retriever

Easily fetch secrets from AWS Parameter Store or Secrets Manager.

After a week where I wrote two CLIs and a small web service that required copying and pasting the same secret-fetching boilerplate, I decided to abstract the boring details.

Usage

Configure using YAML or environment thanks to viper. Some examples...

Parameter Store with many secrets under one prefix:

type: parameter
prefix: /foo
credentials:
  - BAR
  - BAZ_QUX

Parameter Store with different secret prefixes (note: no leading /):

type: parameter
credentials:
  - foo/BAR
  - baz/QUX

Same rules for Secrets Manager, just change type:

type: secret
prefix: /foo
credentials:
  - BAR
  - BAZ_QUX

Environment variables are prefixed with RTVR_ and have the same keys as YAML.

❯ RTVR_TYPE="secret" RTVR_PREFIX="/foo" RTVR_CREDENTIALS="BAR" aws-vault exec dev -- go run main.go
INFO: retriever not config found; using environment
RESULT: map[BAR:{"key1":"value1","key2":"value2"}]%

❯ RTVR_TYPE="parameter" RTVR_CREDENTIALS="foo/BAR QUX" aws-vault exec dev -- go run main.go
INFO: retriever not config found; using environment
RESULT: map[QUX:top secret foo/BAR:baz]%

To dispel any magic, test code is just:

package main

import (
        "fmt"
        "log"

        "github.com/deadlysyn/retriever"
)

func main() {
        c, err := retriever.Fetch()
        if err != nil {
                log.Fatalf("CALLER: %v", err)
        }
        fmt.Printf("RESULT: %+v", c)
}

Of course the idea is not to print things, but to use returned values. Fetch() returns a map of credentials with keys equal to secret names. Let's see that in action:

type: parameter
prefix: /app/dev
credentials:
  - CONSUMER_SECRET
  - CONSUMER_KEY
  - OAUTH_TOKEN
  - OAUTH_TOKEN_SECRET

package main

import (
    // ...

    "github.com/deadlysyn/retriever"
)

var (
    creds = make(map[string]string)
)

func init() {
    creds, err := retriever.Fetch()
    if err != nil {
        log.Fatalf("deal with it: %v", err)
    }
}

func getClient(ctx context.Context) *http.Client {
    keyDERBlock, _ := pem.Decode([]byte(creds["CONSUMER_SECRET"]))
    privateKey, _ := x509.ParsePKCS1PrivateKey(keyDERBlock.Bytes)

    config := oauth1.Config{
        ConsumerKey: creds["CONSUMER_KEY"],
        // etc...
    }

    tok := &oauth1.Token{
        Token:       creds["OAUTH_TOKEN"],
        TokenSecret: creds["OAUTH_TOKEN_SECRET"],
    }

    return config.Client(ctx, tok)
}

// ...

TODO

Secrets Manager versioning
Customer managed KMS keys
Values other than strings (?)
Ideas? Open an issue or PR.

Thanks

On the shoulders of giants.

Name		Name	Last commit message	Last commit date
Latest commit History 35 Commits
assets		assets
.envrc		.envrc
.gitignore		.gitignore
LICENSE		LICENSE
Makefile		Makefile
README.md		README.md
go.mod		go.mod
go.sum		go.sum
retriever.go		retriever.go
retriever.yml.parameter		retriever.yml.parameter
retriever.yml.secret		retriever.yml.secret
retriever_test.go		retriever_test.go

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Repository files navigation

retriever

Usage

TODO

Thanks

About

Releases 4

Packages

Languages

License

deadlysyn/retriever

Folders and files

Latest commit

History

Repository files navigation

retriever

Usage

TODO

Thanks

About

Resources

License

Stars

Watchers

Forks

Releases 4

Packages 0

Languages

Packages