Connect to CipherStash
In order to connect and use CipherStash, you will need the following parameters (we will provide these to you when you sign up).
| Parameter | Purpose |
| --- | --- |
| clientId | Your OAuth2 client authentication ID |
| clientSecret | Corresponding OAuth2 secret - keep this secret! |
| cmk | The ID of your cluster master key (note that this is just the ID, not the key itself) |
| IdentityPoolId | AWS Identity pool used for KMS access - this will be provided to you |
| idpHost | The OAuth2 authentication host (Only idp.stashdata.net is supported at the moment) |
| region | AWS region (must be ap-southeast-2 during the private beta) |

Opening a Connection

CipherStash uses OAuth 2.0 to authenticate client access. In its most basic form, this uses the CipherStash managed authentication provider running in machine-to-machine mode. Several other architectures will be possible in the future.
To authenticate, call Stash.connect(config: StashConfig), passing a configuration object that holds your credentials. The StashConfig object looks like this (TypeScript):

    type StashConfig = {
      idpHost: string,
      clientCredentials: {
        clientSecret: string,
        clientId: string,
      },
      federationConfig: {
        IdentityPoolId: string,
        region: string,
      },
      serviceFqdn: string,
      cmk: string,
      clusterId: string
    }

Alternatively, the Stash.loadConfigFromEnv() helper can be used to read configuration values from environment variables and return a StashConfig object.

    import { Stash } from '@cipherstash/stashjs'

    // Use one of the two options below, not both: `stash` can only be declared once.

    // Option 1: use the helper to read config from the environment
    const stash = await Stash.connect(Stash.loadConfigFromEnv())

    // Option 2: manually instantiate a StashConfig object
    const stash = await Stash.connect({
      idpHost: "...",
      clientCredentials: {
        clientSecret: "...",
        clientId: "...",
      },
      federationConfig: {
        IdentityPoolId: "...",
        region: "...",
      },
      serviceFqdn: "...",
      cmk: "...",
      clusterId: "..."
    })

Environment variables

If you use the Stash.loadConfigFromEnv() helper then the following environment variables must be available:
    CS_CLIENT_ID
    CS_SECRET
    CS_FEDERATED_IDENTITY_ID
    CS_DEV_CMK
    CS_IDP_HOST
    CS_SERVICE_FQDN

Don't Reuse Client Credentials

Each client that connects to a CipherStash instance should have its own client_id and client_secret. For example, if you have two different micro-services that connect to the same instance, they should each have separate credentials (possibly with different permissions).
If you need another set of credentials, please contact [email protected].
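
A preflight check covering the "Environment variables" and "Don't Reuse Client Credentials" sections, as an added example that is not part of the CipherStash documentation or StashJS: it reports which of the listed variables are unset and which client IDs are configured for more than one service. The function names, service names and sample values are assumptions constructed for illustration, and the code never calls Stash.connect.

```javascript
// Names taken from the "Environment variables" list on this page.
const REQUIRED_VARS = [
  "CS_CLIENT_ID", "CS_SECRET", "CS_FEDERATED_IDENTITY_ID",
  "CS_DEV_CMK", "CS_IDP_HOST", "CS_SERVICE_FQDN",
];

// True when a value is unset, blank, or still the "..." placeholder from the docs.
const isUnset = (value) => ["", "..."].includes((value || "").trim());

// Return the names (never the values) of required variables that are unset.
function missingStashVars(env) {
  return REQUIRED_VARS.filter((name) => isUnset(env[name]));
}

// Given { serviceName: env }, list every problem found: unset variables per
// service, and client IDs that more than one service is configured with.
function auditServices(serviceEnvs) {
  const problems = [];
  const byClient = new Map();
  for (const [service, env] of Object.entries(serviceEnvs)) {
    const missing = missingStashVars(env);
    if (missing.length) problems.push(`${service}: missing ${missing.join(", ")}`);
    const id = (env.CS_CLIENT_ID || "").trim();
    if (!isUnset(id)) byClient.set(id, [...(byClient.get(id) || []), service]);
  }
  for (const [id, services] of byClient) {
    if (services.length > 1) problems.push(`client ID ${id} shared by ${services.join(", ")}`);
  }
  return problems;
}

// Constructed sample deployment: every value below is made up for illustration.
const sampleBase = {
  CS_SECRET: "constructed-secret", CS_FEDERATED_IDENTITY_ID: "constructed-pool",
  CS_DEV_CMK: "constructed-cmk-id", CS_IDP_HOST: "idp.stashdata.net",
  CS_SERVICE_FQDN: "stash.example.invalid",
};
const sampleServices = {
  billing: { ...sampleBase, CS_CLIENT_ID: "client-a" },
  reports: { ...sampleBase, CS_CLIENT_ID: "client-a" }, // reuses billing's client ID
  search: { ...sampleBase, CS_CLIENT_ID: "client-b", CS_SECRET: "..." }, // placeholder left in
};

console.log(auditServices(sampleServices));
```

In a real service, pass `process.env` to `missingStashVars` at startup and refuse to start if the result is non-empty.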