Flask application for sharing secrets using AWS Secrets Manager
You cannot select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
lza_menace 90ac9b3833 bump version, update dependencies (replace flask_restplus) 3 years ago
bin init 5 years ago
secretshare bump version, update dependencies (replace flask_restplus) 3 years ago
.gitignore init 5 years ago
LICENSE.txt init 5 years ago
Makefile add makefile to automate some commands 3 years ago
README.md removing todo item from readme 5 years ago
setup.py bump version, update dependencies (replace flask_restplus) 3 years ago
zappa_settings.example.json add cors to example conf 5 years ago




This project uses the Flask web framework in conjunction with Flask-RESTPlus and Boto3 to offer a very simple REST API for creating secrets on AWS Secrets Manager.

It's intended to be used as a way to share secrets over various means of communication (email, chat, text, etc). The use case is similar to several other open source projects:

However, this application fully supports serverless AWS architecture - API Gateway and Lambda - using Zappa.



In order for this application to work, you will need an active AWS account, AWSCLI installed to your local machine, and an administrative IAM key pair configured in any AWSCLI profile.


This is a Python project and requires version >=3.6.0. There are many ways to setup a development environment in Python, the most common one probably looks like this:

$ python3 -m venv .venv
$ source .venv/bin/activate
$ pip install .


I've provided an example config, which is almost good to go, but you'll need to specify an S3 bucket for Zappa to upload files to (it generates this for you). Keep in mind, S3 bucket names are global - there cannot be more than one bucket of the same name for the world. Make it really random. Also, check the other settings to ensure they are what you want, primarily aws_region and profile_name.

Copy the example Zappa config to zappa_settings.json and edit the above values.

$ cp zappa_settings.{example.json,json}
$ vim zappa_settings.json


Last thing, the application has a simple configuration file which sets some defaults like the app name and default expiration time.

Copy the example config file to config.py and make any modifications if you'd like to change them.

$ cp secretshare/config.{example.py,py}
$ vim secretshare/config.py

Running Locally

If you'd like to develop and play around first, you can run a local web server to interact with the application without deploying it to AWS. To do so, drop into your virtual environment and run the Flask web server:

$ source .venv/bin/activate
$ export FLASK_APP=secretshare/app.py
$ export FLASK_SECRETS=config.py
$ export FLASK_DEBUG=1
$ flask run

With debug mode enabled you will be able to modify files and have Flask automatically reload the changes. Assuming everything is setup properly, you should be able to interact with the API. I like curl:

# POST a new secret
$ curl \
    -X POST \
    -H "Content-Type: application/json" \
    -d "{\"username\": \"lance\",  \"password\": \"TopS3cr3t1\"}"

  "token": "tpXv-Pk3W1lZJzY5v-6oEU8029IublWHjSs3BzbETW4"

# GET an existing secret
$ curl

  "username": "lance",
  "password": "TopS3cr3t1",
  "expiration": "2019-02-26T09:46:49.790153+00:00"

By nature of using Flask-RESTPlus there is some Swagger documentation that is automatically generated. You can view it in your browser:

Deploying to AWS

As long as you're setup properly you can deploy to AWS using Zappa.

$ zappa deploy

When the deployment is finished you will be provided a new AWS API Gateway endpoint; something like https://2rdpleh3tf.execute-api.us-west-2.amazonaws.com/dev. You can validate the endpoint by running the same curl commands as above but replacing the endpoint with your API Gateway.

Part of the Zappa configuration includes a recurring event; every 12 hours a Lambda function is scanning all secrets and purging expired secrets. If no expiration was set during secret creation then the application defaults to 1 hour expiration; this can be changed in secretshare/config.py. The tag set on the secret is the basis for this expiration check.

If you'd like to cleanup the secrets manually, you can invoke the Lambda function manually with Zappa:

$ zappa invoke secretshare.cleanup.purge_expired_secrets

What Now?

Most people don't necessarily care about the backend API - this is only one half of the battle as we need something to present the information. This API can be used in conjunction with any static website with simple Javascript for posting, retrieving, and rendering the data.

Here's an example one: secretshare-static