{"id":17650178,"url":"https://github.com/busser/murmur","last_synced_at":"2025-04-05T12:05:39.054Z","repository":{"id":53057515,"uuid":"517709998","full_name":"busser/murmur","owner":"busser","description":"Pass secrets as environment variables to a process","archived":false,"fork":false,"pushed_at":"2025-04-02T02:28:10.000Z","size":516,"stargazers_count":123,"open_issues_count":12,"forks_count":7,"subscribers_count":2,"default_branch":"main","last_synced_at":"2025-04-02T03:28:14.942Z","etag":null,"topics":["aws","azure-keyvault","gcp","scaleway","secret-management","secrets"],"latest_commit_sha":null,"homepage":"","language":"Go","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"apache-2.0","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/busser.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":".github/CODEOWNERS","security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null}},"created_at":"2022-07-25T14:59:20.000Z","updated_at":"2025-02-26T09:01:52.000Z","dependencies_parsed_at":"2023-10-03T12:34:12.540Z","dependency_job_id":"64d00514-87a0-4cba-9871-810dc6209fcd","html_url":"https://github.com/busser/murmur","commit_stats":{"total_commits":467,"total_committers":7,"mean_commits":66.71428571428571,"dds":"0.11991434689507496","last_synced_commit":"4bb5fb9d3dc6b9872048e3d490f951d5e20bf413"},"previous_names":["busser/whisper"],"tags_count":11,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/busser%2Fmurmur","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/busser%2Fmurmur/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/busser%2Fmurmur/releases","ma
nifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/busser%2Fmurmur/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/busser","download_url":"https://codeload.github.com/busser/murmur/tar.gz/refs/heads/main","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":247332604,"owners_count":20921853,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["aws","azure-keyvault","gcp","scaleway","secret-management","secrets"],"created_at":"2024-10-23T11:36:48.258Z","updated_at":"2025-04-05T12:05:39.012Z","avatar_url":"https://github.com/busser.png","language":"Go","funding_links":[],"categories":["Secret Management"],"sub_categories":[],"readme":"# 🤫 Murmur \u003c!-- omit in toc --\u003e\n\n[![License](https://img.shields.io/badge/License-Apache_2.0-blue.svg)](https://opensource.org/licenses/Apache-2.0)\n[![Go Report Card](https://goreportcard.com/badge/github.com/busser/murmur)](https://goreportcard.com/report/github.com/busser/murmur)\n![tests-passing](https://github.com/busser/murmur/actions/workflows/ci.yml/badge.svg)\n\nPlug-and-play executable to pass secrets as environment variables to a process.\n\nMurmur is a small binary that reads its environment variables, replaces\nreferences to secrets with the secrets' values, and passes the resulting\nvariables to your application. 
Variables that do not reference secrets are\npassed as-is.\n\nSeveral tools like Murmur exist, each supporting a different secret provider.\nMurmur aims to support as many providers as possible, so you can use Murmur no\nmatter which provider you use.\n\n|                                                            | Scaleway | AWS | Azure | GCP | Vault | 1Password | Doppler |\n| ---------------------------------------------------------- | -------- | --- | ----- | --- | ----- | --------- | ------- |\n| 🤫 Murmur                                                  | ✅       | ✅  | ✅    | ✅  | ❌    | ❌        | ❌      |\n| [Berglas](https://github.com/GoogleCloudPlatform/berglas)  | ❌       | ❌  | ❌    | ✅  | ❌    | ❌        | ❌      |\n| [Bank Vaults](https://github.com/banzaicloud/bank-vaults)  | ❌       | ❌  | ❌    | ❌  | ✅    | ❌        | ❌      |\n| [1Password CLI](https://developer.1password.com/docs/cli/) | ❌       | ❌  | ❌    | ❌  | ❌    | ✅        | ❌      |\n| [Doppler CLI](https://github.com/DopplerHQ/cli)            | ❌       | ❌  | ❌    | ❌  | ❌    | ❌        | ✅      |\n\n_If you know of a similar tool that is not listed here, please open an issue so\nthat we can add it to the list._\n\n_If you use a secret provider that is not supported by Murmur, please open an\nissue so that we can track demand for it._\n\n- [Fetching a database password](#fetching-a-database-password)\n- [Adding Murmur to a container image](#adding-murmur-to-a-container-image)\n- [Adding Murmur to a Kubernetes pod](#adding-murmur-to-a-kubernetes-pod)\n- [Parsing JSON secrets](#parsing-json-secrets)\n- [Providers and filters](#providers-and-filters)\n  - [`scwsm` provider: Scaleway Secret Manager](#scwsm-provider-scaleway-secret-manager)\n  - [`awssm` provider: AWS Secrets Manager](#awssm-provider-aws-secrets-manager)\n  - [`azkv` provider: Azure Key Vault](#azkv-provider-azure-key-vault)\n  - [`gcpsm` provider: GCP Secret Manager](#gcpsm-provider-gcp-secret-manager)\n  - [`passthrough` 
provider: no-op](#passthrough-provider-no-op)\n  - [`jsonpath` filter: JSON parsing and templating](#jsonpath-filter-json-parsing-and-templating)\n- [Changes from v0.4 to v0.5](#changes-from-v04-to-v05)\n\n## Fetching a database password\n\nMurmur runs as a wrapper around any command. For example, if you want to connect\nto a PostgreSQL database, instead of running this command:\n\n```bash\nexport PGPASSWORD=\"Q-gVzyDPmvsX6rRAPVjVjvfvR@KGzPJzCEg2\"\npsql -h 10.1.12.34 -U my-user -d my-database\n```\n\nYou run this instead:\n\n```bash\nexport PGPASSWORD=\"scwsm:database-password\"\nmurmur run -- psql -h 10.1.12.34 -U my-user -d my-database\n```\n\nMurmur will fetch the value of the `database-password` secret from Scaleway\nSecret Manager, set the `PGPASSWORD` environment variable to that value, and\nthen run `psql`.\n\n## Adding Murmur to a container image\n\nMurmur is a static binary, so you can simply copy it into your container image\nand use it as your entrypoint. For convenience, the murmur binary is released as\na container image you can copy from in your Dockerfile:\n\n```dockerfile\nCOPY --from=ghcr.io/busser/murmur:latest /murmur /bin/murmur\n```\n\nThen you can change your image's entrypoint:\n\n```dockerfile\n# from this:\nENTRYPOINT [\"/bin/run-my-app\"]\n# to this:\nENTRYPOINT [\"/bin/murmur\", \"run\", \"--\", \"/bin/run-my-app\"]\n```\n\n## Adding Murmur to a Kubernetes pod\n\nYou can use Murmur in a Kubernetes pod even if your application's container\nimage does not include Murmur. 
To do so, you can use an init container that\ncopies Murmur into an emptyDir volume, and then use that volume in your\napplication's container.\n\nHere is an example:\n\n```yaml\napiVersion: v1\nkind: Pod\nmetadata:\n  name: my-app\nspec:\n  initContainers:\n    - name: copy-murmur\n      image: ghcr.io/busser/murmur:latest\n      command: [\"cp\", \"/murmur\", \"/shared/murmur\"]\n      volumeMounts:\n        - name: shared\n          mountPath: /shared\n  containers:\n    - name: my-app\n      image: my-app:latest\n      command: [\"/shared/murmur\", \"run\", \"--\", \"/bin/run-my-app\"]\n      volumeMounts:\n        - name: shared\n          mountPath: /shared\n  volumes:\n    - name: shared\n      emptyDir: {}\n```\n\n## Parsing JSON secrets\n\nStoring secrets as JSON is a common pattern. For example, a secret might contain\na JSON object with multiple fields:\n\n```json\n{\n  \"host\": \"10.1.12.34\",\n  \"port\": 5432,\n  \"database\": \"my-database\",\n  \"username\": \"my-user\",\n  \"password\": \"Q-gVzyDPmvsX6rRAPVjVjvfvR@KGzPJzCEg2\"\n}\n```\n\nMurmur can parse that JSON and set environment variables for each field by using\nthe `jsonpath` filter:\n\n```bash\nexport PGHOST=\"scwsm:database-credentials|jsonpath:{.host}\"\nexport PGPORT=\"scwsm:database-credentials|jsonpath:{.port}\"\nexport PGDATABASE=\"scwsm:database-credentials|jsonpath:{.database}\"\nexport PGUSER=\"scwsm:database-credentials|jsonpath:{.username}\"\nexport PGPASSWORD=\"scwsm:database-credentials|jsonpath:{.password}\"\nmurmur run -- psql\n```\n\nIf you have multiple references to the same secret, Murmur will fetch the secret\nonly once to avoid unnecessary API calls.\n\nAlternatively, you can use the `jsonpath` filter to set a single environment\nvariable with the entire JSON object:\n\n```bash\n# psql supports connection strings, so we can use a single variable\nexport 
PGDATABASE=\"scwsm:database-credentials|jsonpath:postgres://{.username}:{.password}@{.host}:{.port}/{.database}\"\nmurmur run -- psql\n```\n\nMurmur uses the Kubernetes JSONPath syntax for the `jsonpath` filter. See the\n[Kubernetes documentation](https://kubernetes.io/docs/reference/kubectl/jsonpath/)\nfor a full list of capabilities.\n\n## Providers and filters\n\nMurmur's architecture is built around providers and filters. Providers fetch\nsecrets from a secret manager, and filters parse and transform the secrets.\n\nMurmur only edits environment variables which contain valid queries. A valid\nquery is structured as follows:\n\n```plaintext\nprovider_id:secret_ref|filter_id:filter_rule\n```\n\nUsing a filter is optional, so this is also a valid query:\n\n```plaintext\nprovider_id:secret_ref\n```\n\nMurmur does not support chaining multiple filters yet.\n\n### `scwsm` provider: Scaleway Secret Manager\n\nTo fetch a secret from [Scaleway Secret Manager](https://www.scaleway.com/en/secret-manager/),\nthe query must be structured as follows:\n\n```plaintext\nscwsm:[region/]{name|id}[#version]\n```\n\nIf `region` is not specified, Murmur will delegate region selection to the\nScaleway SDK. The SDK determines the region based on the environment, by looking\nat environment variables and configuration files.\n\nOne of `name` or `id` must be specified. Murmur guesses whether the string is a\nname or an ID depending on whether it is a valid UUID. UUIDs are treated as IDs,\nand other strings are treated as names.\n\nThe `version` must either be a positive integer or the \"latest\" string. 
If\n`version` is not specified, Murmur defaults to \"latest\".\n\nExamples:\n\n```plaintext\nscwsm:my-secret\nscwsm:my-secret#123\nscwsm:my-secret#latest\n\nscwsm:fr-par/my-secret\nscwsm:fr-par/my-secret#123\nscwsm:fr-par/my-secret#latest\n\nscwsm:3f34b83f-47a6-4344-bcd4-b63721481cd3\nscwsm:3f34b83f-47a6-4344-bcd4-b63721481cd3#123\nscwsm:3f34b83f-47a6-4344-bcd4-b63721481cd3#latest\n\nscwsm:fr-par/3f34b83f-47a6-4344-bcd4-b63721481cd3\nscwsm:fr-par/3f34b83f-47a6-4344-bcd4-b63721481cd3#123\nscwsm:fr-par/3f34b83f-47a6-4344-bcd4-b63721481cd3#latest\n```\n\nMurmur uses the environment's default credentials to authenticate to Scaleway.\nYou can configure Murmur the same way you can [configure the `scw` CLI](https://github.com/scaleway/scaleway-cli/blob/master/docs/commands/config.md).\n\n### `awssm` provider: AWS Secrets Manager\n\nTo fetch a secret from [AWS Secrets Manager](https://aws.amazon.com/secrets-manager/),\nthe query must be structured as follows:\n\n```plaintext\nawssm:{name|arn}[#{version_id|version_stage}]\n```\n\nOne of `name` or `arn` must be specified. You can use a full or partial ARN.\nHowever, if your secret's name ends with a hyphen followed by six characters,\nyou should not use a partial ARN. See [these AWS docs](https://docs.aws.amazon.com/secretsmanager/latest/userguide/troubleshoot.html#ARN_secretnamehyphen)\nfor more information.\n\nYou can optionally specify one of `version_id` or `version_stage`. Murmur\nguesses whether the string is an ID or a stage depending on whether it is a\nvalid UUID. UUIDs are treated as version IDs, and other strings are treated as\nversion stages. 
If neither `version_id` nor `version_stage` is specified, Murmur\ndefaults to \"AWSCURRENT\".\n\nExamples:\n\n```plaintext\nawssm:my-secret\nawssm:my-secret#MY_VERSION_STAGE\nawssm:my-secret#9517cc59-646a-4393-81d7-5e6f2d43cbe7\n\nawssm:arn:aws:secretsmanager:us-east-1:123456789012:secret:my-secret\nawssm:arn:aws:secretsmanager:us-east-1:123456789012:secret:my-secret#MY_VERSION_STAGE\nawssm:arn:aws:secretsmanager:us-east-1:123456789012:secret:my-secret#9517cc59-646a-4393-81d7-5e6f2d43cbe7\n```\n\nMurmur uses the environment's default credentials to authenticate to AWS.\nYou can configure Murmur the same way you can [configure the `aws` CLI](https://docs.aws.amazon.com/cli/latest/userguide/cli-configure-envvars.html).\n\n### `azkv` provider: Azure Key Vault\n\nTo fetch a secret from [Azure Key Vault](https://azure.microsoft.com/en-us/services/key-vault/),\nthe query must be structured as follows:\n\n```plaintext\nazkv:keyvault_hostname/name[#version]\n```\n\nThe `keyvault_hostname` must be the fully qualified domain name of the Key\nVault. For example, if your Key Vault's URL is `https://example.vault.azure.net/`,\nthen the `keyvault_hostname` is `example.vault.azure.net`.\n\nThe `name` is the name of the secret.\n\nThe `version` must be a valid version ID. If `version` is not specified, Murmur\ndefaults to the latest version of the secret.\n\nExamples:\n\n```plaintext\nazkv:example.vault.azure.net/my-secret\nazkv:example.vault.azure.net/my-secret#5ddc29704c1c4429a4c53605b7949100\n```\n\nMurmur uses the environment's default credentials to authenticate to Azure. 
You\ncan set these credentials with the [environment variables listed here](https://github.com/Azure/azure-sdk-for-go/wiki/Set-up-Your-Environment-for-Authentication#configure-defaultazurecredential),\nor with workload identity.\n\n### `gcpsm` provider: GCP Secret Manager\n\nTo fetch a secret from [GCP Secret Manager](https://cloud.google.com/secret-manager),\nthe query must be structured as follows:\n\n```plaintext\ngcpsm:project/name[#version]\n```\n\nThe `project` must be either a project ID or a project number.\n\nThe `name` is the name of the secret.\n\nThe `version` must be a valid version number. If `version` is not specified,\nMurmur defaults to the latest version of the secret.\n\n### `passthrough` provider: no-op\n\nThis provider is meant for demo and testing purposes. It does not fetch any\nsecrets and simply returns the secret reference as the secret's value.\n\nThis provider, like all other providers, is fully tested. It is safe to use in\nproduction, although why would you?\n\nExamples:\n\n```plaintext\npassthrough:my-not-so-secret-value\n```\n\n### `jsonpath` filter: JSON parsing and templating\n\nTo parse a JSON secret and extract a value from it, or to use a secret value in\na template, the query must be structured as follows:\n\n```plaintext\nprovider_id:secret_ref|jsonpath:template\n```\n\nThe `provider_id` and `secret_ref` can be any valid secret reference.\n\nThe `template` is a [JSONPath template](https://kubernetes.io/docs/reference/kubectl/jsonpath/).\nMurmur uses the Kubernetes JSONPath implementation, so you can use any feature\ndescribed in the Kubernetes docs.\n\nIf the secret's value is not valid JSON, Murmur will treat it as a string and\nexecute the template anyway. 
This means that you can use JSONPath templates with\nnon-JSON secrets.\n\nExamples:\n\n```plaintext\nscwsm:my-secret|jsonpath:{.password}\nscwsm:my-secret|jsonpath:postgres://{.username}:{.password}@{.hostname}:{.port}/{.database}\nscwsm:my-secret|jsonpath:the secret is {@}\n```\n\n## Changes from v0.4 to v0.5\n\nFollowing community feedback, we have made two significant changes in v0.5:\n\n1. We have renamed the project from \"Whisper\" to \"Murmur\", to make the project\n   documentation easier to find on search engines.\n2. We have renamed the `exec` command to `run`, to make it clear that we are not\n   executing the command directly, but rather running it as a subprocess.\n\nWe have made it so that none of these changes are breaking. You can upgrade to\nv0.5 without changing anything in how you use Whisper/Murmur.\n\nWe now publish binaries and container images with both names. The `exec` command\nis still available, but it will log a warning message telling you to use the new\n`run` command instead.\n\nWe recommend that you update your scripts to use the new name and command, but\nyou have all the time you need to do so.\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fbusser%2Fmurmur","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fbusser%2Fmurmur","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fbusser%2Fmurmur/lists"}