Skip to content

Handle secrets in Docker using AWS KMS, SSM parameter store, Secrets Manager, or Azure Key Vault

License

Notifications You must be signed in to change notification settings

s12v/exec-with-secrets

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

49 Commits
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 

Repository files navigation

Build Status codecov

Inject secrets from AWS KMS/SSM/Secrets Manager and Azure Key Vault into your app environment

exec-with-secrets supports the following services as secrets providers:

This utility looks for prefixed variables in environment and replaces them with secret values:

  • {aws-kms}AQICAHjA3mwbmf... - decrypts the value using AWS KMS
  • {aws-ssm}/app/param - loads parameter /app/param from AWS Systems Manager Parameter Store
  • {aws-sm}/app/param - loads secret /app/param from AWS Secrets Manager
  • {aws-sm}/app/param[prop1] - loads secret /app/param from AWS Secrets Manager and takes prop1 property
  • {az-kv}vault/name - loads secret name from Azure Key Vault vault

After decrypting secrets it runs exec system call, replacing itself with your app. The app can simply access decrypted secrets in the environment.

Basic example:

SECRET="{aws-ssm}/my/secret" exec-with-secrets myapp # SECRET value is in myapp environment

Docker example

Build the example Docker image:

make docker

Run:

docker run -e PARAM="text" -e KMS_PARAM="{aws-kms}c2VjcmV0" exec-with-secrets-example echo $KMS_PARAM

You need to put a real KMS-encrypted value and pass AWS credentials to the container.

  • KMS_PARAM will be decrypted and passed to echo as an environment variable
  • PARAM will be passed without modifications

You can adapt Dockerfile for your use-case. Use exec-with-secrets just like the regular exec. For example, run a Java application with:

CMD exec-with-secrets java -jar myapp.jar

Note that the decrypted secrets are only visible to your application. docker inspect will show encrypted values

Secret provider access

Your container should have appropriate permissions to the secrets provider.

  • The default AWS credentials chain is used
  • Azure authorizer from environment variables/MSI
  • Azure authorizer from configuration file, if the file is set using AZURE_AUTH_LOCATION variable

Build

make builds Linux and Mac binaries with all providers.

Choose providers

To chose providers (for example only AWS SSM), run:

make TAGS=awsssm

Adding a new provider

See example PR: #1