This repository has been archived by the owner on Mar 2, 2021. It is now read-only.

fishi0x01/saidumlo
SaiDumLo

SaiDumLo aims to be a client-side secret management tool, primarily designed for local development.

Currently, SaiDumLo only acts as a wrapper around HashiCorp's vault client. Vault is awesome, but lacks an easily configurable config file to sync your local ops repo with the vault secrets. I always find myself writing and maintaining different Makefile commands for different secrets of different stages (qa/staging/live, ...). SaiDumLo lets you easily define and manage different secret groups like qa or prod in a single yaml config file. It can also handle directory subtrees through the wildcard * and write/read binary data via base64 encoding.

Example .secrets.yml:

---
vaults:
  vaultA:
    default: true
    address: "http://127.0.0.1:8200"
    bin: "my/path/to/vault"
    auth:
      method: "github"
      credential_file: "my/path/to/credentials"

  vaultB:
    address: "https://vault.b.int.company.local:8200"
    bin: "my/path/to/vault"
    auth:
      method: "github"
      credential_file: "my/path/to/credentials"

secrets:
  secretTree:
    lease_ttl: "2h"
    mappings:
    - local: "local/secretTree/*"
      vault: "secret/vaultTree/remote/*"

  binaryData:
    mappings:
    - local: "some/zip/file.zip"
      vault: "secret/file.zip"
      base64: true

  qa:
    lease_ttl: "1h"
    mod: 0600
    mappings:
    - local: "local/path/to/qa-foo"
      vault: "secret/qa/qa-foo"
    - local: "local/path/to/qa-bar"
      vault: "secret/qa/qa-bar"
      mod: 0755

  prod:
    mappings:
    - local: "local/path/to/prod-foo"
      vault: "secret/prod/prod-foo"

SaiDumLo handles reads and writes of your secret groups by using the vault client. Running sdl read qa synchronizes your local qa secrets with the current ones from the default vault (vaultA); sdl -b vaultB write prod writes your local prod secrets to vaultB.
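As an added example (not SaiDumLo's own code), the following Python models how the config above resolves: which vault sdl -b selects, how a group's mappings expand (including the wildcard subtree and the per-mapping mod overriding the group-level mod), and how binary mappings are base64-encoded before they reach Vault. The config dict and the file list are constructed stand-ins for the parsed .secrets.yml and the local tree; the 0600 fallback when no mod is set anywhere is an assumption.

```python
import base64

# Constructed stand-in for the parsed example .secrets.yml (not SaiDumLo's own code).
CONFIG = {
    "vaults": {
        "vaultA": {"default": True, "address": "http://127.0.0.1:8200"},
        "vaultB": {"address": "https://vault.b.int.company.local:8200"},
    },
    "secrets": {
        "secretTree": {"mappings": [
            {"local": "local/secretTree/*", "vault": "secret/vaultTree/remote/*"}]},
        "binaryData": {"mappings": [
            {"local": "some/zip/file.zip", "vault": "secret/file.zip", "base64": True}]},
        "qa": {"mod": 0o600, "mappings": [
            {"local": "local/path/to/qa-foo", "vault": "secret/qa/qa-foo"},
            {"local": "local/path/to/qa-bar", "vault": "secret/qa/qa-bar", "mod": 0o755}]},
    },
}

def select_vault(config, override=None):
    """Mirror `sdl -b <name>`: an explicit override wins, else the single default vault."""
    if override:
        return config["vaults"][override]
    defaults = [n for n, v in config["vaults"].items() if v.get("default")]
    if len(defaults) != 1:
        raise ValueError("exactly one vault must be marked default")
    return config["vaults"][defaults[0]]

def resolve_group(config, group, local_files):
    """Expand a group's mappings into (local, vault, mode, base64) tuples; wildcard
    mappings are matched against local_files (a constructed stand-in for the local
    tree). A per-mapping mod beats the group mod; with neither set, 0600 is assumed."""
    grp = config["secrets"][group]
    out = []
    for m in grp["mappings"]:
        mode = m.get("mod", grp.get("mod", 0o600))
        b64 = bool(m.get("base64", False))
        if "*" in m["local"]:  # subtree mapping: substitute the tail after the prefix
            lprefix, vprefix = m["local"].split("*", 1)[0], m["vault"].split("*", 1)[0]
            out.extend((f, vprefix + f[len(lprefix):], mode, b64)
                       for f in local_files if f.startswith(lprefix))
        else:
            out.append((m["local"], m["vault"], mode, b64))
    return out

def encode_for_vault(data: bytes, b64: bool) -> str:
    """Vault KV values are strings: binary mappings go in base64, others must be UTF-8 text."""
    return base64.b64encode(data).decode("ascii") if b64 else data.decode("utf-8")
```

A non-base64 mapping pointed at a binary file fails in encode_for_vault with a UnicodeDecodeError, which is exactly the case the base64: true flag exists for.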

Before reading or writing, SaiDumLo authenticates with the vault using the specified method. In the example .secrets.yml the github method is used, which requires a github auth token from your account. The auth credentials file must contain key/value pairs of the parameters the method needs, e.g., for github:

github.credentials.auth:

token=<my-github-token>

For the userpass mechanism it should be:

userpass.credentials.auth:

username=<my-user>
password=<my-password>

Consult the vault auth documentation to see which parameters need to be specified in the credentials file for your auth method.

NOTE: Do not forget to add the auth credential file to your .gitignore!

Build and Test

make verify

Tested with vault 0.7.0 on Ubuntu Trusty.