| #!/bin/sh |
| |
| # This uses the AWS Secrets Manager using the AWS CLI and OpenSSL. |
| # This stores the AWS secret Id in $DIR. |
| # Do not create any file with extension "wkey" in $DIR; these are |
| # reserved for wrapped data key files. |
| |
| [ "$#" -ne 1 ] && echo "cluster_key_command usage: $0 \"%d\"" 1>&2 && exit 1 |
| # No need for %R or -R since we are not prompting |
| |
| DIR="$1" |
| [ ! -e "$DIR" ] && echo "$DIR does not exist" 1>&2 && exit 1 |
| [ ! -d "$DIR" ] && echo "$DIR is not a directory" 1>&2 && exit 1 |
| |
| # File containing the id of the AWS secret |
| AWS_ID_FILE="$DIR/aws-secret.id" |
| |
| |
| # ---------------------------------------------------------------------- |
| |
| |
| # Create an AWS Secrets Manager secret? |
| if [ ! -e "$AWS_ID_FILE" ] |
| then # The 'postgres' operating system user must have permission to |
| # access the AWS CLI |
| |
| # The epoch-time/directory/hostname combination is unique |
| HASH=$(echo -n "$(date '+%s')$DIR$(hostname)" | sha1sum | cut -d' ' -f1) |
| AWS_SECRET_ID="Postgres-cluster-key-$HASH" |
| |
| # Use stdin to avoid passing the secret on the command line |
| openssl rand -hex 32 | |
| aws secretsmanager create-secret \ |
| --name "$AWS_SECRET_ID" \ |
| --description "Postgres cluster file encryption on $(hostname)" \ |
| --secret-string 'file:///dev/stdin' \ |
| --output text > /dev/null |
| if [ "$?" -ne 0 ] |
| then echo 'cluster key generation failed' 1>&2 |
| exit 1 |
| fi |
| |
| echo "$AWS_SECRET_ID" > "$AWS_ID_FILE" |
| fi |
| |
| if ! aws secretsmanager get-secret-value \ |
| --secret-id "$(cat "$AWS_ID_FILE")" \ |
| --output text |
| then echo 'cluster key retrieval failed' 1>&2 |
| exit 1 |
| fi | awk -F'\t' 'NR == 1 {print $4}' |
| |
| exit 0 |
