Simple cli tool to run arbitrary code using environmental variables retrieved as a json object from Azure keyvault, Google Secrets Manager, Doppler Secrets Manager, or AWS Secrets Manager.
Concept based on Jakub Fijałkowski's KVENV.
Usage: envy --secret-name <name> <options>
ENVy
Simple cli tool to run arbitrary code using environmental variables
retrieved as a json object from Azure keyvault.
Created by: Lee Martin (https://github.com/Aechrok)
Options:
-n, --secret-name <string> Name of the secret to be queried.
[env: SECRET_NAME] [required]
-m, --mask <string> Environment variable that should be masked.
-v, --verbose Increase the verbosity of log messages.
-c, --command <string> Command to run within the secrets environment.
--azure Use Azure Keyvault.
--azure-tenant-id <string> The tenant id of the service principal used for authorization.
[env: AZURE_TENANT_ID]
--azure-client-id <string> The application id of the service principal used for authorization.
[env: AZURE_CLIENT_ID]
--azure-client-secret <string> The secret of the service principal used for authorization.
[env: AZURE_CLIENT_SECRET]
--azure-keyvault-name <string> The name of Azure KeyVault (in the public cloud) where the secret lives.
[env: AZURE_KEYVAULT_NAME]
--aws Use AWS Secrets Manager Service.
--aws-access-key-id <string> The AWS access key ID.
[env: AWS_ACCESS_KEY_ID]
--aws-secret-access-key <string> The AWS secret access key.
[env: AWS_SECRET_ACCESS_KEY]
--aws-region <string> The AWS region your secret is located in.
[env: AWS_REGION]
--google Use Google Cloud Secret Manager Service.
--google-application-credentials <string> The path to the credentials json file.
[env: GOOGLE_APPLICATION_CREDENTIALS]
--google-project-id <string> Google Cloud project ID (e.g. "my-project").
[env: GOOGLE_PROJECT_ID]
--google-version-id <string> Cloud KMS secret version (e.g. "1").
[env: GOOGLE_VERSION_ID]
--doppler Use Doppler Secret Manager Service.
--doppler-project <string> Doppler project where the secret lives.
[env: DOPPLER_PROJECT]
--doppler-config <string> Doppler config for the specific environment.
[env: DOPPLER_CONFIG]
--doppler-token <string> Doppler service token.
[env: DOPPLER_TOKEN]
-h, --help Show this message and exit.
- Azure Key Vault
- Google Cloud Secrets Manager
- AWS Secrets Manager
- Doppler Secrets Manager
- Variable masking
- Integration tests
- JSON-based keys
A service principal with read-only access to the Key Vault (the Get secret permission under access policies, or the Key Vault Secrets User role under RBAC) is required to retrieve the environment secret. Presently, ENVy does not support managed identities, so a client ID and client secret are required. These can be obtained by creating an app registration.
More information can be found here: https://docs.microsoft.com/en-us/azure/active-directory/develop/howto-create-service-principal-portal
Environments are stored as a single JSON object within a Key Vault secret. ENVy only reads the current (latest) version of the secret; older versions are never consulted.
{
"SECRET_ONE":"XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX",
"SECRET_TWO":"XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX",
"SECRET_THREE":"XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX"
}
You must have an IAM user whose access key is available to ENVy and which has permission to read the secret from AWS Secrets Manager (at minimum secretsmanager:GetSecretValue on that secret, plus kms:Decrypt on the key if the secret is encrypted with a customer-managed KMS key).
Your secret should be created there. In the console you can either enter key/value pairs or paste the JSON into the plaintext view; both produce the same JSON secret string. More information can be found here: https://docs.aws.amazon.com/kms/latest/developerguide/create-keys.html and https://docs.aws.amazon.com/secretsmanager/latest/userguide/intro.html
Environments are stored as a single JSON object within an AWS Secrets Manager secret.
{
"SECRET_ONE":"XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX",
"SECRET_TWO":"XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX",
"SECRET_THREE":"XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX"
}
A service account with permission to access Google Cloud Secret Manager and its secrets (the Secret Manager Secret Accessor role on the secret or project) is required. A JSON key file generated for this account is what --google-application-credentials points to.
More information can be found here: https://cloud.google.com/iam/docs/creating-managing-service-account-keys
The Google credentials JSON file must be located in the same folder as ENVy or a child folder. Parent folders will fail to locate the key.
Google secrets are versioned, so you need to know which version you want. Environments are stored as a single JSON object within a Google Secret Manager secret, and ENVy reads version 1 unless another version is specified with --google-version-id. Note that version 1 is the first version ever created, not the newest: after you add a new version (for example when rotating a credential), pass its version number explicitly or the stale values will be loaded.
{
"SECRET_ONE":"XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX",
"SECRET_TWO":"XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX",
"SECRET_THREE":"XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX"
}
Ensure that a project has been set up and secrets are stored in whichever config you choose (prd, dev, etc.). You will need to create a service token on the project at Access > Service Tokens > Generate. This is the --doppler-token. A service token is scoped to a single config, so it can only read that config's secrets.
More information can be found here: https://docs.doppler.com/docs/service-tokens
Environmental secrets used with this tool should be stored as a single JSON object within a doppler project's config.
{
"SECRET_ONE":"XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX",
"SECRET_TWO":"XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX",
"SECRET_THREE":"XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX"
}
However you choose to supply them, all options for a particular service are required to run ENVy. These are prefixed with the service name (i.e. --aws, --aws-access-key-id, --aws-secret-access-key, and --aws-region). They can be injected as a Kubernetes secret, or otherwise pushed into the environment that is running ENVy under the environment variable names listed in the help output (./envy -h).
If you are using tools such as Atlantis, where the repository name is provided as a variable at runtime, it is preferable to name the secret the same as the repository so that you can run workflows such as:
envy -n $BASE_REPO_NAME -c 'terraform init'
This allows multi-tenant use: each repository's workflow receives only the secret that carries its name, and the credentials of the primary account that can read every secret are never written into the workflow itself.
Typically, there are no messages for successful actions. If you require more information, specifically to figure out where a failure is occurring, adding the -v or --verbose switch will display a message at each stage:
#> envy ... --verbose -c '...'
Environmental variables found...
Processing credentials...
Credentials found, setting environment...
Processing commands...
Masking is supported to hide a variable from the child command. Adding the -m or --mask switch with the matching variable name will achieve this; the child still sees the variable, but its value is replaced with a placeholder. Multiple masking variables are permitted (repeat the switch for each name).
#> envy ... --mask VARIABLE -c 'echo $VARIABLE'
XXXXXX_MASKED_XXXXXX
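To make the run step concrete (JSON object from the secret store, optional masking, then the command executed in that environment), here is an added, stand-alone Python model of it. This is not ENVy's code: the function names, the check that keys are valid environment-variable names, the rule that a mask must name a key that actually exists, and the sample payload are all this example's own assumptions. It reuses the placeholder value shown above and runs the command through the shell, the way -c '...' does.

```python
"""Model of the ENVy run step: secret JSON -> child environment -> command.

Added illustration, not the project's code. Names and validation rules are
this example's assumptions, not documented ENVy behaviour.
"""
import json
import os
import re
import subprocess
from typing import Dict, Iterable, Mapping, Optional

# Placeholder a masked variable expands to in the child (value shown on the page).
MASK_PLACEHOLDER = "XXXXXX_MASKED_XXXXXX"

# POSIX portable variable name. Assumption: ENVy's own rule is not documented;
# a key the shell cannot name would otherwise be silently unusable.
_ENV_NAME = re.compile(r"^[A-Za-z_][A-Za-z0-9_]*$")

# Constructed sample payload in the shape the README shows; the values are fake.
SAMPLE_SECRET_JSON = json.dumps({
    "SECRET_ONE": "11111111-1111-1111-1111-111111111111",
    "SECRET_TWO": "22222222-2222-2222-2222-222222222222",
    "DB_PASSWORD": "hunter2",
})


def parse_secret_env(raw: str) -> Dict[str, str]:
    """Parse the secret body and insist on a flat object of string values.

    Nested objects, arrays and numbers cannot become environment variables,
    so they are rejected here instead of being stringified and passed on.
    """
    data = json.loads(raw)
    if not isinstance(data, dict):
        raise ValueError("secret must be a JSON object of NAME: value pairs")
    env: Dict[str, str] = {}
    for key, value in data.items():
        if not _ENV_NAME.match(key):
            raise ValueError(f"{key!r} is not a valid environment variable name")
        if not isinstance(value, str):
            raise ValueError(f"{key!r}: value must be a string, got {type(value).__name__}")
        env[key] = value
    return env


def apply_masks(env: Mapping[str, str], masks: Iterable[str]) -> Dict[str, str]:
    """Replace each masked variable's value with the placeholder.

    The child sees the name but never the real value. Masking a name that is
    not in the secret is treated as an error: a typo in the mask list would
    otherwise leak the real value unnoticed.
    """
    masked = dict(env)
    for name in masks:
        if name not in masked:
            raise KeyError(f"cannot mask {name!r}: not present in secret")
        masked[name] = MASK_PLACEHOLDER
    return masked


def build_child_env(secrets: Mapping[str, str],
                    base: Optional[Mapping[str, str]] = None) -> Dict[str, str]:
    """Layer the secret over the inherited environment; secret values win."""
    child = dict(os.environ if base is None else base)
    child.update(secrets)
    return child


def run_in_env(command: str, env: Mapping[str, str]) -> str:
    """Run a command string through /bin/sh with the prepared environment
    and return its stdout, stripped. Raises on a non-zero exit status."""
    result = subprocess.run(command, shell=True, env=dict(env),
                            capture_output=True, text=True, check=True)
    return result.stdout.strip()


if __name__ == "__main__":
    # Equivalent of: envy -n <secret> --mask DB_PASSWORD -c 'echo ...'
    secrets = apply_masks(parse_secret_env(SAMPLE_SECRET_JSON), ["DB_PASSWORD"])
    print(run_in_env("echo one=$SECRET_ONE db=$DB_PASSWORD", build_child_env(secrets)))
```

Because the child is a shell, anything the command echoes or logs with the unmasked variables will end up in CI output; masking protects only the variables you name, so mask any value the command does not actually need.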
Help is provided along with the tool:
envy -h
If you experience bugs or issues, you can create an issue here: https://github.com/Aechrok/envy/issues