exec-with-secrets
It supports the following services as secrets providers:
- AWS Key Management (KMS)
- AWS Systems Manager Parameter Store (SSM)
- AWS Secrets Manager
- Azure Key Vault
This utility looks for prefixed variables in the environment and replaces them with secret values:
- `{aws-kms}AQICAHjA3mwbmf...` - decrypts the value using AWS KMS
- `{aws-ssm}/app/param` - loads parameter `/app/param` from AWS Systems Manager Parameter Store
- `{aws-sm}/app/param` - loads secret `/app/param` from AWS Secrets Manager
- `{aws-sm}/app/param{prop1}` - loads secret `/app/param` from AWS Secrets Manager and takes the `prop1` property
- `{az-kv}vault/name` - loads secret `name` from Azure Key Vault `vault`
After decrypting secrets it runs the [exec](https://en.wikipedia.org/wiki/Exec_(system_call)) system call, replacing itself with your app.
The app can simply access decrypted secrets in the environment.
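The prefix handling described above, as an added Go example that is not code from the exec-with-secrets project: a `Provider` interface stands in for the AWS and Azure clients, backed by a constructed in-memory `mapProvider`, and `ResolveValue` does the `{provider}reference{property}` parsing (names and the sample secret are assumptions). The real tool applies this to every variable and hands the rewritten environment to exec(), so the plaintext exists only in the new process image.

```go
package main

import (
	"encoding/json"
	"fmt"
	"regexp"
)
// Provider fetches one secret by the reference after the "{name}" prefix; the real tool
// backs it with AWS/Azure SDKs, mapProvider is a constructed in-memory stand-in.
type Provider interface{ Resolve(ref string) (string, error) }
type mapProvider map[string]string

func (m mapProvider) Resolve(ref string) (string, error) {
	if v, ok := m[ref]; ok {
		return v, nil
	}
	return "", fmt.Errorf("unknown secret %q", ref)
}

// refPattern matches "{provider}reference" with an optional trailing "{property}".
var refPattern = regexp.MustCompile(`^\{([a-z-]+)\}(.*?)(?:\{([^{}]+)\})?$`)

// ResolveValue returns a value unchanged unless it carries a known prefix; a trailing
// "{prop}" selects one field of a JSON secret (the "{aws-sm}/app/param{prop1}" form).
func ResolveValue(value string, providers map[string]Provider) (string, error) {
	m := refPattern.FindStringSubmatch(value)
	if m == nil || providers[m[1]] == nil {
		return value, nil // plain variable or unknown prefix: passed through as-is
	}
	secret, err := providers[m[1]].Resolve(m[2])
	if err != nil || m[3] == "" {
		return secret, err
	}
	var fields map[string]string // assumes a flat JSON object of string fields
	if err := json.Unmarshal([]byte(secret), &fields); err != nil {
		return "", fmt.Errorf("secret %q is not a JSON object: %w", m[2], err)
	}
	if v, ok := fields[m[3]]; ok {
		return v, nil
	}
	return "", fmt.Errorf("secret %q has no property %q", m[2], m[3])
}

func main() {
	// Constructed sample: a JSON secret as Secrets Manager would hold it.
	providers := map[string]Provider{
		"aws-sm": mapProvider{"/app/db": `{"user":"app","password":"s3cr3t"}`}}
	v, err := ResolveValue("{aws-sm}/app/db{password}", providers)
	fmt.Println(v, err) // s3cr3t <nil>
}
```

Because the plaintext lives in the new process's environment, anything that inherits that environment (child processes) or can read it on the same host (a debugger, `/proc/<pid>/environ`) sees it too. `docker inspect` reports the container's configured environment, which is why it shows only the encrypted references.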
Basic example:
SECRET="{aws-ssm}/my/secret" exec-with-secrets myapp # SECRET value is in myapp environment
Build the example Docker image:
make docker
Run:
docker run -e PARAM="text" -e KMS_PARAM="{aws-kms}c2VjcmV0" exec-with-secrets-example sh -c 'echo $KMS_PARAM'
You need to put a real KMS-encrypted value and pass AWS credentials to the container.
- `KMS_PARAM` will be decrypted and passed to `echo` as an environment variable
- `PARAM` will be passed without modifications
You can adapt the Dockerfile for your use-case. Use `exec-with-secrets` just like the regular `exec`. For example, run a Java application with:
CMD exec-with-secrets java -jar myapp.jar
Note that the decrypted secrets are only visible to your application; `docker inspect` will show the encrypted values.
Your container should have appropriate permissions to the secrets provider.
- The default AWS credentials chain is used
- Azure authorizer from environment variables/MSI
- Azure authorizer from a configuration file, if the file is set using the `AZURE_AUTH_LOCATION` variable
`make` builds Linux and Mac binaries with all providers.
To choose providers (for example only AWS SSM), run:
make TAGS=awsssm
See example PR: s12v#1