Handle secrets in Docker using AWS KMS, SSM parameter store, Secrets Manager, or Azure Key Vault
exec-with-secrets supports the following services as secrets providers:
- AWS KMS
- AWS Systems Manager Parameter Store
- AWS Secrets Manager
- Azure Key Vault
This utility looks for prefixed variables in the environment and replaces them with secret values:
- {aws-kms}AQICAHjA3mwbmf... - decrypts the value using AWS KMS
- {aws-ssm}/app/param - loads parameter /app/param from AWS Systems Manager Parameter Store
- {aws-sm}/app/param - loads secret /app/param from AWS Secrets Manager
- {aws-sm}/app/param[prop1] - loads secret /app/param from AWS Secrets Manager and takes its prop1 property (for JSON key/value secrets)
- {az-kv}vault/name - loads secret name from Azure Key Vault vault
Variables whose value does not start with a known prefix are passed through unchanged. After resolving the secrets it runs the exec system call, replacing itself with your app, so no wrapper process stays around. The app then simply reads the decrypted secrets from its environment like any other variable.
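The following Go program is an added illustration of that mechanism, not code from the exec-with-secrets project: it parses the {prefix}reference[prop] syntax described above, resolves each value through a provider, and then replaces itself with the target command via syscall.Exec. The Provider interface, the fakeStore in-memory provider and the secret names are assumptions made so the example runs offline; a real build would plug in the AWS and Azure SDK clients behind the same interface.

```go
package main

import (
	"encoding/json"
	"fmt"
	"os"
	"os/exec"
	"strings"
	"syscall"
)

// Provider resolves the part after the {prefix} to a plaintext secret.
// Hypothetical interface for this example, not the project's own type.
type Provider interface {
	Resolve(ref string) (string, error)
}

// fakeStore stands in for KMS/SSM/Secrets Manager/Key Vault so the example runs offline.
type fakeStore map[string]string

func (f fakeStore) Resolve(ref string) (string, error) {
	v, ok := f[ref]
	if !ok {
		return "", fmt.Errorf("secret %q not found", ref)
	}
	return v, nil
}

// parseRef splits "{aws-sm}/app/param[prop1]" into prefix, reference and optional property.
func parseRef(value string) (prefix, ref, prop string, ok bool) {
	if !strings.HasPrefix(value, "{") {
		return "", "", "", false
	}
	end := strings.IndexByte(value, '}')
	if end < 0 {
		return "", "", "", false
	}
	prefix, ref = value[1:end], value[end+1:]
	if strings.HasSuffix(ref, "]") {
		if open := strings.LastIndexByte(ref, '['); open >= 0 {
			prop = ref[open+1 : len(ref)-1]
			ref = ref[:open]
		}
	}
	return prefix, ref, prop, true
}

// resolveValue replaces one prefixed value; unknown prefixes and plain values pass through unchanged.
func resolveValue(value string, providers map[string]Provider) (string, error) {
	prefix, ref, prop, ok := parseRef(value)
	if !ok {
		return value, nil
	}
	p, known := providers[prefix]
	if !known {
		return value, nil
	}
	secret, err := p.Resolve(ref)
	if err != nil {
		return "", err
	}
	if prop == "" {
		return secret, nil
	}
	// [prop] selects one key of a JSON key/value secret (Secrets Manager style).
	var m map[string]interface{}
	if err := json.Unmarshal([]byte(secret), &m); err != nil {
		return "", fmt.Errorf("secret %q is not JSON, cannot select %q: %w", ref, prop, err)
	}
	v, found := m[prop]
	if !found {
		return "", fmt.Errorf("secret %q has no property %q", ref, prop)
	}
	return fmt.Sprint(v), nil
}

// ResolveEnv walks KEY=VALUE pairs and substitutes every prefixed value.
// A failed lookup aborts the whole run rather than starting the app with a missing secret.
func ResolveEnv(environ []string, providers map[string]Provider) ([]string, error) {
	out := make([]string, 0, len(environ))
	for _, kv := range environ {
		key, value, found := strings.Cut(kv, "=")
		if !found {
			out = append(out, kv)
			continue
		}
		resolved, err := resolveValue(value, providers)
		if err != nil {
			return nil, fmt.Errorf("%s: %w", key, err)
		}
		out = append(out, key+"="+resolved)
	}
	return out, nil
}

func main() {
	if len(os.Args) < 2 {
		fmt.Fprintln(os.Stderr, "usage: exec-with-secrets-demo CMD [ARGS...]")
		os.Exit(2)
	}
	// Constructed in-memory secrets; real providers would call the cloud APIs here.
	providers := map[string]Provider{
		"aws-ssm": fakeStore{"/app/param": "ssm-plaintext"},
		"aws-sm":  fakeStore{"/app/db": `{"user":"app","password":"p4ss"}`},
	}
	env, err := ResolveEnv(os.Environ(), providers)
	if err != nil {
		fmt.Fprintln(os.Stderr, err)
		os.Exit(1)
	}
	path, err := exec.LookPath(os.Args[1])
	if err != nil {
		fmt.Fprintln(os.Stderr, err)
		os.Exit(127)
	}
	// Replace this process with the target: the resolved environment is the only place plaintext lives.
	if err := syscall.Exec(path, os.Args[1:], env); err != nil {
		fmt.Fprintln(os.Stderr, err)
		os.Exit(1)
	}
}
```

Run it as `PW='{aws-sm}/app/db[password]' go run . sh -c 'echo $PW'` to see the substitution happen inside the exec'd command. Note that the resolver fails closed: an unknown secret or missing property stops the launch, which is preferable to starting the app with a literal "{aws-sm}/..." string in place of a credential.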
Basic example:
SECRET="{aws-ssm}/my/secret" exec-with-secrets myapp # SECRET value is in myapp environment
Build the example Docker image:
make docker
Run:
docker run -e PARAM="text" -e KMS_PARAM="{aws-kms}c2VjcmV0" exec-with-secrets-example sh -c 'echo $KMS_PARAM'
The single quotes matter: the variable must be expanded by the shell inside the container, after exec-with-secrets has replaced its value, not by your host shell before docker runs. c2VjcmV0 is only a placeholder; you need to put a real KMS-encrypted value there and pass AWS credentials to the container.
KMS_PARAM will be decrypted and passed to echo as an environment variable; PARAM will be passed without modification.
You can adapt the Dockerfile to your use case. Use exec-with-secrets just like the regular exec. For example, run a Java application with:
CMD exec-with-secrets java -jar myapp.jar
Note that the decrypted secrets are only visible to your application: docker inspect will show the encrypted values and references, not the plaintext. The plaintext does live in the application's process environment, so anything that can read that environment (a docker exec into the container, /proc/<pid>/environ on the host with sufficient privileges, or child processes the app spawns) can read it too.
Your container should have appropriate permissions to the secrets provider. For the AWS providers this means AWS credentials must be available to the process; for Azure Key Vault, authentication is configured through the AZURE_AUTH_LOCATION variable.
make builds Linux and Mac binaries with all providers.
To choose providers (for example only AWS SSM), run:
make TAGS=awsssm
See example PR: https://github.com/s12v/exec-with-secrets/pull/1