Parameter store -> Secrets Manager relay credentials migration
#!/usr/bin/env python
"""
This script migrates gs-event-relay AWS IAM user credentials from the AWS Systems Manager
parameter store to the Secrets Manager store, and tests that the credentials are valid.
It should be placed in $DSS_HOME/scripts before execution.
- Brian Hannafious, 29-May, 2018
"""
import os
import json
import boto3
import subprocess
def get_parameter_value(name):
    """Return the decrypted value of one parameter under ``/dss/parameters/``.

    Args:
        name: Leaf name of the parameter; the ``/dss/parameters/`` prefix is
            prepended here so callers pass only the short key.

    Returns:
        The parameter's string value, decrypted by SSM (``WithDecryption=True``).
    """
    ssm = boto3.client("ssm")
    response = ssm.get_parameter(
        Name=f"/dss/parameters/{name}",
        WithDecryption=True,
    )
    return response["Parameter"]["Value"]
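def set_secret_value(name, info):
    """Store *info* (as JSON) in the Secrets Manager secret called *name*.

    Delegates to the sibling ``set_secret.py`` script. The secret body is
    passed on stdin via ``input=`` so only the secret *name* appears in the
    argument list.

    Args:
        name: Secret name handed to ``set_secret.py --secret-name``.
        info: JSON-serialisable object to store as the secret value.

    Raises:
        subprocess.CalledProcessError: if ``set_secret.py`` exits non-zero.
            ``check=True`` is deliberate: without it a failed write would be
            ignored and the migration would continue as if the secret were set.
    """
    helper = os.path.join(os.path.dirname(__file__), "set_secret.py")
    subprocess.run(
        [helper, "--secret-name", str(name)],
        input=json.dumps(info).encode("utf-8"),
        check=True,
    )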
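# --- Migration -------------------------------------------------------------
# Copy the relay user's IAM access key pair out of the SSM parameter store and
# write it to Secrets Manager under the deployment's configured secret name.
aws_access_key_id = get_parameter_value("event_relay_aws_access_key_id")
aws_secret_access_key = get_parameter_value("event_relay_aws_secret_access_key")
set_secret_value(
    os.environ['EVENT_RELAY_AWS_ACCESS_KEY_SECRETS_NAME'],
    {
        'AccessKey': {
            'AccessKeyId': aws_access_key_id,
            'SecretAccessKey': aws_secret_access_key,
        }
    },
)

# --- Verification ----------------------------------------------------------
# Read the secret back through the full <store>/<stage>/<name> id rather than
# trusting the local copy, so the test exercises the path consumers will use.
secret_id = "{}/{}/{}".format(
    os.environ['DSS_SECRETS_STORE'],
    os.environ['DSS_DEPLOYMENT_STAGE'],
    os.environ['EVENT_RELAY_AWS_ACCESS_KEY_SECRETS_NAME'],
)
access_key_json = boto3.client("secretsmanager").get_secret_value(
    SecretId=secret_id,
)['SecretString']
access_key_info = json.loads(access_key_json)
access_key_id = access_key_info['AccessKey']['AccessKeyId']
secret_access_key = access_key_info['AccessKey']['SecretAccessKey']

# Prove the recovered keys are live by publishing to a throw-away topic.  The
# topic is created with the script's own credentials and removed in ``finally``
# so a failed publish (i.e. bad or unauthorised keys) does not leave it behind.
# NOTE(review): create_topic returns the ARN of an existing topic with the same
# name, in which case the delete below would remove that pre-existing topic --
# confirm the name is unused in the target account before running.
sns_client = boto3.client("sns")
topic_arn = sns_client.create_topic(Name="secrets-migration-test-topic")['TopicArn']
try:
    resp = boto3.client(
        "sns",
        aws_access_key_id=access_key_id,
        aws_secret_access_key=secret_access_key,
    ).publish(
        TopicArn=topic_arn,
        Message="nothing interesting",
    )
    # publish() raises on an auth/permission failure; surfacing the MessageId
    # makes a successful check visible in the run log.
    print("Credential check passed, MessageId:", resp['MessageId'])
finally:
    sns_client.delete_topic(TopicArn=topic_arn)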
kislyuk commented May 31, 2018

LGTM

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment