Decrypt KMS encrypted values in config files

Usage no npm install needed!

<script type="module">
  import seekKmsConfig from 'https://cdn.skypack.dev/@seek/kms-config';


config ⇒ Promise

Decrypt KMS encrypted values in config files. This tool is optimised for use in node 4.3.2 AWS Lambda functions but should work in any modern node runtime.


npm install --save @seek/kms-config


The user that is running the lambda will need kms:Decrypt permission to the master key used for generating the ciphertext. Warning* To reduce KMS overhead you should just call this once and cache the result if possible.


    "foo" : "bar",
    "kms" { //All the values in this object are expected to be KMS ciphertext 
        "secretToHappiness" : "base64_encoded_ciphertext"


const myConfig = require('./myConfig')
const config  = require('@seek/kms-config')(myConfig)

config.then(resolved => {
    console.log(resolved.foo) // "bar"
    console.log(resolved.kms.secretToHappiness) // "eat more chocolate"
}).catch(err => {
    console.log(err, "Oh dear perhaps you are missing KMS permissions")

Returns: Promise - A promise to the loaded config which will be resolved with all kms values decrypted.

Param Type Description
config Object A config object which may contain a child kms object who's values are KMS ciphertext