A simple CLI tool to run a process with secrets from AWS Secrets Manager or AWS Parameter Store
forked from pratishshr/envault
Envctl focuses on integrating AWS Secrets Manager in your application with ease without having to write a single line of code in your source files. Simply run your commands with the envctl CLI and the secrets will be injected in that process.
- Install envctl
- Verify Installation
- AWS Credentials
- Setup
- List Secrets
- Update Secrets
- Run With Secrets
- Usage with CI/CD
- Using custom .env files
curl -fsSL https://raw.githubusercontent.com/leonardobiffi/envctl/master/scripts/install.sh | sh
Note:
If your architecture is not supported, clone this repo and run go build
to generate a binary.
Then, simply place the binary in your local bin
.
envctl
Before using envctl, you have to provide your AWS credentials. This allows envctl to fetch secrets from the AWS Secrets Manager. Also, make sure you have the correct access for your credentials.
Simply create ~/.aws/credentials
file for storing AWS credentials.
Example:
[example-profile]
aws_access_key_id = xxxxxx
aws_secret_access_key = xxxxxx
To know more about AWS configurations, view Configuring the AWS CLI
Go to your project directory and run setup
command to initiate the setup process.
envctl setup
- Choose your AWS profile that was setup earlier.
- Choose the AWS Region where your secrets are kept.
- You can also add a deployment environment associated with the secret name. You may add any number of environment you want.
- Set a default env
Example:
AWS profile: default
Region: US West (Oregon)
Add an environment (eg. dev): dev
Secret Name: api/dev
Add an environment (eg. dev): uat
Secret Name: api/uat
envctl.json
file will be created in your project directory like below.
{
"profile": "default",
"region": "us-west-2",
"environments": {
"dev": "api/dev",
"uat": "api/uat"
},
"defaultEnv": "dev"
}
If you do not want a project-specific config file, you can skip the above step.
envctl list -e dev
envctl list -e uat
Here dev
and uat
are the environments you specified in envctl.json
.
If you have not setup a envctl.json
file, you can still pass --secret
or -s
flag with the secrets path.
This will use the default
profile from your ~/.aws/credentials
file.
envctl list --secret=api/dev
envctl list --secret=api/uat
You also can list environments from AWS Parameter Store
envctl list --parameter=api/dev
envctl list --parameter=api/uat
This will update secrets with content in .env file
envctl update --secret=/dev/service/app --envfile .env
Or update secret on Parameter Store
envctl update --parameter=/dev/service/app --envfile .env
envctl run 'yarn build' -e dev
This will inject the secrets from dev
to the yarn build
process.
Similarly, if you have not setup a envctl.json
file, you can still pass --secret
or -s
flag with the secrets path.
This will use the default
profile from your ~/.aws/credentials
file.
envctl run 'yarn build' --secret=api/dev
Instead of setting up a ~/.aws/credentials
file. You can also use the following environment variables to set up your AWS credentials.
Variable | Description |
---|---|
AWS_ACCESS_KEY_ID | Your AWS access key |
AWS_SECRET_ACCESS_KEY | Your AWS secret key |
AWS_REGION | AWS region where you added your secret |
ENVIRONMENT | Environment which you set in envctl.json |
SECRET_NAME | AWS Secret Name |
PARAMETER_NAME | AWS Parameter Store Path |
If you want to inject environment keys from a file instead of using AWS Secrets Manager. You can use the-ef
flag.
envctl run 'envctl run 'go run main.go' -ef env/staging.env
This project is licensed under the MIT License - see the LICENSE file for details