Merge pull request #26 from masinger/develop
Release v0.0.1
Showing 24 changed files with 689 additions and 35 deletions.
@@ -0,0 +1,11 @@ | ||
# To get started with Dependabot version updates, you'll need to specify which | ||
# package ecosystems to update and where the package manifests are located. | ||
# Please see the documentation for all configuration options: | ||
# https://docs.github.com/github/administering-a-repository/configuration-options-for-dependency-updates | ||
|
||
version: 2 | ||
updates: | ||
- package-ecosystem: "gomod" | ||
directory: "/" | ||
schedule: | ||
interval: "daily" |
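Review bot: only the `gomod` ecosystem is configured here, while the release workflow added in the same PR consumes third-party actions (`actions/checkout@v3`, `actions/setup-go@v3`, `actions/create-release@v1`, `actions/upload-release-asset@v1`) that will never receive Dependabot update PRs with this file as written. Suggest adding a second entry with the same schedule block, i.e. `- package-ecosystem: "github-actions"` and `directory: "/"`, so that action references are kept current too.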
@@ -0,0 +1,84 @@ | ||
name: Release | ||
|
||
on: | ||
push: | ||
tags: [ "v*" ] | ||
|
||
jobs: | ||
build: | ||
|
||
runs-on: ubuntu-latest | ||
|
||
steps: | ||
- uses: actions/checkout@v3 | ||
|
||
- name: Set up Go | ||
uses: actions/setup-go@v3 | ||
with: | ||
go-version: 1.20.0 | ||
|
||
- name: Build | ||
run: make build | ||
|
||
- name: Create release | ||
uses: actions/create-release@v1 | ||
id: create_release | ||
with: | ||
draft: false | ||
prerelease: false | ||
release_name: ${{ github.ref_name }} | ||
tag_name: ${{ github.ref }} | ||
body: | | ||
Refer to this version's entry within the [CHANGELOG.md](CHANGELOG.md) for further release information. | ||
env: | ||
GITHUB_TOKEN: ${{ github.token }} | ||
|
||
- name: Upload Linux x64 artifact | ||
uses: actions/upload-release-asset@v1 | ||
env: | ||
GITHUB_TOKEN: ${{ github.token }} | ||
with: | ||
upload_url: ${{ steps.create_release.outputs.upload_url }} | ||
asset_path: ./bin/incredible-linux-amd64 | ||
asset_name: incredible-linux-amd64 | ||
asset_content_type: application/x-elf | ||
|
||
- name: Upload Linux arm64 artifact | ||
uses: actions/upload-release-asset@v1 | ||
env: | ||
GITHUB_TOKEN: ${{ github.token }} | ||
with: | ||
upload_url: ${{ steps.create_release.outputs.upload_url }} | ||
asset_path: ./bin/incredible-linux-arm64 | ||
asset_name: incredible-linux-arm64 | ||
asset_content_type: application/x-elf | ||
|
||
- name: Upload Windows x64 artifact | ||
uses: actions/upload-release-asset@v1 | ||
env: | ||
GITHUB_TOKEN: ${{ github.token }} | ||
with: | ||
upload_url: ${{ steps.create_release.outputs.upload_url }} | ||
asset_path: ./bin/incredible-windows-amd64.exe | ||
asset_name: incredible-windows-amd64.exe | ||
asset_content_type: application/x-msdownload | ||
|
||
- name: Upload MacOS amd64 artifact | ||
uses: actions/upload-release-asset@v1 | ||
env: | ||
GITHUB_TOKEN: ${{ github.token }} | ||
with: | ||
upload_url: ${{ steps.create_release.outputs.upload_url }} | ||
asset_path: ./bin/incredible-darwin-amd64 | ||
asset_name: incredible-darwin-amd64 | ||
asset_content_type: application/octet-stream | ||
|
||
- name: Upload MacOS arm64 artifact | ||
uses: actions/upload-release-asset@v1 | ||
env: | ||
GITHUB_TOKEN: ${{ github.token }} | ||
with: | ||
upload_url: ${{ steps.create_release.outputs.upload_url }} | ||
asset_path: ./bin/incredible-darwin-arm64 | ||
asset_name: incredible-darwin-arm64 | ||
asset_content_type: application/octet-steam |
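Review bot: the last upload step sets `asset_content_type: application/octet-steam`, a typo for `application/octet-stream`; the darwin-amd64 step just above uses the correct value, so the darwin-arm64 asset will be published with a malformed content type. Two smaller points on the same job: it declares no `permissions:` block even though every step passes `${{ github.token }}` to create the release and upload assets, so add `permissions:` with `contents: write` to scope the token to exactly what the release needs; and all actions are referenced by mutable tags (`@v1`, `@v3`) rather than full commit SHAs, which leaves the release pipeline trusting whatever those tags are moved to in future.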
@@ -4,3 +4,6 @@ | |
|
||
# Example | ||
example/ | ||
|
||
# Output | ||
bin/ |
@@ -0,0 +1,41 @@ | ||
# Changelog | ||
|
||
All notable changes to this project will be documented in this file. | ||
|
||
The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/), | ||
and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html). | ||
|
||
## [Unreleased] | ||
|
||
### Added | ||
### Fixed | ||
### Changed | ||
### Removed | ||
|
||
<!-- Unreleased Template | ||
### Added | ||
### Fixed | ||
### Changed | ||
### Removed | ||
---> | ||
|
||
<!-- Version Template | ||
## vMAJOR.MINOR.PATCH | ||
**Date**: YYYY-MM-DD | ||
General description | ||
COPY FROM UNRELEASED | ||
---> | ||
|
||
## v0.0.1 | ||
**Date**: 2023-06-13 | ||
|
||
This is the initial release of `incredible`. | ||
|
||
### Added | ||
1. JSON-Schema describing the mapping file (`incredible.yml`) | ||
2. Initial CLI implementation | ||
3. Support for | ||
1. Bitwarden | ||
2. Azure Key Vault |
@@ -0,0 +1,163 @@ | ||
# Incredible [![License: MIT](https://img.shields.io/badge/License-MIT-yellow.svg)](LICENSE) | ||
Incredible is a CLI tool that loads secrets (passwords, tokens, files) from secure sources and maps them to usable environment variables. | ||
|
||
The goal of this tool is to avoid | ||
- having to add sensitive values into your Bash profile | ||
- permanently storing confidential files on the system | ||
- manually copying secrets from your password manager into your bash | ||
|
||
Just configure your desired environment variables (see ["The solution"](#the-solution)) and run your program with | ||
|
||
```shell | ||
incredible <MY_PROGRAM> | ||
``` | ||
and it will be able to access them. | ||
|
||
## Supported sources | ||
|
||
| Source | Requirements | Value Support | File Support | Help | | ||
|-------------------------------------------------------------------------|-----------------------------------------------------------|---------------|--------------|--------------------------| | ||
| [Bitwarden](https://bitwarden.com) | [Bitwarden Cli](https://bitwarden.com/help/cli/) | ✅ | ✅ | [Help](#bitwarden) | | ||
| [Azure Key Vault](https://azure.microsoft.com/en-us/products/key-vault) | [Azure Cli](https://learn.microsoft.com/en-us/cli/azure/) | ✅ | ❌ | [Help](#azure-key-vault) | | ||
|
||
|
||
## How does it work? | ||
`incredible` can best be understood as an interfaces to various credential/password/secret managers. | ||
|
||
### The problem | ||
|
||
Without `incredible`, one could easily come up with a script that automatically fetches a value from a password manager and exposes it using an environment variable, which can then be consumed by another tool or script. | ||
|
||
You know - something like this: | ||
````shell | ||
export MY_CLIENT_SECRET=$(generic-password-manager get secret super-secret-oidc-secret) | ||
```` | ||
This scripted solution should do the job just fine. | ||
Starting from that approach, a variety of problems and questions arise when it comes to working with multiple secrets, environments, team members and secret providers. | ||
|
||
For example: | ||
- How can I set multiple secrets, If my environment needs them? | ||
- What if one of them required secrets is a file? | ||
- How do I clean up my environment after the variables and files are no longer needed? | ||
- How can I switch between contexts requiring the same variables set to different values? | ||
|
||
### The solution | ||
`incredible` tries to simplify working with secrets as much as possible by providing a unified configuration file. | ||
This configuration file specifies the required environment variables and where they can be obtained from. | ||
Once a program is started with `incredible <MY_EXEC>`, `incredible` will fetch all required values and cleans them up once your program exits. | ||
|
||
The configuration file (usually named `incredible.yml`) looks like this: | ||
|
||
````yaml | ||
assets: # List of all assets to be loaded | ||
- src: # The src property tells incredible, where the secret's value can be obtained from | ||
azureKeyVaultSecret: {} # set this, when loading from an Azure Key Value | ||
bitwarden: {} # set this, when loading from a Bitwarden vault | ||
mappings: | ||
- env: | ||
name: TARGET_VARIABLE # the name of the environment variable, that should hold the obtained secret | ||
```` | ||
|
||
The JSON schema at https://raw.githubusercontent.com/masinger/incredible/main/schema.json can be used to enable code completion and validation (if supported by your editor). | ||
|
||
See [Sources](#sources) for more information on how to configure the `src` property. | ||
|
||
|
||
### Feature list | ||
- Fetch secret values from various providers (as listed in "[Supported sources](#supported-sources)") | ||
- Fetch files from various providers, storing them in temporary files | ||
- Removal of created temporary files, once incredible exits | ||
- Usage of context specific environment variables (the `incredible.yml` within the current or the first ancestor directory will be used) | ||
|
||
## Sources | ||
|
||
### Bitwarden | ||
|
||
#### Requirements | ||
|
||
- [Bitwarden Cli](https://bitwarden.com/help/cli/) must be installed | ||
|
||
#### General | ||
|
||
The Bitwarden source requires the identifier of the Bitwarden entry to be used. | ||
The id can be obtained using the Bitwarden cli or by clicking on the entry (within the web | ||
vault - https://vault.bitwarden.com) and inspecting the browser URL once the detail dialog opens. | ||
|
||
#### Secret value from password | ||
|
||
The following shows the minimal configuration required in order to read the password stored in entry `123-test-id` and | ||
map it to the environment variable named `MY_SECRET_PW`. | ||
|
||
```yaml | ||
assets: | ||
- src: | ||
bitwarden: | ||
entry: 123-test-id # entry id | ||
field: password # optional, default: "password" | ||
mappings: | ||
- env: | ||
name: MY_SECRET_PW | ||
``` | ||
|
||
#### Secret value from password | ||
|
||
If we set the property `field` to `"username"`, the entry's username will be used instead. | ||
|
||
````yaml | ||
assets: | ||
- src: | ||
bitwarden: | ||
entry: 123-test-id # entry id | ||
field: username | ||
mappings: | ||
- env: | ||
name: MY_SECRET_USER | ||
```` | ||
|
||
#### Secret file from attachment | ||
In order to load a secret file from a Bitwarden entry's attachment, the name of the attachment must be provided using the `attachment` property. | ||
The environment variable `MY_SECRET_FILE_PATH` will then hold the filepath to the loaded file. | ||
|
||
````yaml | ||
assets: | ||
- src: | ||
bitwarden: | ||
entry: 12345-12345-12345-abcd-12345 # Entry id | ||
attachment: my-attachment.txt # file name as shown in Bitwarden | ||
mappings: | ||
- env: | ||
name: MY_SECRET_FILE_PATH | ||
```` | ||
|
||
### Azure Key Vault | ||
|
||
#### Requirements | ||
|
||
- [Azure Cli](https://learn.microsoft.com/en-us/cli/azure/) must be installed | ||
|
||
#### Obtaining a value from a Azure Key Vault secret | ||
Sourcing values from an Azure Key Vault Secret requires the secrets unique identifier, | ||
which can be obtained by running | ||
|
||
````shell | ||
az keyvault secrete show --vault-name <NAME_OF_YOUR_KEYVAULT> --name <NAME_OF_YOUR_SECRET> | ||
```` | ||
|
||
> **Warning** | ||
> The returned entry id statically refers to the current secret's version. | ||
> In order to always use the current version, omit the last path segment. | ||
The following mapping will load the newest value of an Azure Key Vault secret and store it within the environment variable `MY_SECRET_VALUE`: | ||
````yaml | ||
assets: | ||
- src: | ||
azureKeyVaultSecret: | ||
# Key Vault Secret's id (the lat version path segment is omitted, in order to always use the newest value) | ||
itemId: https://MY_TEST_KEYVAULT.vault.azure.net/secrets/MY_TEST_ENTRY | ||
mappings: | ||
- env: | ||
name: MY_SECRET_VALUE | ||
```` | ||
|
||
|
||
|
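Review bot: the Azure Key Vault example command `az keyvault secrete show --vault-name <NAME_OF_YOUR_KEYVAULT> --name <NAME_OF_YOUR_SECRET>` misspells the subcommand; it should be `az keyvault secret show`, otherwise readers copying it get an unrecognised-command error. Also in this file: the heading `#### Secret value from password` appears twice, and the second occurrence introduces the username example, so rename it to `#### Secret value from username`; the YAML comment `set this, when loading from an Azure Key Value` should read `Azure Key Vault`, and `the lat version path segment` should be `last`; and the `> **Warning**` blockquote is not followed by a blank line, so the paragraph `The following mapping will load the newest value ...` is rendered as a lazy continuation of the quote instead of as body text. Minor grammar: `an interfaces to` should be `an interface to`, and in `will fetch all required values and cleans them up` the verb should be `clean`.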
@@ -0,0 +1,21 @@ | ||
-----BEGIN PGP SIGNED MESSAGE----- | ||
Hash: SHA256 | ||
|
||
Contact: mailto:marcel.singer@live.de | ||
Expires: 2024-06-10T10:00:00.000Z | ||
Encryption: https://keys.openpgp.org/vks/v1/by-fingerprint/78BBD1E6DE5E7F332D7E2562662DA03FFA9DD870 | ||
Preferred-Languages: en, de | ||
-----BEGIN PGP SIGNATURE----- | ||
|
||
iQGzBAEBCAAdFiEEeLvR5t5efzMtfiViZi2gP/qd2HAFAmSEjpgACgkQZi2gP/qd | ||
2HBEwwv/fKIF9ArYpGrpTU5voEDeUputjMoJQl9zX2qXLWeMjWJdSYocHhRQ7skd | ||
tjL4jkI2hz5oEEc/6Ccoszy1c3xw4OTa7A7oHGHi77gxkplj6q3LYPrAjIArHtbq | ||
AywNbytd3KOigPbcXq8oiOAqwCklzjJ73dMLgILwRwtowduJnoBYZZz+2LKMORdN | ||
oEVFZ3WzPFnf6uuoVUbNd/D2APWxoDlINP1eS3TjAy/SKvCudirutozsgf4sCqTJ | ||
YOH3et/60YGU3JafjF8cXpFyx+aL3PSFWC3tdrloScgej5P/W6ZT5JuNcZrmzHeV | ||
SopyCWsjpHMZbi+/dTBS48eV1nKzd6kXIiGXW30AWqP6Wp+h4e64Oz3zOhtsMZgI | ||
qI5c5UvsqU5J0YGzMWxSDfSnfdNt/81knoJsBz4RCWV2cVk6VM6hMPIOOg9YOhv6 | ||
afYArzv0L7cDsbsDkopImFyoQfQTWZ3pHwEGXSlYdEpuuDj3KU9ShiF2oAY0Dc5Y | ||
HW50rMEs | ||
=8nhK | ||
-----END PGP SIGNATURE----- |
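Review bot: this signed RFC 9116 security.txt block carries no `Canonical:` field. The RFC recommends including it whenever the file is signed, so that the signature also binds the URL the file is served from; without it a copy hosted at another location still verifies cleanly. Also worth a reminder: `Expires: 2024-06-10T10:00:00.000Z` sits inside the RFC's recommended under-a-year window, but because the file is committed to a release tag it will silently go stale unless it is re-signed and refreshed before that date.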
Empty file.