README
¶
suve
[!NOTE] This project was written by AI (Claude Code).
A Git-like CLI for AWS Parameter Store and Secrets Manager. Familiar commands like show, log, diff, and a staging workflow for safe, reviewable changes.
Features
- Git-like commands:
show,log,diff,ls,set,rm - Staging workflow:
edit→status→diff→apply(review changes before applying) - Version navigation:
#VERSION,~SHIFT,:LABELsyntax - Colored diff output: Easy-to-read unified diff format
- Both services: SSM Parameter Store and Secrets Manager
Installation
Using Homebrew (macOS/Linux)
brew install mpyw/tap/suve
Using go install
go install github.com/mpyw/suve/cmd/suve@latest
Using go tool (Go 1.24+)
# Add to go.mod as a tool dependency
go get -tool github.com/mpyw/suve/cmd/suve@latest
# Run via go tool
go tool suve param show /my/param
[!TIP] Using with aws-vault: Wrap commands with
aws-vault execfor temporary credentials:aws-vault exec my-profile -- suve param show /my/param
Getting Started
Basic Commands
user@host:~$ suve param show /app/config/database-url
Name: /app/config/database-url
Version: 3
Type: SecureString
Modified: 2024-01-15T10:30:45Z
postgres://db.example.com:5432/myapp
user@host:~$ suve param show --raw /app/config/database-url
postgres://db.example.com:5432/myapp
The show command displays value with metadata; --raw outputs raw value for piping:
# Use in scripts
DB_URL=$(suve param show --raw /app/config/database-url)
# Pipe to file
suve param show --raw /app/config/ssl-cert > cert.pem
Version History with log
View version history, just like git log:
user@host:~$ suve param log /app/config/database-url
Version 3 (current)
Date: 2024-01-15T10:30:45Z
postgres://db.example.com:5432/myapp...
Version 2
Date: 2024-01-14T09:20:30Z
postgres://old-db.example.com:5432/myapp...
Version 1
Date: 2024-01-13T08:10:00Z
postgres://localhost:5432/myapp...
Use --patch to see what changed in each version:
user@host:~$ suve param log --patch /app/config/database-url
Output will look like:
Version 3 (current)
Date: 2024-01-15T10:30:45Z
--- /app/config/database-url#2
+++ /app/config/database-url#3
@@ -1 +1 @@
-postgres://old-db.example.com:5432/myapp
+postgres://db.example.com:5432/myapp
Version 2
Date: 2024-01-14T09:20:30Z
--- /app/config/database-url#1
+++ /app/config/database-url#2
@@ -1 +1 @@
-postgres://localhost:5432/myapp
+postgres://old-db.example.com:5432/myapp
[!TIP] Add
--parse-jsonto pretty-print JSON values before diffing. This normalizes formatting and sorts keys alphabetically, so you can focus on the actual content changes rather than formatting differences:suve param log --patch --parse-json /app/config/credentials
Comparing Versions with diff
Compare previous version with latest (most common use case):
user@host:~$ suve param diff /app/config/database-url~
Output will look like:
--- /app/config/database-url#2
+++ /app/config/database-url#3
@@ -1 +1 @@
-postgres://old-db.example.com:5432/myapp
+postgres://db.example.com:5432/myapp
Compare any two specific versions:
user@host:~$ suve param diff /app/config/database-url#1 /app/config/database-url#3
Output will look like:
--- /app/config/database-url#1
+++ /app/config/database-url#3
@@ -1 +1 @@
-postgres://localhost:5432/myapp
+postgres://db.example.com:5432/myapp
Staging Workflow
[!NOTE] The staging workflow lets you prepare changes locally, review them, and apply when ready—just like
git add→git diff --staged→git commit.
[!CAUTION] Staged values are stored in plain text at
~/.suve/stage.json. If you no longer need pending changes, runsuve stage reset --allto clear them.
1. Stage changes (opens editor or accepts value directly):
[!TIP] To use VSCode or Cursor as your editor, set
export VISUAL='code --wait'orexport VISUAL='cursor --wait'in your shell profile.
user@host:~$ suve stage param add /app/config/new-param "my-value"
✓ Staged for creation: /app/config/new-param
user@host:~$ suve stage param edit /app/config/database-url
✓ Staged: /app/config/database-url
user@host:~$ suve stage param delete /app/config/old-param
✓ Staged for deletion: /app/config/old-param
2. Review staged changes:
user@host:~$ suve stage status
Staged SSM changes (3):
A /app/config/new-param
M /app/config/database-url
D /app/config/old-param
user@host:~$ suve stage diff
Output will look like:
--- /app/config/database-url#3 (AWS)
+++ /app/config/database-url (staged)
@@ -1 +1 @@
-postgres://db.example.com:5432/myapp
+postgres://new-db.example.com:5432/myapp
--- /app/config/new-param (not in AWS)
+++ /app/config/new-param (staged for creation)
@@ -0,0 +1 @@
+my-value
3. Apply changes:
user@host:~$ suve stage apply
Applying SSM Parameter Store parameters...
✓ Created /app/config/new-param
✓ Updated /app/config/database-url
✓ Deleted /app/config/old-param
Reset if needed:
# Unstage specific parameter
suve stage param reset /app/config/database-url
# Unstage all
suve stage reset --all
[!TIP]
suve stage applyprompts for confirmation before applying. Use--yesto skip the prompt.
Version Specification
Navigate versions with Git-like syntax.
SSM Parameter Store
[!NOTE] SSM Parameter Store uses numeric version numbers (1, 2, 3, ...) that auto-increment on each update.
<name>[#VERSION][~SHIFT]*
where ~SHIFT = ~ | ~N (repeatable, cumulative)
| Syntax | Description |
|---|---|
/my/param |
Latest version |
/my/param#3 |
Version 3 |
/my/param~1 |
1 version ago |
/my/param#5~2 |
Version 5 minus 2 = Version 3 |
/my/param~~ |
2 versions ago (~1~1) |
Secrets Manager
[!NOTE] Secrets Manager uses UUID version IDs and staging labels instead of numeric versions.
AWSCURRENTandAWSPREVIOUSare special labels automatically managed by AWS—AWSCURRENTalways points to the latest version.
<name>[#VERSION | :LABEL][~SHIFT]*
where ~SHIFT = ~ | ~N (repeatable, cumulative)
| Syntax | Description |
|---|---|
my-secret |
Current (AWSCURRENT) |
my-secret:AWSPREVIOUS |
Previous staging label |
my-secret#abc123 |
Specific version ID |
my-secret~1 |
1 version ago |
[!IMPORTANT] When specifying version-only syntax like
'#3'or':AWSPREVIOUS', you must use quotes to prevent shell interpretation of the#(comment) or:characters.
[!TIP]
~without a number means~1. You can chain them:~~=~1~1=~2
Command Reference
Services
| Service | Aliases |
|---|---|
| SSM Parameter Store | param, ssm, ps |
| Secrets Manager | secret, sm |
SSM Parameter Store
| Command | Options | Description |
|---|---|---|
suve param show |
--raw--parse-json (-j)--no-pager--output=<FORMAT> |
Display parameter with metadata |
suve param log |
--number=<N> (-n)--patch (-p)--parse-json (-j)--oneline--reverse--since=<DATE>--until=<DATE>--no-pager--output=<FORMAT> |
Show version history |
suve param diff |
--parse-json (-j)--no-pager--output=<FORMAT> |
Compare versions |
suve param list |
--recursive (-R)--filter=<REGEX>--show--output=<FORMAT> |
List parameters |
suve param set |
--type=<TYPE>--secure--description=<TEXT>--tag=<KEY>=<VALUE> --tag=...--untag=<KEY> --untag=...--yes |
Create or update parameter |
suve param delete |
--yes |
Delete parameter |
Staging commands (under suve stage param):
| Command | Options | Description |
|---|---|---|
suve stage param add |
--description=<TEXT>--tag=<KEY>=<VALUE> --tag=... |
Stage new parameter |
suve stage param edit |
--description=<TEXT>--tag=<KEY>=<VALUE> --tag=... |
Stage modification |
suve stage param delete |
Stage deletion | |
suve stage param status |
--verbose (-v) |
Show staged changes |
suve stage param diff |
--parse-json (-j)--no-pager |
Compare staged vs AWS |
suve stage param apply |
--yes--ignore-conflicts |
Apply staged changes |
suve stage param reset |
--all |
Unstage changes |
Secrets Manager
| Command | Options | Description |
|---|---|---|
suve secret show |
--raw--parse-json (-j)--no-pager--output=<FORMAT> |
Display secret with metadata |
suve secret log |
--number=<N> (-n)--patch (-p)--parse-json (-j)--oneline--reverse--since=<DATE>--until=<DATE>--no-pager--output=<FORMAT> |
Show version history |
suve secret diff |
--parse-json (-j)--no-pager--output=<FORMAT> |
Compare versions |
suve secret list |
--filter=<REGEX>--show--output=<FORMAT> |
List secrets |
suve secret create |
--description=<TEXT>--tag=<KEY>=<VALUE> --tag=... |
Create new secret |
suve secret update |
--description=<TEXT>--tag=<KEY>=<VALUE> --tag=...--untag=<KEY> --untag=...--yes |
Update existing secret |
suve secret delete |
--force--recovery-window=<DAYS>--yes |
Delete secret |
suve secret restore |
Restore deleted secret |
Staging commands (under suve stage secret):
| Command | Options | Description |
|---|---|---|
suve stage secret add |
--description=<TEXT>--tag=<KEY>=<VALUE> --tag=... |
Stage new secret |
suve stage secret edit |
--description=<TEXT>--tag=<KEY>=<VALUE> --tag=... |
Stage modification |
suve stage secret delete |
--force--recovery-window=<DAYS> |
Stage deletion |
suve stage secret status |
--verbose (-v) |
Show staged changes |
suve stage secret diff |
--parse-json (-j)--no-pager |
Compare staged vs AWS |
suve stage secret apply |
--yes--ignore-conflicts |
Apply staged changes |
suve stage secret reset |
--all |
Unstage changes |
Global Stage Commands
| Command | Options | Description |
|---|---|---|
suve stage status |
--verbose (-v) |
Show all staged changes |
suve stage diff |
--parse-json (-j)--no-pager |
Compare all staged vs AWS |
suve stage apply |
--yes--ignore-conflicts |
Apply all staged changes |
suve stage reset |
--all |
Unstage all changes |
Environment Variables
Timezone
suve respects the TZ environment variable for date/time formatting:
# Show times in UTC
TZ=UTC suve param show /app/config
# Show times in Japan Standard Time
TZ=Asia/Tokyo suve param show /app/config
All timestamps are formatted in RFC3339 format with the local timezone offset applied. If TZ is not set, the system's local timezone is used. Invalid timezone values fall back to UTC.
AWS Configuration
suve uses standard AWS SDK configuration:
Authentication (in order of precedence):
- Environment variables (
AWS_ACCESS_KEY_ID,AWS_SECRET_ACCESS_KEY,AWS_SESSION_TOKEN) - Shared credentials file (
~/.aws/credentials) - IAM role (EC2, ECS, Lambda)
Region:
AWS_REGIONorAWS_DEFAULT_REGIONenvironment variable~/.aws/configfile
[!WARNING] Ensure your IAM role/user has appropriate permissions:
- SSM:
ssm:GetParameter,ssm:GetParameterHistory,ssm:PutParameter,ssm:DeleteParameter,ssm:DescribeParameters,ssm:AddTagsToResource,ssm:RemoveTagsFromResource- SM:
secretsmanager:GetSecretValue,secretsmanager:ListSecretVersionIds,secretsmanager:ListSecrets,secretsmanager:CreateSecret,secretsmanager:PutSecretValue,secretsmanager:UpdateSecret,secretsmanager:DeleteSecret,secretsmanager:RestoreSecret,secretsmanager:TagResource,secretsmanager:UntagResource
Development
# Run tests
make test
# Run linter
make lint
# Build CLI
make build
# Run E2E tests (requires Docker)
make e2e
# Coverage (unit + E2E combined)
make coverage-all
License
MIT License
Directories
¶
| Path | Synopsis |
|---|---|
|
cmd
|
|
|
suve
command
|
|
|
internal
|
|
|
api/paramapi
Package paramapi provides interfaces for AWS Systems Manager Parameter Store.
|
Package paramapi provides interfaces for AWS Systems Manager Parameter Store. |
|
api/secretapi
Package secretapi provides interfaces for AWS Secrets Manager.
|
Package secretapi provides interfaces for AWS Secrets Manager. |
|
cli/colors
Package colors provides pre-configured color functions for CLI output.
|
Package colors provides pre-configured color functions for CLI output. |
|
cli/commands
Package commands provides the command-line interface for suve.
|
Package commands provides the command-line interface for suve. |
|
cli/commands/internal
Package internal provides shared utilities for CLI commands.
|
Package internal provides shared utilities for CLI commands. |
|
cli/commands/param/delete
Package delete provides the SSM Parameter Store delete command.
|
Package delete provides the SSM Parameter Store delete command. |
|
cli/commands/param/diff
Package diff provides the SSM Parameter Store diff command for comparing parameter versions.
|
Package diff provides the SSM Parameter Store diff command for comparing parameter versions. |
|
cli/commands/param/list
Package list provides the SSM Parameter Store list command.
|
Package list provides the SSM Parameter Store list command. |
|
cli/commands/param/log
Package log provides the SSM Parameter Store log command for viewing parameter version history.
|
Package log provides the SSM Parameter Store log command for viewing parameter version history. |
|
cli/commands/param/set
Package set provides the SSM Parameter Store set command.
|
Package set provides the SSM Parameter Store set command. |
|
cli/commands/param/show
Package show provides the SSM Parameter Store show command.
|
Package show provides the SSM Parameter Store show command. |
|
cli/commands/param/tag
Package tag provides the SSM Parameter Store tag command.
|
Package tag provides the SSM Parameter Store tag command. |
|
cli/commands/param/untag
Package untag provides the SSM Parameter Store untag command.
|
Package untag provides the SSM Parameter Store untag command. |
|
cli/commands/secret/create
Package create provides the Secrets Manager create command.
|
Package create provides the Secrets Manager create command. |
|
cli/commands/secret/delete
Package delete provides the Secrets Manager delete command.
|
Package delete provides the Secrets Manager delete command. |
|
cli/commands/secret/diff
Package diff provides the Secrets Manager diff command for comparing secret versions.
|
Package diff provides the Secrets Manager diff command for comparing secret versions. |
|
cli/commands/secret/list
Package list provides the Secrets Manager list command.
|
Package list provides the Secrets Manager list command. |
|
cli/commands/secret/log
Package log provides the Secrets Manager log command for viewing secret version history.
|
Package log provides the Secrets Manager log command for viewing secret version history. |
|
cli/commands/secret/restore
Package restore provides the Secrets Manager restore command.
|
Package restore provides the Secrets Manager restore command. |
|
cli/commands/secret/show
Package show provides the Secrets Manager show command.
|
Package show provides the Secrets Manager show command. |
|
cli/commands/secret/tag
Package tag provides the Secrets Manager tag command.
|
Package tag provides the Secrets Manager tag command. |
|
cli/commands/secret/untag
Package untag provides the Secrets Manager untag command.
|
Package untag provides the Secrets Manager untag command. |
|
cli/commands/secret/update
Package update provides the Secrets Manager update command.
|
Package update provides the Secrets Manager update command. |
|
cli/commands/stage
Package stage provides the global stage command for managing staged changes.
|
Package stage provides the global stage command for managing staged changes. |
|
cli/commands/stage/apply
Package apply provides the global apply command for applying all staged changes.
|
Package apply provides the global apply command for applying all staged changes. |
|
cli/commands/stage/diff
Package diff provides the global diff command for viewing staged changes.
|
Package diff provides the global diff command for viewing staged changes. |
|
cli/commands/stage/param
Package param provides the param stage subcommand for staging operations.
|
Package param provides the param stage subcommand for staging operations. |
|
cli/commands/stage/reset
Package reset provides the global reset command for unstaging all changes.
|
Package reset provides the global reset command for unstaging all changes. |
|
cli/commands/stage/secret
Package secret provides the secret stage subcommand for staging operations.
|
Package secret provides the secret stage subcommand for staging operations. |
|
cli/commands/stage/status
Package status provides the global status command for viewing all staged changes.
|
Package status provides the global status command for viewing all staged changes. |
|
cli/confirm
Package confirm provides confirmation prompts for destructive operations.
|
Package confirm provides confirmation prompts for destructive operations. |
|
cli/diffargs
Package diffargs provides shared diff command argument parsing logic for SSM Parameter Store and Secrets Manager.
|
Package diffargs provides shared diff command argument parsing logic for SSM Parameter Store and Secrets Manager. |
|
cli/editor
Package editor provides functionality for opening external editors.
|
Package editor provides functionality for opening external editors. |
|
cli/output
Package output handles formatted output for the CLI.
|
Package output handles formatted output for the CLI. |
|
cli/pager
Package pager provides terminal pager functionality for long outputs.
|
Package pager provides terminal pager functionality for long outputs. |
|
cli/terminal
Package terminal provides terminal-related utilities.
|
Package terminal provides terminal-related utilities. |
|
infra
Package infra provides AWS client initialization.
|
Package infra provides AWS client initialization. |
|
jsonutil
Package jsonutil provides JSON formatting utilities.
|
Package jsonutil provides JSON formatting utilities. |
|
maputil
Package maputil provides utilities for working with maps.
|
Package maputil provides utilities for working with maps. |
|
parallel
Package parallel provides utilities for parallel execution of operations.
|
Package parallel provides utilities for parallel execution of operations. |
|
staging
Package staging provides staging functionality for AWS parameter and secret changes.
|
Package staging provides staging functionality for AWS parameter and secret changes. |
|
staging/runner
Package runner provides shared runners and command builders for stage commands.
|
Package runner provides shared runners and command builders for stage commands. |
|
tagging
Package tagging provides unified tag management for SSM Parameter Store and Secrets Manager.
|
Package tagging provides unified tag management for SSM Parameter Store and Secrets Manager. |
|
timeutil
Package timeutil provides timezone-aware time formatting utilities.
|
Package timeutil provides timezone-aware time formatting utilities. |
|
usecase/param
Package param provides use cases for SSM Parameter Store operations.
|
Package param provides use cases for SSM Parameter Store operations. |
|
usecase/secret
Package secret provides use cases for Secrets Manager operations.
|
Package secret provides use cases for Secrets Manager operations. |
|
usecase/staging
Package staging provides use cases for staging operations.
|
Package staging provides use cases for staging operations. |
|
version
Package version provides shared version specification parsing logic for SSM Parameter Store and Secrets Manager version specifiers.
|
Package version provides shared version specification parsing logic for SSM Parameter Store and Secrets Manager version specifiers. |
|
version/internal
Package internal provides shared utilities for version parsing.
|
Package internal provides shared utilities for version parsing. |
|
version/paramversion
Package paramversion provides version resolution for AWS Systems Manager Parameter Store.
|
Package paramversion provides version resolution for AWS Systems Manager Parameter Store. |
|
version/secretversion
Package secretversion provides version resolution for AWS Secrets Manager.
|
Package secretversion provides version resolution for AWS Secrets Manager. |
Click to show internal directories.
Click to hide internal directories.