Exec With Secrets Save

Handle secrets in Docker using AWS KMS, SSM parameter store, Secrets Manager, or Azure Key Vault

Project README

Inject secrets from AWS KMS/SSM/Secrets Manager and Azure Key Vault into your app environment

exec-with-secrets supports the following services as secrets providers:

This utility looks for prefixed variables in environment and replaces them with secret values:

{aws-kms}AQICAHjA3mwbmf... - decrypts the value using AWS KMS
{aws-ssm}/app/param - loads parameter /app/param from AWS Systems Manager Parameter Store
{aws-sm}/app/param - loads secret /app/param from AWS Secrets Manager
{aws-sm}/app/param[prop1] - loads secret /app/param from AWS Secrets Manager and takes prop1 property
{az-kv}vault/name - loads secret name from Azure Key Vault vault

After decrypting secrets it runs exec system call, replacing itself with your app. The app can simply access decrypted secrets in the environment.

Basic example:

SECRET="{aws-ssm}/my/secret" exec-with-secrets myapp # SECRET value is in myapp environment

Docker example

Build the example Docker image:

make docker

Run:

docker run -e PARAM="text" -e KMS_PARAM="{aws-kms}c2VjcmV0" exec-with-secrets-example echo $KMS_PARAM

You need to put a real KMS-encrypted value and pass AWS credentials to the container.

KMS_PARAM will be decrypted and passed to echo as an environment variable
PARAM will be passed without modifications

You can adapt Dockerfile for your use-case. Use exec-with-secrets just like the regular exec. For example, run a Java application with:

CMD exec-with-secrets java -jar myapp.jar

Note that the decrypted secrets are only visible to your application. docker inspect will show encrypted values

Secret provider access

Your container should have appropriate permissions to the secrets provider.

The default AWS credentials chain is used
Azure authorizer from environment variables/MSI
Azure authorizer from configuration file, if the file is set using AZURE_AUTH_LOCATION variable

Build

make builds Linux and Mac binaries with all providers.

Choose providers

To chose providers (for example only AWS SSM), run:

make TAGS=awsssm

Adding a new provider

See example PR: https://github.com/s12v/exec-with-secrets/pull/1

Open Source Agenda is not affiliated with "Exec With Secrets" Project. README Source: s12v/exec-with-secrets

Stars

Open Issues

Last Commit

1 year ago

Repository

s12v/exec-with-secrets

License

MIT

Open Source Agenda Badge

<a href="https://www.opensourceagenda.com/projects/exec-with-secrets"><img src="https://www.opensourceagenda.com/projects/exec-with-secrets/reviews/badge.svg" alt="Open Source Agenda"></a>

Submit Review Review Your Favorite Project

Submit Resource Articles, Courses, Videos

Submit Article Submit a post to our blog

From the blog

Dec 11, 2022

How to Choose Which Programming Language to Learn First?

From the blog

Dec 11, 2022