Lib.rs

Network programming
#secret #secrets-manager #aws

app barberousse

A utility to edit secrets from AWS Secrets Manager without storing them locally

by Mohamed Zenadi

6 releases

0.1.6 Aug 1, 2020
0.1.4 Jul 8, 2020
0.1.3 Jun 25, 2020

#13 in #secrets

MIT and LGPL-3.0-or-later

25KB
332 lines

Barberousse - Remote Secrets Editor

:toc: :toc-title:

width=120,align=center

About

A project aimed to avoid downloading secrets from remote providers (support only AWS Secret Manager for the moment). Opens an editor with the content of the secret readily editable, upon save & exit, the secret is automatically uploaded and a new version created remotely. This way, no need to use common bad-practices such as versionning secrets in a VCS or worst, storing them on your machine and sending them via slack :)

NOTE: This project is at its earliest stage a project can be, i.e. a proof of concept that might or not develop into a full fledged project.

Usage

Options

Just like awscli, you can customize the profile and region to use: .... OPTIONS: -P, --profile Use a specific aws profile, overrides config and env settings

-R, --region The region where the secret is, overrides config and env settings ....

These are global options, and can be set anywhere in the command.

Printing

Cat your secret in a nice format into stdout

By default the remote secret is read as a json secret and printed in yaml for ease of read. However, you can customize this behavior to your choosing by passing the print format defining how you want your secrets to be formatted, and secret format defining the format of the remote secret. .... ARGS: The id of the secret to print

FLAGS: -n, --no-color Do not color the output, this behavior is the same as when piping to another program

OPTIONS: -p, --print-format The format used to print the secret, if the secret's format is text, this will be ignored and defaults to text too [default: yaml] [possible values: json, yaml, text]

-s, --secret-format The format of the secret's remote storage [default: json] [possible values: json, yaml, text] ....

The output is pretty-printed, and color highlighted by default. Disable that by using --print-format=text

  • YAML output (default)

❯❯❯ barberousse cat /test/file --print-format yaml 1 │ --- 2 │ a: secret 3 │ another: secret value

  • JSON output

❯❯❯ barberousse cat /test/file --print-format json 1 │ { 2 │ "a": "secret", 3 │ "another": "secret value" 4 │ }

  • JSON output piped to jq

❯❯❯ barberousse cat /test/file --print-format json | jq -r '.a' secret

How it may look like on your terminal:

Editing

Allows you to edit a remote secret without saving it on disk (a temp file is created though... a more secure way to handle temp files will come in the future, see #3). You can use different formats to edit your secret (json, yaml, plain text).

.... ARGS: The id of the secret to edit

OPTIONS: -e, --edit-format The format used to edit the secret, if the secret's format is text, this will be ignored and defaults to text too [default: yaml] [possible values: json, yaml, text]

-s, --secret-format The format of the secret's remote storage [default: json] [possible values: json, yaml, text]

--editor Override the default editor, $EDITOR, used for editing the secret ....

  • To edit in YAML a JSON secret (default):

    ❯❯❯ barberousse edit /test/file --edit-format yaml --secret-format json

  • To edit in JSON a JSON secret:

    ❯❯❯ barberousse edit /test/file --edit-format json --secret-format json

How it may look like on your terminal:

Copying

By copying a secret, you can customize them for different usage. Use this feature wisely as it may lead to re-using the secrets and this is not a good practice.

.... ARGS: The id of the secret to copy The id of the secret to create

OPTIONS: -e, --edit-format The format used to edit the secret, if the secret's format is text, this will be ignored and defaults to text too [default: yaml] [possible values: json, yaml, text]

-s, --secret-format The format of the secret's remote storage [default: json] [possible values: json, yaml, text]

--editor Override the default editor, $EDITOR, used for editing the secret

--target-region Use a different region for the target secret

....

  • To copy a JSON secret and edit it in YAML (default):

    ❯❯❯ barberousse copy /test/file /test/file2

  • To copy a secret from one region to another:

    ❯❯❯ barberousse copy /test/file /test/file2 --region eu-west-1 --target-region eu-west-3

RoadMap

1.0

We're almost there!

  • General
  • Support selecting profiles and regions (env variables are supported though)
  • Editing
  • Edit JSON, YAML, text
  • Edit JSON using YAML (default behavior)
  • Edit using
  • Create a secret if not exist
  • Custom editor selection, pass --editor
  • Printing
  • Cat the content of a secret in one or many other formats
  • Copy
  • Duplicate a secret (and open an editor before saving the copy)
  • Support cross region

1.1

Some extra features to edit non-content info. This should be more an interactive process overall otherwise it would not make sense to have them as the aws cli already provides a good api to do exactly that.

  • Edit secret's metadata (description and KMS key): replaces the update-secret --description "" --kms-key-id ""
  • Print secret's metadata

Future

Open to suggestions!

Dependencies

~29–43MB
~610K SLoC