s12v / exec-with-secrets

Licence: MIT license
Handle secrets in Docker using AWS KMS, SSM parameter store, Secrets Manager, or Azure Key Vault

Inject secrets from AWS KMS/SSM/Secrets Manager and Azure Key Vault into your app environment

exec-with-secrets supports the following services as secrets providers:

  • AWS KMS
  • AWS Systems Manager Parameter Store
  • AWS Secrets Manager
  • Azure Key Vault

This utility looks for prefixed variables in the environment and replaces them with secret values:

  • {aws-kms}AQICAHjA3mwbmf... - decrypts the value using AWS KMS
  • {aws-ssm}/app/param - loads parameter /app/param from AWS Systems Manager Parameter Store
  • {aws-sm}/app/param - loads secret /app/param from AWS Secrets Manager
  • {aws-sm}/app/param[prop1] - loads secret /app/param from AWS Secrets Manager and takes prop1 property
  • {az-kv}vault/name - loads secret name from Azure Key Vault vault

After decrypting secrets it runs exec system call, replacing itself with your app. The app can simply access decrypted secrets in the environment.
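The prefix scheme and the resolve-then-exec flow described above, as an added Go sketch that is not the project's own code. `Ref`, `ParseRef`, `Resolve` and the `fetch` callback (a stand-in for the provider SDK call) are hypothetical names; treating a `[prop]` secret as a flat JSON object and an empty result as a failure are assumptions.

```go
package main

import (
	"encoding/json"
	"fmt"
	"regexp"
	"strings"
)

// Ref is one parsed reference, e.g. {aws-sm}/app/param[prop1].
type Ref struct{ Provider, Path, Prop string }
var refRe = regexp.MustCompile(`^\{(aws-kms|aws-ssm|aws-sm|az-kv)\}(.+?)(\[([^\]]+)\])?$`)

// ParseRef returns ok=false for values without a known prefix (passed through as-is).
func ParseRef(v string) (Ref, bool) {
	m := refRe.FindStringSubmatch(v)
	if m == nil {
		return Ref{}, false
	}
	if m[1] != "aws-sm" { // [prop] is documented for Secrets Manager only
		return Ref{m[1], m[2] + m[3], ""}, true
	}
	return Ref{m[1], m[2], m[4]}, true
}

// Resolve fails closed: any failed lookup aborts before the app would be exec'd.
func Resolve(env []string, fetch func(Ref) (string, error)) ([]string, error) {
	out := make([]string, 0, len(env))
	for _, kv := range env {
		name, val, _ := strings.Cut(kv, "=")
		if ref, ok := ParseRef(val); ok {
			secret, err := fetch(ref)
			if err == nil && ref.Prop != "" { // assumed: the secret is a flat JSON object
				obj := map[string]string{}
				err = json.Unmarshal([]byte(secret), &obj)
				secret = obj[ref.Prop]
			}
			if err != nil || secret == "" { // assumed: empty counts as a failure
				return nil, fmt.Errorf("%s: cannot resolve %s reference", name, ref.Provider)
			}
			val = secret
		}
		out = append(out, name+"="+val)
	}
	return out, nil // the real tool would hand this environment to the exec call
}

func main() {
	fmt.Println(Resolve([]string{"PARAM=text"}, nil)) // constructed input, no lookup needed
}
```

The error names only the variable and the provider, never the reference value or the secret, so a failed start does not leak either into container logs.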

Basic example:

SECRET="{aws-ssm}/my/secret" exec-with-secrets myapp # SECRET value is in myapp environment

Docker example

Build the example Docker image:

make docker

Run:

docker run -e PARAM="text" -e KMS_PARAM="{aws-kms}c2VjcmV0" exec-with-secrets-example sh -c 'echo "$KMS_PARAM"' # single quotes keep the host shell from expanding $KMS_PARAM

You need to put a real KMS-encrypted value and pass AWS credentials to the container.

  • KMS_PARAM will be decrypted and passed to echo as an environment variable
  • PARAM will be passed without modifications

You can adapt the Dockerfile for your use case. Use exec-with-secrets just like the regular exec. For example, run a Java application with:

CMD exec-with-secrets java -jar myapp.jar

Note that the decrypted secrets are only visible to your application. docker inspect will show encrypted values.

Secret provider access

Your container should have appropriate permissions to the secrets provider.

  • The default AWS credentials chain is used
  • Azure authorizer from environment variables/MSI
  • Azure authorizer from configuration file, if the file is set using AZURE_AUTH_LOCATION variable

Build

make builds Linux and Mac binaries with all providers.

Choose providers

To choose providers (for example only AWS SSM), run:

make TAGS=awsssm

Adding a new provider

See example PR: #1