Stealth is a go interface to write/read from secret stores.

The current storage implementation uses AWS System Manger Parameter Store. Previously, it used our fork of unicreds, which is a go port of credstash, which uses AWS DynamoDB and KMS.

Stealth can be run standalone for certain administrative tasks. First you'll need to compile the binary:

    make build

To find all secrets that have the same value as an existing secret (for instance, to revoke a leaked secret):

    ./stealth dupes --environment [production OR development] --service [service-name] --key [key name]

You can replace all these values using this command:

    ./stealth dupes --environment [production OR development] --service [service-name] --key [key name] --update-with [value to replace with]

To delete a secret:

    ./stealth delete --environment [production OR development] --service [service-name] --key [key name]

To write a secret:

    ./stealth write --environment [production OR development] -- service [service-name] --key [key name] --value [key value]

To identify discrepancies in secret values across 4 U.S. regions of AWS.

    ./stealth health --environment=ENVIRONMENT --service=SERVICE

To run tests, use:

    make test

This creates, updates, and reads secrets from the ci-test environment secret store, using the AWS credentials in your local environment.

If you are using Terraform, you can use the module tf-credstash to set up the necessary DynamoDB and KMS key for stealth. For example, to create a dev backend, you can use this terraform code:

provider "aws" {}

module "stealth-dev" {
  source = "github.com/dfuentes/tf-credstash"
  key_alias = "alias/stealth-key-dev"
  table_name = "stealth-dev"
}

Apache 2.0

Stealth is co-owned by #eng-infra and #eng-security. For more info, see http://go/stealth