When I do this:

shush exec ls -la

I get

Incorrect Usage: flag provided but not defined: -la

NAME:
   shush exec - Execute a command

USAGE:
   shush exec [command options] [arguments...]

OPTIONS:
   --prefix value  environment variable prefix (default: "KMS_ENCRYPTED_")

I would expect shush to know that any command-line options passed after the command belong to the command and not to shush itself.

i.e. I would expect shush exec ls -la to do the same as shush exec -- ls -la

Hi @mdub we are using shush inside a ecs task container and it does not seem to be able to get access to what that ecs task role allows.

I know from previous attempts that if the AWS SDK is not new enough, ecs task roles are not supported. Do you know if the go AWS SDK support ecs tasks roles? Have you or anyone else had luck with sush 1.3.0 and ecs task roles?

Version 1.4.0 added the feature 'Allows aliases to be specified without alias/, saving those precious key-strokes'. The documentation says 'KEY-ID-OR-ALIAS can be the id or ARN of a KMS master key'. However, now the syntax that I am using in version 1.3.4, arn:aws:kms:<region>:<accid>:key/<key-id> no longer works, saying it is an invalid alias. <key-id> by itself works fine but I prefer to just copy the whole ARN from the KMS console. This means that key now can be id or alias but not ARN so this must be a regression.

I think the problem is that the newly added line main.go/50 assumes the key is either a UUID or alias but forgets about ARN.

Hey folks, i'm investigating moving some of our workload to AWS Graviton (aka arm64) instances, and we use Dockerised shush a lot.

I grabbed a checkout this repo master and did a docker build . on an arm64 instance, and it all worked perfectly. I could contribute a patch at some point but i thought i'd make this issue as a reminder/placeholder. Also, i'm unfamiliar with REA's build pipeline which makes it a bit harder since i think the big change will be there.

Thanks for providing this tool! 🙌

This would be really useful when working outside AWS.

Hi there,

I was wondering whether it would be possible for checksums to be provided with Shush releases so that we're able to verify the contents before using the binary.

Kind of similar to this project: https://github.com/weaveworks/eksctl/releases

Our security team gave us a recommendation that we should verify the contents of binaries prior to making them widely available within our organisation.

Thank you so much for Shush, we use it everyday and we love it ❤️

It is quite common to pipe a string to shush encrypt via echo and forget the -n. It'd be nice to DWIM in this scenario, perhaps with a warning.

I understand this changes behaviour and it would now be impossible to encrypt a string with a newline on the end. We could cross that bridge when it comes, or add in a flag, or not chomp but just print the warning, or document it and you could put 2 newlines to get 1 newline in there 😄

When I run the following command:

shush encrypt --region ap-southeast-2 key-id

I get a message on STDOUT informing me my usage is incorrect. This text should go on STDERR.

Also the command returns with a success exit status code, so I didn't pick up the error until later.

Amazon now supports assigning roles to Kubernetes service accounts via AssumeRoleWithWebIdentity, but this requires version 1.23.13 of the Go AWS library.

https://docs.aws.amazon.com/eks/latest/userguide/iam-roles-for-service-accounts-minimum-sdk.html

Looking at docker hub, the image has grown from 5MB when we first started using it to 160MB at the last release. That seems unintentional.

Hello,

I'm using shush_linux_amd64 version 1.4.X on the latest amazonlinux:latest docker image and have noticed that decryption takes roughly 20 seconds on a container with 2cpu 4GB memory. Version 1.3.4 returns a result instantly.

Test steps:

• shush encrypt KEY-ID "Test" > encrypted
• shush decrypt < encrypted

Timings:

v1.3.4

real	0m0.063s
user	0m0.031s
sys	0m0.004s

v1.4.0

real	0m20.400s
user	0m0.046s
sys	0m0.000s

v1.4.1

real	0m20.394s
user	0m0.037s
sys	0m0.008s

What are shush's core dependencies? Perhaps I need to update those in my docker image.

Thank you

This would make working with this codebase much easier.

I apologise upfront if i'm being dense, because i'm not much of a Golang programmer. I am on macOS 10.14.6 and used Homebrew to brew install go (gives me Golang 1.14), and when that didn't work, brew install [email protected].

In both cases, running the recommended go get github.com/realestate-com-au/shush gives these errors:

# github.com/realestate-com-au/shush
go/src/github.com/realestate-com-au/shush/main.go:22:22: cannot use cli.StringSliceFlag literal (type cli.StringSliceFlag) as type cli.Flag in array or slice literal:
	cli.StringSliceFlag does not implement cli.Flag (Apply method has pointer receiver)
go/src/github.com/realestate-com-au/shush/main.go:25:4: unknown field 'EnvVar' in struct literal of type cli.StringSliceFlag
go/src/github.com/realestate-com-au/shush/main.go:27:17: cannot use cli.StringFlag literal (type cli.StringFlag) as type cli.Flag in array or slice literal:
	cli.StringFlag does not implement cli.Flag (Apply method has pointer receiver)
go/src/github.com/realestate-com-au/shush/main.go:30:4: unknown field 'EnvVar' in struct literal of type cli.StringFlag
go/src/github.com/realestate-com-au/shush/main.go:39:17: cannot use cli.BoolFlag literal (type cli.BoolFlag) as type cli.Flag in array or slice literal:
	cli.BoolFlag does not implement cli.Flag (Apply method has pointer receiver)
go/src/github.com/realestate-com-au/shush/main.go:44:4: cannot use func literal (type func(*cli.Context)) as type cli.ActionFunc in field value
go/src/github.com/realestate-com-au/shush/main.go:45:11: invalid argument c.Args() (type cli.Args) for len
go/src/github.com/realestate-com-au/shush/main.go:57:7: c.GlobalString undefined (type *cli.Context has no field or method GlobalString)
go/src/github.com/realestate-com-au/shush/main.go:58:7: c.GlobalStringSlice undefined (type *cli.Context has no field or method GlobalStringSlice)
go/src/github.com/realestate-com-au/shush/main.go:63:46: cannot slice c.Args() (type cli.Args)
go/src/github.com/realestate-com-au/shush/main.go:44:4: too many errors

Am i doing something wrong?

G'day! I'm opening this issue as a bit of a straw man discussion spot, because while i'm happy to provide a PR, i'd like to discuss the problem and some potential improvements with maintainers first.

The problem

Basically, colleagues often get bitten by the following (probably extremely well-known) issue:

$ echo "MYT0K3N" | shush encrypt alias/foo

Forgetting echo -n or shush encrypt --trim leaves one with an encrypted token that isn't accepted by a lot of programs, due to the trailing newline. The feedback cycle tends to be slow and annoying because it'll only get noticed when the app is deployed and tries to use the secret.

Some potential improvements

1. Warn clearly on stderr, when encrypting, if input != trim(input). This might be a spurious warning, but i can't think of many instances where you really need surrounding whitespace.
2. Be a bit smarter when decrypting. This one might be a bit more controversial because it's a behavioural change – but hear me out 😅. I believe it'd be reasonable to special-case a trailing \n when decrypting. I would distinguish two cases:
   a. The trailing character is \n, and the string contains no other whitespace characters. In this case, trim the \n.
   b. The trailing character is \n, but there are whitespace characters elsewhere in the string too. In this case, return the string verbatim.

Especially for 2 i could imagine it'd be worth making a clear note in the CHANGELOG and bumping at least the minor version, perhaps also adding a flag to keep old behaviour. My belief is that in 99.99% of cases approach 2 would be perfectly fine, but i'm keen to hear if the maintainers are more creative than i in coming up with edge-cases that make this undesirable.

Option 1 though i imagine could be implemented today with little concern, right?