#secret

teller-core

A developer-first multi provider secret manager

5 stable releases

2.0.7 May 19, 2024
2.0.5 May 15, 2024
2.0.4 May 12, 2024

#159 in #secret


Used in teller

Apache-2.0

150KB
3K SLoC






💻 Never leave your terminal for secrets
📟 Create easy and clean workflows for working with cloud environments
🔎 Scan for secrets and fight secret sprawl


Teller - the open-source universal secret manager for developers

Never leave your terminal to use secrets while developing, testing, and building your apps.

Instead of custom scripts, tokens in your .zshrc files, visible EXPORTs in your bash history, misplaced .env.production files and more around your workstation -- just use teller and connect it to any vault, key store, or cloud service you like (Teller support Hashicorp Vault, AWS Secrets Manager, Google Secret Manager, and many more).

You can use Teller to tidy your own environment or for your team as a process and best practice.

Quick Start with teller

Download a binary Grab a binary from releases

Build from source Using this method will allow you to eye-ball the source code, review it, and build a copy yourself.

This will install the binary locally on your machine:

$ cd teller-cli
$ cargo install --path .

Create a new configuration

$ teller new
? Select your secret providers ›
 hashicorp_consul
 aws_secretsmanager
 ssm
 dotenv
 hashicorp
 google_secretmanager

Then, edit the newly created .teller.yml to set the maps and keys that you need for your providers.

A look at teller.yml

The teller YAML describes your providers and within each provider a map that describes:

  • What is the root path to fetch key-values from
  • For each such map, its unique id which will serve you for operations later
  • For each map, an optional specific key name mapping - you can rename keys that you will fetch from the source provider

Here's an example configuration file. Note that it also include templating constructs -- such as fetching environment variables while loading the configuration:

providers:
  hashi_1:
    kind: hashicorp
    maps:
      - id: test-load
        path: /{{ get_env(name="TEST_LOAD_1", default="test") }}/users/user1
        # if empty, map everything
        # == means map to same key name
        # otherwise key on left becomes right
        # in the future: key_transform: camelize, snake_case for automapping the keys
        keys:
          GITHUB_TOKEN: ==
          mg: FOO_BAR
  dot_1:
    kind: dotenv
    maps:
      - id: stg
        path: VAR_{{ get_env(name="STAGE", default="development") }}

You can now address these providers as hashi_1 or dot_1. Teller pulls the specified data from all providers by default.

Features

🏃 Running subprocesses

Manually exporting and setting up environment variables for running a process with demo-like / production-like set up?

Got bitten by using .env.production and exposing it in the local project itself?

Using teller and a .teller.yml file that exposes nothing to the prying eyes, you can work fluently and seamlessly with zero risk, also no need for quotes:

$ teller run --reset --shell -- node index.js

🔎 Inspecting variables

This will output the current variables teller picks up. Only first 2 letters will be shown from each, of course.

$ teller show

📺 Local shell population

Hardcoding secrets into your shell scripts and dotfiles?

In some cases it makes sense to eval variables into your current shell. For example in your .zshrc it makes much more sense to use teller, and not hardcode all those into the .zshrc file itself.

In this case, this is what you should add:

eval "$(teller sh)"

🐳 Easy Docker environment

Tired of grabbing all kinds of variables, setting those up, and worried about these appearing in your shell history as well?

Use this one liner from now on:

$ docker run --rm -it --env-file <(teller env) alpine sh

⚠️ Scan for secrets

Teller can help you fight secret sprawl and hard coded secrets, as well as be the best productivity tool for working with your vault.

It can also integrate into your CI and serve as a shift-left security tool for your DevSecOps pipeline.

Look for your vault-kept secrets in your code by running:

$ teller scan

You can run it as a linter in your CI like so:

run: teller scan --error-if-found

It will break your build if it finds something (returns exit code 1).

You can also export results as JSON with --json and scan binary files with -b.

♻️ Redact secrets from process outputs, logs, and files

You can use teller as a redaction tool across your infrastructure, and run processes while redacting their output as well as clean up logs and live tails of logs.

Pipe any process output, tail or logs into teller to redact those, live:

$ cat some.log | teller redact

It should also work with tail -f:

$ tail -f /var/log/apache.log | teller redact

Finally, if you've got some files you want to redact, you can do that too:

$ teller redact --in dirty.csv --out clean.csv

If you omit --in Teller will take stdin, and if you omit --out Teller will output to stdout.

📜 Populate templates

You can populate custom templates:

$ teller template --in config-templ.t

Template format is Tera which is very similar to liquid or handlebars.

Here is an example template:

production_var: {{ key(name="PRINT_NAME")}}
production_mood: {{ key(name="PRINT_MOOD")}}

🔄 Copy/sync data between providers

In cases where you want to sync between providers, you can do that with teller copy.

Specific mapping key sync

You can use the <provider name>/<map id> format to copy a mapping from a provider to another provider:

$ teller copy --from source/dev --to target/prod,<...>

In this simplistic example, we use the following configuration file

providers:
  dot1:
    kind: dotenv
    maps:
      - id: one
        path: one.env
  dot2:
    kind: dotenv
    maps:
      - id: two
        path: two.env

This will:

  1. Grab all mapped values from source mapping
  2. For each target provider, find the matching mapping, and copy the values from source into it

By default copying will update target mapping (upsert data), if you want to replace you can use --replace.

🚲 Write and multi-write to providers

Teller providers supporting write use cases which allow writing values into providers.

Remember, for this feature it still revolves around definitions in your teller.yml file:

$ teller put --providers new --map-id one NEW_VAR=s33kret

In this example, this configuration is being used:

providers:
  new:
    kind: dotenv
    maps:
      - id: one
        path: new.env

A few notes:

  • Values are key-value pair in the format: key=value and you can specify multiple pairs at once
  • When you're specifying a literal sensitive value, make sure to use an ENV variable so that nothing sensitive is recorded in your history
  • The flag --providers lets you push to one or more providers at once

❌ Delete and multi-delete from providers

Teller providers support deleting values from providers.

$ teller delete --providers new --map-id one DELETE_ME

A few notes:

  • You can specify multiple keys to delete, for example:
  • The flag --providers lets you push to one or more providers at once

YAML Export in YAML format

XXX TODO: rewrite how the command export works

You can export in a YAML format, suitable for GCloud:

$ teller export yaml

Example format:

FOO: "1"
KEY: VALUE

JSON Export in JSON format

You can export in a JSON format, suitable for piping through jq or other workflows:

$ teller export json

Example format:

{
  "FOO": "1"
}

Providers

You can get a list of the providers and their described configuration values in the documentation.

Testing check list:

  • docker on windows: if you have a container based test that uses Docker, make sure to exclude it on Windows using #[cfg(not(windows))]

  • resource semantics: while building providers, align with the semantics of empty and not found as two different semantics: if a provider supports an explicit "not found" semantic (404, NotFound, etc.), use Error::NotFound. Otherwise when a provider signals a "not found" semantic as an empty data bag, return an empty KV[] (i.e. do not translate a sematic of "empty" into "not found").

Testing

Testing is done with:

$ cargo test --all --all-features

And requires Docker (or equivalent) on your machine.

Thanks:

To all Contributors - you make this happen, thanks!

Code of conduct

Teller follows CNCF Code of Conduct

Copyright

Copyright (c) 2024 @jondot. See LICENSE for further details.

Dependencies

~15–26MB
~367K SLoC