Merge pull request #128 from mhahn/file-prefix-kms

Support storing the kms encrypted value in a file
cloudtools · Jan 7, 2016 · 0bd4183 · 0bd4183
2 parents 9ecdf44 + 066d028
commit 0bd4183
Show file tree

Hide file tree

Showing 3 changed files with 56 additions and 1 deletion.
diff --git a/README.rst b/README.rst
@@ -147,6 +147,14 @@ encrypt the value using ``kms``. For example::
 This requires that the person using stacker has access to the master key used
 to encrypt the value.
 
+It is also possible to store the encrypted blob in a file (useful if the
+value is large) using the `file://` prefix, ie::
+
+  DockerConfig: !kms file://dockercfg
+
+NOTE: Translators resolve the path specified with `file://` relative to
+the location of the config file, not where the stacker command is run.
+
 Docker
 ======
 

diff --git a/stacker/config/translators/base.py b/stacker/config/translators/base.py
@@ -0,0 +1,31 @@
+import os
+
+
+def get_config_directory():
+    """Return the directory the config file is located in.
+
+    This enables us to use relative paths in config values.
+
+    """
+    # avoid circular import
+    from ...commands.stacker import Stacker
+    command = Stacker()
+    namespace = command.parse_args()
+    return os.path.dirname(namespace.config.name)
+
+
+def read_value_from_path(value):
+    """Enables translators to read values from files.
+
+    The value can be referred to with the `file://` prefix. ie:
+
+        conf_key: !kms file://kms_value.txt
+
+    """
+    if value.startswith('file://'):
+        path = value.split('file://', 1)[1]
+        config_directory = get_config_directory()
+        relative_path = os.path.join(config_directory, path)
+        with open(relative_path) as read_file:
+            value = read_file.read()
+    return value
diff --git a/stacker/config/translators/kms.py b/stacker/config/translators/kms.py
@@ -1,6 +1,9 @@
 import base64
+
 import botocore.session
 
+from .base import read_value_from_path
+
 
 def kms_simple_decrypt(value):
     """Decrypt the specified value with a master key in KMS.
@@ -23,9 +26,22 @@ def kms_simple_decrypt(value):
         # In stacker we would reference the encrypted value like:
         conf_key: !kms us-east-1@CiD6bC8t2Y<...encrypted blob...>
 
-        # The above would resolve to
+        You can optionally store the encrypted value in a file, ie:
+
+        kms_value.txt
+        us-east-1@CiD6bC8t2Y<...encrypted blob...>
+
+        and reference it within stacker (NOTE: the path should be relative to
+        the stacker config file):
+
+        conf_key: !kms file://kms_value.txt
+
+        # Both of the above would resolve to
         conf_key: PASSWORD
+
     """
+    value = read_value_from_path(value)
+
     region = 'us-east-1'
     if '@' in value:
         region, value = value.split('@', 1)