoTable	The DynamoDB table.
-> m (ByteString, Revision)

Select an existing credential, optionally specifying the revision.

The decrypted plaintext and selected revision are returned.

delete Source #

Arguments

:: MonadAWS m
=> Name	The credential name.
-> Revision	The revision to delete.
-> DynamoTable	The DynamoDB table.
-> m ()

Delete the specific credential revision.

truncate Source #

Arguments

:: MonadAWS m
=> Name	The credential name.
-> DynamoTable	The DynamoDB table.
-> m ()

Truncate all of a credential's revisions, so that only the latest revision remains.

revisions Source #

Arguments

:: MonadAWS m
=> DynamoTable	The DynamoDB table.
-> Source m (Name, NonEmpty Revision)

Scan the entire credential database, grouping pages of results into unique credential names and their corresponding revisions.

setup Source #

Arguments

:: MonadAWS m
=> DynamoTable	The DynamoDB table.
-> m Setup

Create the credentials database table.

The returned idempotency flag can be used to notify configuration management tools such as ansible whether about system state.

teardown :: MonadAWS m => DynamoTable -> m () Source #

Delete the credentials database table and all data.

Note: Unless you have DynamoDB backups running, this is a completely irrevocable action.

KMS

newtype KeyId Source #

The KMS master key identifier.

Constructors

KeyId Text

Instances

Eq KeyId Source #
Methods (==) :: KeyId -> KeyId -> Bool # (/=) :: KeyId -> KeyId -> Bool #
Ord KeyId Source #
Methods compare :: KeyId -> KeyId -> Ordering # (<) :: KeyId -> KeyId -> Bool # (<=) :: KeyId -> KeyId -> Bool # (>) :: KeyId -> KeyId -> Bool # (>=) :: KeyId -> KeyId -> Bool # max :: KeyId -> KeyId -> KeyId # min :: KeyId -> KeyId -> KeyId #
Show KeyId Source #
Methods showsPrec :: Int -> KeyId -> ShowS # show :: KeyId -> String # showList :: [KeyId] -> ShowS #
ToText KeyId Source #
Methods toText :: KeyId -> Text #
FromText KeyId Source #
Methods parser :: Parser KeyId #
ToByteString KeyId Source #
Methods toBS :: KeyId -> ByteString #
ToLog KeyId Source #
Methods build :: KeyId -> Builder #

defaultKeyId :: KeyId Source #

The default KMS master key alias.

Value: alias/credentials

DynamoDB

newtype DynamoTable Source #

A DynamoDB table reference.

Constructors

DynamoTable
Fields tableName :: Text

Instances

Eq DynamoTable Source #
Methods (==) :: DynamoTable -> DynamoTable -> Bool # (/=) :: DynamoTable -> DynamoTable -> Bool #
Ord DynamoTable Source #
Methods compare :: DynamoTable -> DynamoTable -> Ordering # (<) :: DynamoTable -> DynamoTable -> Bool # (<=) :: DynamoTable -> DynamoTable -> Bool # (>) :: DynamoTable -> DynamoTable -> Bool # (>=) :: DynamoTable -> DynamoTable -> Bool # max :: DynamoTable -> DynamoTable -> DynamoTable # min :: DynamoTable -> DynamoTable -> DynamoTable #
Show DynamoTable Source #
Methods showsPrec :: Int -> DynamoTable -> ShowS # show :: DynamoTable -> String # showList :: [DynamoTable] -> ShowS #
ToText DynamoTable Source #
Methods toText :: DynamoTable -> Text #
FromText DynamoTable Source #
Methods parser :: Parser DynamoTable #
ToByteString DynamoTable Source #
Methods toBS :: DynamoTable -> ByteString #
ToLog DynamoTable Source #
Methods build :: DynamoTable -> Builder #

defaultTable :: DynamoTable Source #

The default DynamoDB table used to store credentials.

Value: credentials

Errors

data CredentialError Source #

Constructors

MasterKeyMissing KeyId (Maybe Text)	The specified master key id doesn't exist.
IntegrityFailure Name ByteString ByteString	The computed HMAC doesn't matched the stored HMAC.
EncryptFailure Context Name Text	Failure occured during local encryption.
DecryptFailure Context Name Text	Failure occured during local decryption.
StorageMissing Text	Storage doesn't exist, or has gone on holiday.
StorageFailure Text	Some storage pre-condition wasn't met. For example: DynamoDB column size exceeded.
FieldMissing Text [Text]	Missing field from the storage engine.
FieldInvalid Text String	Unable to parse field from the storage engine.
SecretMissing Name (Maybe Revision) Text	Secret with the specified name cannot found.
OptimisticLockFailure Name Revision Text	Attempting to insert a revision that already exists.

Instances

Eq CredentialError Source #
Methods (==) :: CredentialError -> CredentialError -> Bool # (/=) :: CredentialError -> CredentialError -> Bool #
Show CredentialError Source #
Methods showsPrec :: Int -> CredentialError -> ShowS # show :: CredentialError -> String # showList :: [CredentialError] -> ShowS #
Exception CredentialError Source #
Methods toException :: CredentialError -> SomeException # fromException :: SomeException -> Maybe CredentialError # displayException :: CredentialError -> String #
AsCredentialError CredentialError Source #
Methods _CredentialError :: Prism' CredentialError CredentialError Source # _MasterKeyMissing :: Prism' CredentialError (KeyId, Maybe Text) Source # _IntegrityFailure :: Prism' CredentialError (Name, ByteString, ByteString) Source # _EncryptFailure :: Prism' CredentialError (Context, Name, Text) Source # _DecryptFailure :: Prism' CredentialError (Context, Name, Text) Source # _StorageMissing :: Prism' CredentialError Text Source # _StorageFailure :: Prism' CredentialError Text Source # _FieldMissing :: Prism' CredentialError (Text, [Text]) Source # _FieldInvalid :: Prism' CredentialError (Text, String) Source # _SecretMissing :: Prism' CredentialError (Name, Maybe Revision, Text) Source # _OptimisticLockFailure :: Prism' CredentialError (Name, Revision, Text) Source #

class AsCredentialError a where Source #

Methods

_CredentialError :: Prism' a CredentialError Source #

_MasterKeyMissing :: Prism' a (KeyId, Maybe Text) Source #

_IntegrityFailure :: Prism' a (Name, ByteString, ByteString) Source #

_EncryptFailure :: Prism' a (Context, Name, Text) Source #

_DecryptFailure :: Prism' a (Context, Name, Text) Source #

_StorageMissing :: Prism' a Text Source #

_StorageFailure :: Prism' a Text Source #

_FieldMissing :: Prism' a (Text, [Text]) Source #

_FieldInvalid :: Prism' a (Text, String) Source #

_SecretMissing :: Prism' a (Name, Maybe Revision, Text) Source #

_OptimisticLockFailure :: Prism' a (Name, Revision, Text) Source #

Instances

AsCredentialError SomeException Source #
Methods _CredentialError :: Prism' SomeException CredentialError Source # _MasterKeyMissing :: Prism' SomeException (KeyId, Maybe Text) Source # _IntegrityFailure :: Prism' SomeException (Name, ByteString, ByteString) Source # _EncryptFailure :: Prism' SomeException (Context, Name, Text) Source # _DecryptFailure :: Prism' SomeException (Context, Name, Text) Source # _StorageMissing :: Prism' SomeException Text Source # _StorageFailure :: Prism' SomeException Text Source # _FieldMissing :: Prism' SomeException (Text, [Text]) Source # _FieldInvalid :: Prism' SomeException (Text, String) Source # _SecretMissing :: Prism' SomeException (Name, Maybe Revision, Text) Source # _OptimisticLockFailure :: Prism' SomeException (Name, Revision, Text) Source #
AsCredentialError CredentialError Source #
Methods _CredentialError :: Prism' CredentialError CredentialError Source # _MasterKeyMissing :: Prism' CredentialError (KeyId, Maybe Text) Source # _IntegrityFailure :: Prism' CredentialError (Name, ByteString, ByteString) Source # _EncryptFailure :: Prism' CredentialError (Context, Name, Text) Source # _DecryptFailure :: Prism' CredentialError (Context, Name, Text) Source # _StorageMissing :: Prism' CredentialError Text Source # _StorageFailure :: Prism' CredentialError Text Source # _FieldMissing :: Prism' CredentialError (Text, [Text]) Source # _FieldInvalid :: Prism' CredentialError (Text, String) Source # _SecretMissing :: Prism' CredentialError (Name, Maybe Revision, Text) Source # _OptimisticLockFailure :: Prism' CredentialError (Name, Revision, Text) Source #

Types

newtype Name Source #

A shared/readable name for a secret.

Constructors

Name Text

Instances

Eq Name Source #
Methods (==) :: Name -> Name -> Bool # (/=) :: Name -> Name -> Bool #
Ord Name Source #
Methods compare :: Name -> Name -> Ordering # (<) :: Name -> Name -> Bool # (<=) :: Name -> Name -> Bool # (>) :: Name -> Name -> Bool # (>=) :: Name -> Name -> Bool # max :: Name -> Name -> Name # min :: Name -> Name -> Name #
Show Name Source #
Methods showsPrec :: Int -> Name -> ShowS # show :: Name -> String # showList :: [Name] -> ShowS #
ToText Name Source #
Methods toText :: Name -> Text #
FromText Name Source #
Methods parser :: Parser Name #
ToByteString Name Source #
Methods toBS :: Name -> ByteString #
ToLog Name Source #
Methods build :: Name -> Builder #
Attribute Name Source #
Methods toAttr :: Name -> AttributeValue Source # parseAttr :: AttributeValue -> Maybe Name Source #
Item Name Source #
Methods toItem :: Name -> HashMap Text AttributeValue Source # parseItem :: HashMap Text AttributeValue -> Either CredentialError Name Source #

newtype Revision Source #

An opaque, non-monotonic revision number.

Constructors

Revision ByteString

Instances

Eq Revision Source #
Methods (==) :: Revision -> Revision -> Bool # (/=) :: Revision -> Revision -> Bool #
Ord Revision Source #
Methods compare :: Revision -> Revision -> Ordering # (<) :: Revision -> Revision -> Bool # (<=) :: Revision -> Revision -> Bool # (>) :: Revision -> Revision -> Bool # (>=) :: Revision -> Revision -> Bool # max :: Revision -> Revision -> Revision # min :: Revision -> Revision -> Revision #
Show Revision Source #
Methods showsPrec :: Int -> Revision -> ShowS # show :: Revision -> String # showList :: [Revision] -> ShowS #
ToText Revision Source #
Methods toText :: Revision -> Text #
FromText Revision Source #
Methods parser :: Parser Revision #
ToByteString Revision Source #
Methods toBS :: Revision -> ByteString #
ToLog Revision Source #
Methods build :: Revision -> Builder #
Attribute Revision Source #
Methods toAttr :: Revision -> AttributeValue Source # parseAttr :: AttributeValue -> Maybe Revision Source #
Item Revision Source #
Methods toItem :: Revision -> HashMap Text AttributeValue Source # parseItem :: HashMap Text AttributeValue -> Either CredentialError Revision Source #

newtype Context Source #

A KMS encryption context.

See: KMS Encryption Context documentation for more information.

Constructors

Context
Fields fromContext :: HashMap Text Text

Instances

Eq Context Source #
Methods (==) :: Context -> Context -> Bool # (/=) :: Context -> Context -> Bool #
Show Context Source #
Methods showsPrec :: Int -> Context -> ShowS # show :: Context -> String # showList :: [Context] -> ShowS #
Monoid Context Source #
Methods mempty :: Context # mappend :: Context -> Context -> Context # mconcat :: [Context] -> Context #

data Setup Source #

Denotes idempotency of an action. That is, whether an action resulted in any setup being performed.

Constructors

Created
Exists

Instances

Eq Setup Source #
Methods (==) :: Setup -> Setup -> Bool # (/=) :: Setup -> Setup -> Bool #
Show Setup Source #
Methods showsPrec :: Int -> Setup -> ShowS # show :: Setup -> String # showList :: [Setup] -> ShowS #
ToText Setup Source #
Methods toText :: Setup -> Text #
ToLog Setup Source #
Methods build :: Setup -> Builder #