
jicowan / secret-sidecar

Licence: other
A Kubernetes init container that retrieves a secret from AWS Secrets Manager

Programming Languages

go
31211 projects - #10 most used programming language
Starlark
911 projects
shell
77523 projects
Dockerfile
14818 projects

Projects that are alternatives of or similar to secret-sidecar

envy
Use envy to manage environment variables with your OS keychain
Stars: ✭ 23 (-4.17%)
Mutual labels:  secrets, secrets-manager
vault-sidecar-injector
Kubernetes admission webhook for secure, seamless and dynamic handling of secrets in your applications
Stars: ✭ 55 (+129.17%)
Mutual labels:  secrets, sidecar
Passcat
Passwords Recovery Tool
Stars: ✭ 164 (+583.33%)
Mutual labels:  secrets
SecureStore
A .NET implementation of the cross-platform SecureStore (symmetrically-encrypted secrets) protocol
Stars: ✭ 62 (+158.33%)
Mutual labels:  secrets
Privy
An easy, fast lib to correctly password-protect your data
Stars: ✭ 230 (+858.33%)
Mutual labels:  secrets
Reloader
Reloader is maintained by Stakater. Like it? Please let us know at [email protected]
Stars: ✭ 2,930 (+12108.33%)
Mutual labels:  secrets
Vault Secrets Gen
A Vault secrets plugin for generating high entropy passwords and passphrases.
Stars: ✭ 238 (+891.67%)
Mutual labels:  secrets
Shhh
Share sensitive info without leaving a trace in your chat logs or email accounts.
Stars: ✭ 159 (+562.5%)
Mutual labels:  secrets
terraform-aws-eks-workers
Terraform module to provision an AWS AutoScaling Group, IAM Role, and Security Group for EKS Workers
Stars: ✭ 82 (+241.67%)
Mutual labels:  eks
Keywhiz
A system for distributing and managing secrets
Stars: ✭ 2,452 (+10116.67%)
Mutual labels:  secrets
terraform-aws-eks-fargate-cluster
Source code of my AWS EKS with fargate cluster setup
Stars: ✭ 26 (+8.33%)
Mutual labels:  eks
Whispers
Identify hardcoded secrets and dangerous behaviours
Stars: ✭ 66 (+175%)
Mutual labels:  secrets
Yar
Yar is a tool for plunderin' organizations, users and/or repositories.
Stars: ✭ 174 (+625%)
Mutual labels:  secrets
Git-Secret
Go scripts for finding sensitive data like API key / some keywords in the github repository
Stars: ✭ 156 (+550%)
Mutual labels:  secrets
Helm Secrets
Successor of zendesk/helm-secrets - A helm plugin that helps manage secrets with a Git workflow and store them anywhere
Stars: ✭ 165 (+587.5%)
Mutual labels:  secrets
youtube-10k-pods
10,000 Kubernetes Pods for 10,000 Subscribers
Stars: ✭ 73 (+204.17%)
Mutual labels:  eks
Serverless Secrets
An opinionated tool for safely managing and deploying Serverless projects and their secrets.
Stars: ✭ 162 (+575%)
Mutual labels:  secrets
Hashicorp Vault Plugin
Jenkins plugin to populate environment variables from secrets stored in HashiCorp's Vault.
Stars: ✭ 191 (+695.83%)
Mutual labels:  secrets
Kubernetes Secret Manager
Manage secrets with Vault inside a Kubernetes cluster
Stars: ✭ 231 (+862.5%)
Mutual labels:  secrets
terraform-aws-ssm-parameter-store
Terraform module to populate AWS Systems Manager (SSM) Parameter Store with values from Terraform. Works great with Chamber.
Stars: ✭ 87 (+262.5%)
Mutual labels:  secrets

secret-sidecar

The secret-sidecar project is an example of how you can retrieve a secret from AWS Secrets Manager using an init container and place it on a RAM disk that is shared with an application container, so the secret never touches the node's disk. The init container is written in Go and uses IAM Roles for Service Accounts (IRSA) to assume an identity that has permission to read the secret.

Using the init container

The init container looks for two environment variables: AWS_REGION and SECRET_NAME. Set both in your pod manifest. AWS_REGION designates the region where the secret is stored and SECRET_NAME is the name of the secret in AWS Secrets Manager. For an example, see hello.deployment.yaml.

The serviceAccountName references the Kubernetes service account that allows the init container to assume an IAM role with permission to read secrets from AWS Secrets Manager. When running in production, this service account and IAM role should be scoped to read only a specific secret or set of secrets.
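A manifest wiring these pieces together, written here as an added example rather than the project's own hello.deployment.yaml. It uses a memory-backed emptyDir as the shared RAM disk; the image names, the IAM role ARN, the secret name and the mount path the init container writes to (/tmp/secret) are assumptions, since the page does not state them.

```yaml
apiVersion: apps/v1
kind: Deployment
metadata:
  name: hello
spec:
  replicas: 1
  selector:
    matchLabels:
      app: hello
  template:
    metadata:
      labels:
        app: hello
    spec:
      # Service account bound to an IAM role through IRSA; scope that role
      # to secretsmanager:GetSecretValue on this one secret only.
      serviceAccountName: hello-sa
      volumes:
      - name: secret-vol
        emptyDir:
          medium: Memory   # RAM-backed: the secret is never written to node disk
          sizeLimit: 1Mi   # counts against the pod's memory limit, so keep it small
      initContainers:
      - name: secret-sidecar
        image: EXAMPLE/secret-sidecar:latest   # placeholder image name
        env:
        - name: AWS_REGION
          value: us-west-2
        - name: SECRET_NAME
          value: hello/db-password            # constructed secret name
        volumeMounts:
        - name: secret-vol
          mountPath: /tmp/secret              # assumed write location
      containers:
      - name: hello
        image: EXAMPLE/hello:latest           # placeholder image name
        volumeMounts:
        - name: secret-vol
          mountPath: /tmp/secret              # app reads the secret from here
          readOnly: true                      # app container cannot alter it
---
apiVersion: v1
kind: ServiceAccount
metadata:
  name: hello-sa
  annotations:
    # IRSA binding; placeholder account id and role name
    eks.amazonaws.com/role-arn: arn:aws:iam::123456789012:role/EXAMPLE-secret-reader
```

Because the init container must finish before the app container starts, a failed secret fetch leaves the pod in Init state rather than starting the application without its secret, which is the behaviour you want and a useful signal to alert on.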

ECS

This sidecar pattern also works with ECS using Enhanced Container Dependencies. Instead of a RAM disk, the secret is written to a Docker volume on the local host. See using data volumes for additional information. A sample task definition is included in the ecs-task-def directory.

TODO

Create a mutating webhook that automatically adds the init container to a pod when a specific annotation is added to the pod.
