A gosu port which will load secrets from various secrets backends into the environment before exec'ing your baby.
Enable providers by setting VEST_PROVIDERS in the environment before running vest.
Available providers: dotenv, ejson, vault, sops.
Alpine and Ubuntu based docker images are available at quay.io/lumoslabs/vestibule
This project uses goreleaser for building and publishing. Install instructions for goreleaser are here.
The handy Makefile here provides targets:
- snapshot: Use goreleaser to make an unpublished snapshot build
- release: Use goreleaser to cut and publish a real release
- test: Run go tests
- test-race: Run go tests with -race
- test-memory: Run go tests with -msan
- test-all: Run all tests
- linux: Use go build to build vestibule for linux
- darwin: Use go build to build vestibule for darwin
    Usage: vest user-spec command [args]

    eg: vest myuser bash
        vest nobody:root bash -c 'whoami && id'
        vest 1000:1 id

    Environment Variables:
      VEST_DEBUG                    Enable debug logging.
      VEST_PROVIDERS                Comma separated list of enabled providers. By default only Vault is enabled.
                                    Available providers: [dotenv ejson vault sops]
      VEST_UPCASE_VAR_NAMES         Upcase environment variable names gathered from secret providers. Default: true
      VEST_USER                     The user [and group] to run the command as. Overrides commandline if set.
                                    e.g. VEST_USER=user[:group]
      VEST_VERBOSE                  Enable verbose logging.
      AWS_PROFILE                   AWS profile to use in the shared credentials file. Defaults to "default"
      AWS_SHARED_CREDENTIALS_FILE   Path to the AWS shared credentials file to write credentials to.
                                    Defaults to "/var/run/aws/credentials"
      GOOGLE_CREDENTIALS_FILE       Path to the GCP service account credentials file to create.
                                    Defaults to "/var/run/gcp/creds.json"
      VAULT_*                       All vault client configuration environment variables are respected.
                                    More information at https://www.vaultproject.io/docs/commands/#environment-variables
      VAULT_APP_JWT                 The jwt for use with OIDC/JWT authentication
      VAULT_APP_ROLE                Either the role id for AppRole authentication, or the role name for Kubernetes authentication.
      VAULT_APP_SECRET              The secret id for use with AppRole authentication
      VAULT_AUTH_DATA               Data payload to send with authentication request. JSON object.
      VAULT_AUTH_METHOD             Authentication method for vault. Default is "kubernetes".
      VAULT_AUTH_PATH               Authentication path for vault authentication - e.g. okta/login/:user.
                                    Overrides VAULT_AUTH_METHOD if set.
      VAULT_AWS_PATH                Mountpoint for the vault AWS secret engine. Defaults to "aws".
      VAULT_AWS_ROLE                Name of the aws role to generate credentials against.
                                    If credentials are returned, the access key and secret key will be injected into
                                    the process environment using the standard environment variables and a
                                    credentials file will be written to the path from AWS_SHARED_CREDENTIALS_FILE
                                    (by default "/var/run/aws/credentials")
      VAULT_GCP_CRED_TYPE           GCP credential type to generate. Defaults to key. Accepted values are [token key]
      VAULT_GCP_PATH                Mountpoint for the vault GCP secret engine. Defaults to "gcp".
      VAULT_GCP_ROLE                Name of the GCP role in vault to generate credentials against.
      VAULT_IAM_ROLE                [DEPRECATED] Name of the aws role to generate credentials against.
      VAULT_KV_KEYS                 If VAULT_KV_KEYS is set, will iterate over each key (colon separated), attempting
                                    to get the secret from Vault. Secrets are pulled at the optional version or
                                    latest, then injected into Environ. If running in Kubernetes, the Pod's
                                    ServiceAccount token will automatically be looked up and used for Vault
                                    authentication.
                                    e.g. VAULT_KV_KEYS=/path/to/key1[@version]:/path/to/key2[@version]:...
      DOTENV_FILES                  If DOTENV_FILES is set, will iterate over each file, parse and inject into
                                    Environ. If DOTENV_FILES is not set, will look for any .env files in CWD.
                                    e.g. DOTENV_FILES=/path/to/file1:/path/to/file2:...
      EJSON_FILES                   If EJSON_FILES is set, will iterate over each file (colon separated), attempting
                                    to decrypt using keys from EJSON_KEYS. If EJSON_FILES is not set, will look for
                                    any .ejson files in CWD. Cleartext decrypted json will be parsed into a
                                    map[string]string and injected into Environ.
                                    e.g. EJSON_FILES=/path/to/file1:/path/to/file2:...
      EJSON_KEYS                    Colon separated list of public/private ejson keys. Public/private keys
                                    separated by semicolon.
                                    e.g. EJSON_KEYS=pubkey1;privkey1:pubkey2;privkey2:...
      SOPS_FILES                    If SOPS_FILES is set, will iterate over each file (colon separated), attempting
                                    to decrypt with Sops. The decrypted cleartext file can be optionally written out
                                    to a separate location (with optional filemode) or will be parsed into a
                                    map[string]string and injected into Environ.
                                    e.g. SOPS_FILES=/path/to/file[;/path/to/output[;mode]]:...

Sometimes you just need credentials to be on disk, amirite?
If so, you can run bule to write gathered secrets to a given file in a given format. All provider environment variables from vest are also applicable with bule.

e.g. VAULT_KV_KEYS=secret/db-creds bule /var/secrets/db-creds.json

    usage: bule [<flags>] <file>

    Write secrets to a file! What could go wrong?

    Flags:
      -h, --help                Show context-sensitive help (also try --help-long and --help-man).
      -D, --debug               Debug output
      -v, --verbose             Verbose output
      -F, --format=json         Format of the output file. Available formats: [dotenv env json toml yaml yml]
      -p, --provider=vault ...  Secret provider. Can be used multiple times.
                                Available providers: [dotenv ejson vault sops]
          --upcase-var-names    Upcase environment variable names gathered from secret providers.
          --version             Show application version.

    Args:
      <file>  Path of output file
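The colon-separated spec formats documented above (VAULT_KV_KEYS with its optional @version, SOPS_FILES with its optional output path and mode, and EJSON_KEYS with its pubkey;privkey pairs) apply to both vest and bule. The following is an added example, not code from the vestibule project: a small Go parser for those three formats plus the VEST_UPCASE_VAR_NAMES rename rule. The type and function names, the decision to reject malformed versions and key pairs instead of ignoring them, and the 0600 default mode for a written SOPS output file are all assumptions made here; the project's own parsing may behave differently.

```go
package main

import (
	"fmt"
	"os"
	"strconv"
	"strings"
)

// KVKey is one entry of VAULT_KV_KEYS: a Vault path with an optional @version.
// Version 0 means "latest" (no version was given). Names are assumed here.
type KVKey struct {
	Path    string
	Version int
}

// ParseKVKeys splits "/path/to/key1[@version]:/path/to/key2[@version]:...".
// A non-numeric version is an error so a typo fails loudly instead of silently
// fetching the latest secret version.
func ParseKVKeys(spec string) ([]KVKey, error) {
	var keys []KVKey
	for _, item := range strings.Split(spec, ":") {
		if item == "" {
			continue // tolerate trailing or doubled separators
		}
		path, ver, hasVer := strings.Cut(item, "@")
		k := KVKey{Path: path}
		if hasVer {
			n, err := strconv.Atoi(ver)
			if err != nil || n < 1 {
				return nil, fmt.Errorf("bad version %q in %q", ver, item)
			}
			k.Version = n
		}
		keys = append(keys, k)
	}
	return keys, nil
}

// SopsFile is one entry of SOPS_FILES: an encrypted input, an optional output
// path, and an optional octal mode for that output.
type SopsFile struct {
	Input  string
	Output string      // empty: parse into the environment instead of writing
	Mode   os.FileMode // only meaningful when Output is set
}

// ParseSopsFiles splits "/path/to/file[;/path/to/output[;mode]]:...".
// Assumed default mode is 0600: decrypted secrets should not be group- or
// world-readable unless the caller asks for that explicitly.
func ParseSopsFiles(spec string) ([]SopsFile, error) {
	var files []SopsFile
	for _, item := range strings.Split(spec, ":") {
		if item == "" {
			continue
		}
		parts := strings.Split(item, ";")
		f := SopsFile{Input: parts[0], Mode: 0o600}
		if len(parts) > 1 {
			f.Output = parts[1]
		}
		if len(parts) > 2 {
			m, err := strconv.ParseUint(parts[2], 8, 32)
			if err != nil {
				return nil, fmt.Errorf("bad mode %q in %q", parts[2], item)
			}
			f.Mode = os.FileMode(m)
		}
		files = append(files, f)
	}
	return files, nil
}

// EjsonKeyPair is one "pubkey;privkey" entry of EJSON_KEYS.
type EjsonKeyPair struct{ Public, Private string }

// ParseEjsonKeys splits "pubkey1;privkey1:pubkey2;privkey2:...". A pair with
// no private key cannot decrypt anything, so it is rejected.
func ParseEjsonKeys(spec string) ([]EjsonKeyPair, error) {
	var pairs []EjsonKeyPair
	for _, item := range strings.Split(spec, ":") {
		if item == "" {
			continue
		}
		pub, priv, ok := strings.Cut(item, ";")
		if !ok || pub == "" || priv == "" {
			return nil, fmt.Errorf("expected pubkey;privkey, got %q", item)
		}
		pairs = append(pairs, EjsonKeyPair{Public: pub, Private: priv})
	}
	return pairs, nil
}

// EnvVarName applies the VEST_UPCASE_VAR_NAMES rule to a gathered secret key.
func EnvVarName(key string, upcase bool) string {
	if upcase {
		return strings.ToUpper(key)
	}
	return key
}

func main() {
	// Constructed sample specs in the formats documented in the help text.
	keys, _ := ParseKVKeys("secret/db-creds@3:secret/api-token")
	files, _ := ParseSopsFiles("/etc/app/secrets.enc.yaml;/run/app/secrets.yaml;0400:/etc/app/env.enc.yaml")
	fmt.Printf("%+v\n%+v\n", keys, files)
	fmt.Println(EnvVarName("db_password", true))
}
```

The parsers return an error rather than skipping a malformed entry: with secrets, a silently dropped key means the process starts without a credential it expected, which is harder to diagnose than a refused start.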