Piggy Bank is a secrets storage tool for applications that works with NATS. Secrets are stored encrypted in a JetStream KV and can be retrieved as long as the requestor has access to the subject.
Caution: A decryption key is returned from the initialization phase. If this key is lost, all of the data is unrecoverable.
Be sure to add the KV bucket to NATS first:

```shell
nats kv add piggybank
```

- Start piggybank:

  ```shell
  piggybank service start
  ```

- Initialize the database (this returns the decryption key; keep it safe):

  ```shell
  piggybank client database initialize
  ```

- Unlock the database with the key returned by the initialize step:

  ```shell
  piggybank client database unlock --key foo
  ```

- Add a secret for an application:

  ```shell
  piggybank client secret add --id foo --value bar
  ```

- Retrieve a secret:

  ```shell
  piggybank client secret get --id foo
  ```

- Lock the database:

  ```shell
  piggybank client database lock
  ```

- Try to retrieve the secret again (it fails while the database is locked):

  ```shell
  piggybank client secret get --id foo
  ```
Permissions are defined as normal NATS subject permissions. If you have access to a subject, then you can retrieve the secrets. This means the permissions can be as granular as desired.
Important: Be sure to set proper permissions for inbox responses. It is recommended not to use the default _INBOX prefix for responses but to set a custom inbox prefix per application. This prevents apps from listening for secrets sent to other apps' inboxes.
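The following is an added example, not code from the piggybank project, that makes the inbox point above concrete. It implements NATS subject matching (`*` matches one token, `>` matches one or more trailing tokens) and checks two constructed NATS user permission sets for an app `appb`: one that subscribes to the default `_INBOX.>` prefix and can therefore receive replies addressed to another app, and one restricted to a custom `_INBOX_appb` prefix. The request subject layout (`piggybank.secret.get.<app>.<secret>`) is an assumption for illustration only; the real service's subjects may differ.

```go
package main

import (
	"fmt"
	"strings"
)

// Request subject layout is an assumption for this example; check the
// piggybank service for the subjects it actually serves.
const reqPrefix = "piggybank.secret.get"

// subjectMatches reports whether subject is matched by a NATS subject
// pattern: tokens are '.'-separated, '*' matches exactly one token and
// '>' (only valid as the last token) matches one or more trailing tokens.
func subjectMatches(pattern, subject string) bool {
	pt := strings.Split(pattern, ".")
	st := strings.Split(subject, ".")
	for i, p := range pt {
		if p == ">" {
			return i == len(pt)-1 && len(st) > i
		}
		if i >= len(st) || (p != "*" && p != st[i]) {
			return false
		}
	}
	return len(pt) == len(st)
}

// Permissions mirrors the publish/subscribe allow lists of a NATS user.
type Permissions struct {
	Publish   []string
	Subscribe []string
}

func anyMatch(patterns []string, subject string) bool {
	for _, p := range patterns {
		if subjectMatches(p, subject) {
			return true
		}
	}
	return false
}

// CanSubscribe reports whether the user may subscribe to subject.
func (p Permissions) CanSubscribe(subject string) bool {
	return anyMatch(p.Subscribe, subject)
}

// CanRequest reports whether the user may publish a request on reqSubject
// and receive the reply on inbox. The secret travels back over the inbox,
// so both halves must be allowed.
func (p Permissions) CanRequest(reqSubject, inbox string) bool {
	return anyMatch(p.Publish, reqSubject) && p.CanSubscribe(inbox)
}

// Constructed users for app "appb" (not from the piggybank project).
var (
	// Weak: the default _INBOX prefix with a broad subscribe permission
	// lets appb hear replies meant for any other app.
	weakAppB = Permissions{
		Publish:   []string{reqPrefix + ".appb.>"},
		Subscribe: []string{"_INBOX.>"},
	}
	// Strict: appb connects with a custom inbox prefix (_INBOX_appb) and is
	// only allowed to subscribe under that prefix.
	strictAppB = Permissions{
		Publish:   []string{reqPrefix + ".appb.>"},
		Subscribe: []string{"_INBOX_appb.>"},
	}
)

func main() {
	// Reply inboxes as a NATS client generates them: prefix + "." + random id.
	appAReply := "_INBOX.Kf3x2.1"            // default prefix
	appAReplyCustom := "_INBOX_appa.Kf3x2.1" // custom per-app prefix
	fmt.Println("weak appb can read appa's inbox:", weakAppB.CanSubscribe(appAReply))                 // true
	fmt.Println("strict appb can read appa's inbox:", strictAppB.CanSubscribe(appAReplyCustom))       // false
	fmt.Println("strict appb can fetch its own secret:",
		strictAppB.CanRequest(reqPrefix+".appb.dbpass", "_INBOX_appb.Qz9.1")) // true
	fmt.Println("strict appb can fetch appa's secret:",
		strictAppB.CanRequest(reqPrefix+".appa.dbpass", "_INBOX_appb.Qz9.1")) // false
}
```

On the client side the custom prefix is set with the nats.go option `nats.CustomInboxPrefix("_INBOX_appb")` when connecting, and on the server side the user's `subscribe` permission is limited to `_INBOX_appb.>` together with the request subjects that app is allowed to ask for.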
To send requests to Piggybank you can either send NATS requests directly or use the helper client. Here's an example assuming the key of the secret is myapp.somesecret (nats.go and the piggybank service package are imported, and someURL is your NATS server URL):

```go
nc, err := nats.Connect(someURL) // someURL: your NATS server URL
if err != nil {
	log.Fatal(err)
}
defer nc.Close()
client := service.Client{Conn: nc}
// Get requests the secret stored under "myapp.somesecret".
msg, err := client.Get("myapp.somesecret")
if err != nil {
	log.Fatal(err)
}
fmt.Println(msg)
```
Piggybank supports multiple auth methods for NATS:
- Your current NATS context
- A path to a credentials file
- Env vars for the JWT and SEED