exec-with-secrets supports the following services as secrets providers:
- AWS Key Management (KMS)
- AWS Systems Manager Parameter Store (SSM)
- AWS Secrets Manager
- Azure Key Vault
This utility looks for prefixed variables in the environment and replaces them with secret values:
- `{aws-kms}AQICAHjA3mwbmf...` - decrypts the value using AWS KMS
- `{aws-ssm}/app/param` - loads parameter `/app/param` from AWS Systems Manager Parameter Store
- `{aws-sm}/app/param` - loads secret `/app/param` from AWS Secrets Manager
- `{aws-sm}/app/param[prop1]` - loads secret `/app/param` from AWS Secrets Manager and takes its `prop1` property
- `{az-kv}vault/name` - loads secret `name` from Azure Key Vault `vault`
After resolving the secrets it calls the exec system call, replacing itself with your app.
The app can simply access decrypted secrets in the environment.
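The prefix scheme above, as an added Go example that is not exec-with-secrets' own code: it parses `{provider}key[prop]` references, resolves them through a hypothetical `Resolver` function per prefix (a stand-in for the real KMS, SSM, Secrets Manager and Key Vault clients, which are not wired in), and rebuilds the KEY=VALUE environment the way the tool would before exec. The `[prop]` selector assumes the stored secret is a JSON object with string values.

```go
package main

import (
	"encoding/json"
	"fmt"
	"regexp"
	"strings"
)

// Resolver fetches one secret by key for a provider prefix such as "aws-ssm" (hypothetical API).
type Resolver func(key string) (string, error)
// refRe matches "{provider}key" with an optional trailing "[prop]" selector.
var refRe = regexp.MustCompile(`^\{([a-z0-9-]+)\}(.+?)(?:\[([^\]]+)\])?$`)

// resolveValue returns v unchanged unless it carries a known provider prefix.
func resolveValue(v string, providers map[string]Resolver) (string, error) {
	m := refRe.FindStringSubmatch(v)
	if m == nil || providers[m[1]] == nil {
		return v, nil // plain value or unknown prefix: pass through untouched
	}
	secret, err := providers[m[1]](m[2])
	if err != nil {
		return "", fmt.Errorf("%s %s: %w", m[1], m[2], err)
	}
	if m[3] == "" {
		return secret, nil
	}
	// "[prop]" selects one field of a JSON secret (the Secrets Manager case).
	var obj map[string]string
	if err := json.Unmarshal([]byte(secret), &obj); err != nil {
		return "", fmt.Errorf("%s is not a JSON object: %w", m[2], err)
	}
	if p, ok := obj[m[3]]; ok {
		return p, nil
	}
	return "", fmt.Errorf("property %q not found in %s", m[3], m[2])
}

// resolveEnv rewrites each KEY=VALUE entry whose value is a secret reference;
// the result is what would be handed to exec, so the app sees only plain values.
func resolveEnv(env []string, providers map[string]Resolver) ([]string, error) {
	out := make([]string, 0, len(env))
	for _, kv := range env {
		k, v, _ := strings.Cut(kv, "=") // split on the first "=" only; values may contain "="
		r, err := resolveValue(v, providers)
		if err != nil {
			return nil, fmt.Errorf("%s: %w", k, err)
		}
		out = append(out, k+"="+r)
	}
	return out, nil
}
```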
Basic example:
SECRET="{aws-ssm}/my/secret" exec-with-secrets myapp # SECRET value is in myapp environment
Build the example Docker image:
make docker
Run:
docker run -e PARAM="text" -e KMS_PARAM="{aws-kms}c2VjcmV0" exec-with-secrets-example echo $KMS_PARAM
You need to put a real KMS-encrypted value and pass AWS credentials to the container.
- `KMS_PARAM` will be decrypted and passed to `echo` as an environment variable
- `PARAM` will be passed without modification
You can adapt the Dockerfile for your use case. Use exec-with-secrets just like a regular exec. For example, run a Java application with:
CMD exec-with-secrets java -jar myapp.jar
Note that the decrypted secrets are only visible to your application; docker inspect will show the encrypted values.
Your container should have appropriate permissions to the secrets provider.
- The default AWS credentials chain is used
- Azure authorizer from environment variables/MSI
- Azure authorizer from a configuration file, if the file path is set in the AZURE_AUTH_LOCATION variable
make builds Linux and Mac binaries with all providers.
To choose providers (for example only AWS SSM), run:
make TAGS=awsssm
See example PR: #1