10000 GitHub - kkentzo/sec2env: Extract secrets from AWS Secrets Manager or Azure Vault for use in the environment πŸ”‘πŸ”‘πŸ”‘
[go: up one dir, main page]
More Web Proxy on the site http://driver.im/
Skip to content
/ sec2env Public

Extract secrets from AWS Secrets Manager or Azure Vault for use in the environment πŸ”‘πŸ”‘πŸ”‘

1 star 0 forks Branches Tags Activity
Star
Notifications You must be signed in to change notification settings

kkentzo/sec2env

BranchesTags

Folders and files

NameName
Last commit message
Last commit date

Latest commit

Β 

History

10 Commits
.github/workflows
.github/workflows
Β 
Β 
cmd
cmd
Β 
Β 
.gitignore
.gitignore
Β 
Β 
.goreleaser.yml
.goreleaser.yml
Β 
Β 
Orkfile.yml
Orkfile.yml
Β 
Β 
README.md
README.md
Β 
Β 
go.mod
go.mod
Β 
Β 
go.sum
go.sum
Β 
Β 
main.go
main.go
Β 
Β 

Repository files navigation

sec2env

sec2env is a very simple program that retrieves a secret from AWS secrets manager or Azure Key Vault, parses the secret value as a json and prints all contained key, value pairs to standard output.

The purpose is to eval the resulting string in a shell and export all key, value pairs to the process environment.

Is this safe/secure? Depends on how much one can trust one's own secrets :)

Build

A working go installation is necessary to build the program. An Orkfile is also provided (the ork program is needed to run the referenced tasks.

Example (AWS)

Let's assume that we have stored a secret in aws region eu-central-1 with the name foo and we have stored the following key, value pairs in the secret: key alpha has value 1 and key beta has value 2.

Running sec2env aws --name foo --region eu-central-1 will output the following text:

export alpha=1
export beta=2

If we wish to export these variables into the current environment, we need to do eval $(sec2env aws --name foo --region eu-central-1) in the shell.

In case of an error, the program will return an exit value of 1 and fail silently so as not to break downstream output processing).

Access to AWS Secrets Manager

The program uses the standard AWS guidelines in order to authenticate with AWS secrets manager.

For production, the best practice is to define an IAM role for the underlying resource (e.g. ec2 instance).

Given an ec2 instance and a secret with name foo in region eu-central-1 and account 111111111111, the following example defines an IAM role with the secret access policy in yaml form. The role then needs to be attached to the ec2 instance.

AWSTemplateFormatVersion: '2010-09-09'

Description: >-
  An example of defining an IAM rolw with a secret access policy

Resources:
  SecretsAccessPolicy:
    Type: AWS::IAM::Policy
    Properties:
      PolicyName: "secret-access"
      PolicyDocument:
        Version: "2012-10-17"
        Statement:
          -
            Effect: "Allow"
            Action:
              - secretsmanager:GetSecretValue
            Resource:
              - "arn:aws:secretsmanager:eu-central-1:111111111111:secret:foo"
      Roles:
        - !Ref ServerRole

  ServerRole:
    Type: AWS::IAM::Role
    Properties:
      RoleName: "server-role"
      AssumeRolePolicyDocument:
        Version: "2012-10-17"
        Statement:
          -
            Effect: "Allow"
            Principal:
              Service:
                - "ec2.amazonaws.com"
            Action:
              - "sts:AssumeRole"

About

Extract secrets from AWS Secrets Manager or Azure Vault for use in the environment πŸ”‘πŸ”‘πŸ”‘

Resources

Readme
Activity

Stars

1 star

Watchers

2 watching

Forks

0 forks
Report repository

Releases 4

v1.1 Latest
Sep 27, 2024
+ 3 releases

Languages
0