Chamber Cheat Sheet
Overview
Chamber is a tool for managing secrets by storing them in AWS Systems Manager Parameter Store. It provides a CLI interface for writing, reading, listing, and injecting secrets as environment variables into application processes. Chamber organizes secrets by service name, making it easy to manage configuration across multiple applications and environments.
Chamber uses AWS SSM Parameter Store as its backend, which provides encryption at rest via AWS KMS, access control via IAM policies, audit logging via CloudTrail, and versioning. It is a simple, secure alternative to managing .env files or hardcoded secrets.
Installation
# macOS
brew install chamber
# Linux (download binary)
curl -LO https://github.com/segmentio/chamber/releases/latest/download/chamber-v2-linux-amd64
chmod +x chamber-v2-linux-amd64
sudo mv chamber-v2-linux-amd64 /usr/local/bin/chamber
# Go install
go install github.com/segmentio/chamber/v2@latest
# Verify
chamber version
Prerequisites
# AWS credentials must be configured
aws configure
# or
export AWS_REGION=us-east-1
export AWS_ACCESS_KEY_ID=xxx
export AWS_SECRET_ACCESS_KEY=xxx
# Ensure KMS key exists (or use aws/ssm default)
export CHAMBER_KMS_KEY_ALIAS=aws/ssm
Core Commands
| Command | Description |
|---|---|
| chamber write <svc> <key> <val> | Write a secret |
| chamber write <svc> <key> - | Write from stdin |
| chamber read <svc> <key> | Read a secret |
| chamber list <svc> | List secrets for a service |
| chamber list-services | List all services |
| chamber exec <svc> -- <cmd> | Run command with secrets as env vars |
| chamber export <svc> | Export secrets as JSON/dotenv |
| chamber delete <svc> <key> | Delete a secret |
| chamber history <svc> <key> | Show version history |
| chamber find <key> | Find a key across services |
Secret Management
Writing Secrets
# Write a secret
chamber write myapp database-url "postgres://user:pass@db:5432/myapp"
chamber write myapp api-key "sk-abc123"
chamber write myapp redis-url "redis://cache:6379"
# Write from stdin (for multiline/sensitive values)
echo "my-secret-value" | chamber write myapp secret-key -
cat private.pem | chamber write myapp tls-key -
# Write with specific KMS key
CHAMBER_KMS_KEY_ALIAS=my-key chamber write myapp secret "value"
Reading Secrets
# Read a specific secret
chamber read myapp database-url
# Read quiet (value only)
chamber read -q myapp database-url
# List all secrets for a service
chamber list myapp
# List all services
chamber list-services
Exporting Secrets
# Export as JSON
chamber export myapp
# Export as dotenv format
chamber export --format dotenv myapp
# Export as CSV
chamber export --format csv myapp
# Export to file
chamber export --format dotenv myapp > .env
# Export multiple services
chamber export myapp shared-config
Running Commands with Secrets
# Inject secrets as environment variables
chamber exec myapp -- node server.js
# Multiple services (merged)
chamber exec myapp shared -- python app.py
# Secrets become uppercase env vars:
# database-url -> DATABASE_URL
# api-key -> API_KEY
# redis-url -> REDIS_URL
# Run with specific service and shared secrets
chamber exec production/myapp production/shared -- ./start.sh
Configuration
Service Naming Convention
# Environment-based naming
chamber write staging/myapp database-url "postgres://staging-db/myapp"
chamber write production/myapp database-url "postgres://prod-db/myapp"
# Shared secrets across services
chamber write shared api-gateway-url "https://gateway.example.com"
chamber write shared logging-endpoint "https://logs.example.com"
# Per-team organization
chamber write team-platform/redis host "redis.internal"
chamber write team-platform/postgres host "postgres.internal"
Environment Variables
# Custom KMS key
export CHAMBER_KMS_KEY_ALIAS=alias/my-custom-key
# Custom AWS region
export CHAMBER_AWS_REGION=eu-west-1
# Backend selection (ssm or s3)
export CHAMBER_STORE=ssm
# SSM path prefix (default: /)
export CHAMBER_SSM_PREFIX=/mycompany
IAM Policy
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "ssm:GetParameters",
        "ssm:GetParametersByPath"
      ],
      "Resource": "arn:aws:ssm:us-east-1:123456789:parameter/myapp/*"
    },
    {
      "Effect": "Allow",
      "Action": ["kms:Decrypt"],
      "Resource": "arn:aws:kms:us-east-1:123456789:key/abc-123"
    }
  ]
}
Advanced Usage
Docker Integration
# Use chamber in Docker entrypoint
# Pin a release tag instead of `latest` for reproducible builds.
FROM alpine
RUN apk add --no-cache curl && \
    curl -LO https://github.com/segmentio/chamber/releases/latest/download/chamber-v2-linux-amd64 && \
    mv chamber-v2-linux-amd64 /usr/local/bin/chamber && \
    chmod +x /usr/local/bin/chamber
ENTRYPOINT ["chamber", "exec", "myapp", "--"]
CMD ["node", "server.js"]
ECS/Kubernetes Integration
# Kubernetes - init container pattern: the init container renders the
# secrets into a shared volume that the app container then reads
initContainers:
  - name: secrets
    image: segment/chamber:2
    # `chamber export` writes to stdout, so capture it into the shared
    # volume through a shell (assumes the image provides sh). Back the
    # volume with an in-memory emptyDir so the file never reaches node disk.
    command: ["sh", "-c", "chamber export --format dotenv myapp > /secrets/.env"]
    volumeMounts:
      - name: secrets
        mountPath: /secrets
    env:
      - name: AWS_REGION
        value: us-east-1
Version History
# View secret history
chamber history myapp database-url
# All versions are retained in SSM Parameter Store
# Rollback by writing the previous value
Bulk Operations
# Import from dotenv file (bash: uses [[ ]]). Comment and blank lines are
# skipped; values are written exactly as they appear, quotes included.
while IFS='=' read -r key value; do
  [[ "$key" =~ ^#.*$ ]] && continue
  [[ -z "$key" ]] && continue
  chamber write myapp "$key" "$value"
done < .env
# Copy secrets between services. Keys are copied as stored; values that
# contain newlines would be split by `read`, so write those via stdin instead.
chamber export staging/myapp --format json | \
  jq -r 'to_entries[] | "\(.key) \(.value)"' | \
  while read -r key value; do
    chamber write production/myapp "$key" "$value"
  done
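An added example, not chamber's own code, that serves both the dotenv import above and the key mapping described under "Running Commands with Secrets": it parses a dotenv file (comments, blank lines, `export` prefixes, quoted values), maps DATABASE_URL-style names back to chamber's lowercase-hyphen keys, and feeds each value through stdin so it never lands in argv or shell history. CHAMBER_BIN is a hypothetical override so the import can be dry-run without AWS access.

```shell
#!/usr/bin/env bash
# Added example (not part of the chamber project). Assumes the `chamber`
# binary is on PATH; set CHAMBER_BIN=echo to dry-run without AWS access.

# DATABASE_URL -> database-url: the inverse of the mapping `chamber exec`
# applies when it turns keys into environment variable names.
chamber_key_name() {
  printf '%s' "$1" | tr 'A-Z_' 'a-z-'
}

# Print one "key<TAB>value" line per assignment in the dotenv file "$1".
parse_dotenv() {
  local line key value
  while IFS= read -r line || [ -n "$line" ]; do
    line="${line#"${line%%[![:space:]]*}"}"      # trim leading whitespace
    case "$line" in ''|'#'*) continue ;; esac    # skip blanks and comments
    line="${line#export }"                        # tolerate `export KEY=val`
    case "$line" in *=*) ;; *) continue ;; esac   # ignore lines without '='
    key="${line%%=*}"
    value="${line#*=}"
    case "$value" in                              # strip one layer of quotes
      \"*\") value="${value#\"}"; value="${value%\"}" ;;
      \'*\') value="${value#\'}"; value="${value%\'}" ;;
    esac
    printf '%s\t%s\n' "$(chamber_key_name "$key")" "$value"
  done < "$1"
}

# Write every pair into service "$1" from file "$2" using the stdin form
# (`chamber write <svc> <key> -`), so values stay out of argv and history.
import_dotenv() {
  local svc="$1" file="$2" tab key value
  tab=$(printf '\t')
  parse_dotenv "$file" | while IFS="$tab" read -r key value; do
    printf '%s' "$value" | "${CHAMBER_BIN:-chamber}" write "$svc" "$key" -
  done
}

# Constructed sample input, dry-run through `echo` instead of the real binary.
sample=$(mktemp)
cat > "$sample" <<'EOF'
# constructed example .env
export DATABASE_URL="postgres://user:pass@db:5432/myapp"
API_KEY=sk-abc123
EOF
CHAMBER_BIN=echo import_dotenv myapp "$sample"
rm -f "$sample"
```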
Troubleshooting
| Issue | Solution |
|---|---|
| Access denied | Check IAM policy for SSM and KMS permissions |
| KMS key not found | Set CHAMBER_KMS_KEY_ALIAS or create the key |
| Secret not found | Verify service name and key; check region |
| Env vars not injected | Keys with hyphens become underscored uppercase |
| Slow list operations | Use specific service names instead of broad queries |
| Rate limiting | Implement retry logic; batch operations |
# Debug: check AWS config
aws sts get-caller-identity
aws ssm get-parameters-by-path --path /myapp/ --recursive
# Verify KMS key
aws kms describe-key --key-id alias/aws/ssm
# Check parameter store directly
aws ssm get-parameter --name /myapp/database-url --with-decryption