pstore is a tiny utility to make usage of AWS Parameter Store an
absolute breeze. Simply prefix your application launch with pstore exec <yourapp>
and you're up and running - in dev or prod.
AWS ECS now has support for specifying secrets from Parameter Store directly
in ECS task definitions, making pstore obsolete for some use cases.
pstore expects the AWS_REGION environment variable to be set to the region
that your parameters are stored in.
AWS_REGION=us-east-1 PSTORE_DBSTRING=MyDatabaseString pstore exec -- 'echo val is $DBSTRING'
val is SomeSuperSecretDbString
pstore is usable out of the box. By default it looks for environment variables
with a PSTORE_ prefix. For example, PSTORE_DBSTRING=MyDatabaseString asks
AWS to decrypt the parameter named MyDatabaseString and stores the decrypted
value in a new environment variable named DBSTRING. If there are no envvars
with the PSTORE_ prefix, it's essentially a noop - so the same command can be
used in local dev and in prod.
If pstore fails to decrypt any envvars it will exit instead of launching your
application.
Sometimes you don't want to exec the child process directly. You want to use the decrypted values as part of a larger script. In that case you can do:
#!/bin/bash
# do some stuff ...
eval $(PSTORE_DBSTRING=MyDatabaseString pstore shell)
echo $DBSTRING # will echo out your secret string!
Same as the above, albeit for our Windows friends.
$Env:PSTORE_DBSTRING = "MyDatabaseString"
$Cmd = (pstore powershell mycompany-prod) | Out-String
Invoke-Expression $Cmd
Do-SomethingWith -DbString $DBSTRING
Quickly interrogate parameters for a given path or path prefix:
$ pstore show "/company/princess/lambdas"
/company/princess/lambdas/execution/env/MyDatabaseString : SomeSuperSecretDbString
/company/princess/lambdas/execution/env/NODE_ENV : production
/company/princess/lambdas/execution/env/LOGLEVEL : excessive
pstore also works with tagged parameters, which can be helpful when you have
a lot of parameters and don't want to enumerate them all individually. You can
specify PSTORETAG_tagkey=tagval and pstore will retrieve all parameters with
tagkey=tagval. pstore will expect to find an additional tag on these parameters,
pstore:name=ENVVAR. pstore then sets ENVVAR=value in the environment.
The PSTORE_ and PSTORETAG_ prefixes are configurable if you want to use
something else. If you want to use MYSECRETS_ as a prefix, simply invoke
pstore exec --prefix MYSECRETS_ <yourapp>.
Finally, for debugging there is the pstore exec --verbose <yourapp> flag.
Before launching, pstore will output what its doing to stdout, e.g.
$ pstore exec --verbose <yourapp>
✔ Decrypted MYREALSECRET︎
✗ Failed to decrypt PstoreVal (MYLAMESECRET)
ERROR: Failed to decrypt some secret values
pstore is well-suited to acting as an entrypoint for a Dockerised application.
Adding it to your project is as simple as:
FROM alpine
RUN apk add --update curl
RUN curl -sL -o /usr/bin/pstore https://github.com/glassechidna/pstore/releases/download/1.5.0/pstore_linux_amd64
RUN chmod +x /usr/bin/pstore
ENTRYPOINT ["pstore", "exec", "--verbose", "--"]
CMD env
Note that https requests made require ca-certificates. Alpine does not ship them by default anymore. In the above example this package is installed because curl also needs them, but if you install without curl or your Dockerfile removes curl, you need to explicitly have RUN apk add ca-certificates. Without these you will get a runtime error x509: failed to load system roots and no roots provided.