Skip to content

garyellis/secrets-ctl

BranchesTags

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

8 Commits

pkg

pkg

 
 

vendor

vendor

 
 

.travis.yml

.travis.yml

 
 

Dockerfile

Dockerfile

 
 

LICENSE

LICENSE

 
 

Makefile

Makefile

 
 

README.md

README.md

 
 

go.mod

go.mod

 
 

go.sum

go.sum

 
 

main.go

main.go

 
 

Repository files navigation

secrets-ctl Build Status

Secrets file storage utility for IAC pipelines.

Features

  • vault transit secret engine encryption/decryption
  • decrypt/encrypt secrets to yaml configuration files
  • write secret yaml configuration files to vault kv
  • export vault kv secrets to secret yaml configuration files

Use Cases

  • secrets storage in git
  • cd pipeline for vault kv secrets (solves how do we maintain a pipeline that write secrets into to vault)
  • backup vault kv secrets engine secrets to yaml

Usage

write a file and encrypt it

$ cat > secret.yaml <<EOF
secretconfig:
  encryption:
    transit_mount: /transit
    transit_key: demo-key
  secrets:
    - vault_kv_path: secret/data/secret1
      data:
        foo1: '{ "foo": "abcd", "bar": "efgh" }'
        foo2: "abcd"
    - vault_kv_path: secret/data/secret2
      data:
        APIKEY: "pretendkey"
EOF


$ export VAULT_ADDR=<my-vault-server>
$ export VAULT_TOKEN=<set-as-needed>


$ secrets-ctl encrypt --path . --filter secret.yaml --backup=false


$ cat secret.yaml
secretconfig:
  encryption:
    transit_mount: /transit
    transit_key: demo-key
  secrets:
  - vault_kv_path: secret/data/example/secret1
    data:
      foo1: vault:v1:HGhX1kSZswsvfDON4ZIWHcZJYEBwDkng7wb//pBliIka6VEY1+jKOmIP8B/DLHiCNNZMVmacJuRcghWr
      foo2: vault:v1:bTPRokegzYryLsoNO1NSO3eA+qUVzAE5lcSGOk3kelI=
  - vault_kv_path: secret/data/example/secret2
    data:
      APIKEY: vault:v1:1kXDbR4WAobetY1GHlIPDb4pHaZYp5iwI6jxKDhHktKr6DtTKv4=

decrypt the file

$ secrets-ctl decrypt --path . --filter secret.yaml --backup=false


$ cat secret.yaml
secretconfig:
  encryption:
    transit_mount: /transit
    transit_key: demo-key
  secrets:
  - vault_kv_path: secret/data/example/secret1
    data:
      foo1: '{ "foo": "abcd", "bar": "efgh" }'
      foo2: abcd
  - vault_kv_path: secret/data/example/secret2
    data:
      APIKEY: pretendkey

encrypt a file and write it to to vault kv store

$ secrets-ctl encrypt --path . --filter secret.yaml --backup=false


$ secrets-ctl vault-kv write --path . --filter secret.yaml

read the secrets with the vault kv command.

$ vault kv get /secret/example/secret1
====== Metadata ======
Key              Value
---              -----
created_time     2020-06-12T04:30:42.200527167Z
deletion_time    n/a
destroyed        false
version          2

==== Data ====
Key     Value
---     -----
foo1    { "foo": "abcd", "bar": "efgh" }
foo2    abcd


$ vault kv get /secret/example/secret2
====== Metadata ======
Key              Value
---              -----
created_time     2020-06-12T04:30:42.350926653Z
deletion_time    n/a
destroyed        false
version          2

===== Data =====
Key       Value
---       -----
APIKEY    pretendkey

About

secrets helper utility

Resources

Readme

License

MIT license
Activity

Stars

0 stars

Watchers

1 watching

Forks

0 forks
Report repository

Releases 5

v0.2.4 Latest
Jun 15, 2020
+ 4 releases

Packages

No packages published

Languages