{"id":37973489,"url":"https://github.com/h0n9/cloud-secrets-manager","last_synced_at":"2026-01-16T18:26:12.323Z","repository":{"id":49785355,"uuid":"518054773","full_name":"h0n9/cloud-secrets-manager","owner":"h0n9","description":"A tool to inject cloud-based secrets into Kubernetes pods","archived":false,"fork":false,"pushed_at":"2025-07-19T11:30:37.000Z","size":401,"stargazers_count":21,"open_issues_count":4,"forks_count":0,"subscribers_count":2,"default_branch":"develop","last_synced_at":"2025-07-19T16:14:08.810Z","etag":null,"topics":["aws","cloud","devops","gcp","injector","kubernetes","secrets"],"latest_commit_sha":null,"homepage":"","language":"Go","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":null,"status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/h0n9.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":null,"code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null,"zenodo":null}},"created_at":"2022-07-26T12:36:05.000Z","updated_at":"2025-07-19T11:29:11.000Z","dependencies_parsed_at":"2023-01-18T14:30:16.619Z","dependency_job_id":"7ca4a10a-72be-4903-9f9d-3b48105e5362","html_url":"https://github.com/h0n9/cloud-secrets-manager","commit_stats":null,"previous_names":[],"tags_count":15,"template":false,"template_full_name":null,"purl":"pkg:github/h0n9/cloud-secrets-manager","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/h0n9%2Fcloud-secrets-manager","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/h0n9%2Fcloud-secrets-manager/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/h0n9%2Fcloud-secrets-manager/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories
/h0n9%2Fcloud-secrets-manager/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/h0n9","download_url":"https://codeload.github.com/h0n9/cloud-secrets-manager/tar.gz/refs/heads/develop","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/h0n9%2Fcloud-secrets-manager/sbom","scorecard":null,"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":286080680,"owners_count":28480754,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2026-01-16T11:59:17.896Z","status":"ssl_error","status_checked_at":"2026-01-16T11:55:55.838Z","response_time":107,"last_error":"SSL_read: unexpected eof while reading","robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":false,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["aws","cloud","devops","gcp","injector","kubernetes","secrets"],"created_at":"2026-01-16T18:26:11.533Z","updated_at":"2026-01-16T18:26:12.287Z","avatar_url":"https://github.com/h0n9.png","language":"Go","funding_links":[],"categories":[],"sub_categories":[],"readme":"# Cloud Secrets Manager 🌤🔐🐳\n\nThis simple yet powerful tool **Cloud Secrets Manager** aims to simplify the way\nto inject secrets stored on Cloud-based secrets managers into Kubernetes Pods,\nfunctioning as [HashiCorp Vault's Agent Sidecar\nInjector](https://www.vaultproject.io/docs/platform/k8s/injector).\n\nAlso, it provides a convenient CLI tool with features like `list` and `edit` to\nmake secret management easier than using the Cloud Console. 
If you want to jump\ninto the CLI tool, please refer to the [CLI Tool](#cli-tool) section right away.\n\n## Contents\n- [Supported Cloud Providers](#cloud-providers)\n  - [Current](#current)\n  - [Planned](#planned)\n- [Concept](#concept)\n  - [Constitution](#constitution)\n  - [Step-by-step](#step-by-step)\n- [Installation](#installation)\n  - [Prerequisites](#prerequisites)\n  - [Using Helm chart](#using-helm-chart)\n- [Usage](#usage)\n  - [Annotations](#annotations)\n  - [Providers](#providers)\n  - [CLI Tool](#cli-tool)\n\n## Supported Cloud Providers\n\n### Current\n- AWS(Amazon Web Services): [Secrets Manager](https://aws.amazon.com/secrets-manager/)\n- GCP(Google Cloud Platform): [Secret Manager](https://cloud.google.com/secret-manager) `(BETA)`\n\n### Planned\n- Azure: [Key Vault](https://azure.microsoft.com/services/key-vault/#getting-started)\n- Hashicorp: [Vault](https://www.vaultproject.io)\n\n## Concept\n\n### Constitution\n- `cloud-secrets-controller`\n- `cloud-secrets-injector`\n\n### Step-by-step\n1. `cloud-secrets-controller` watches incoming `/mutate`, `/validate` webhooks\nfrom Kubernetes API server.\n2. When pods are created or updated in a namespace labeled with\n`cloud-secrets-injector: enabled`, Kubernetes API server sends requests to\n`cloud-secrets-controller` webhook server.\n3. `cloud-secrets-controller` mutates the pod's manifests by injecting an init\ncontainer `cloud-secrets-injector` into the pod and mounting a temporary\ndirectory as a volume on the init and origin containers.\n4. When it comes to initializing the pods, the init container\n`cloud-secrets-injector` requests secret values, with a secret key id, from\nsecret providers and stores them in the temporary directory.\n5. 
Once `cloud-secrets-injector` has successfully completed its role, the origin\ncontainer starts running as defined on the manifest.\n\n## Installation\n\n### Prerequisites\n- Kubernetes Cluster\n- `kubectl`\n- `helm`\n\n### Using Helm chart\n```bash\nkubectl create namespaces cloud-secrets-manager\nhelm repo add h0n9 https://h0n9.github.io/helm-charts\nhelm upgrade --install -n cloud-secrets-manager cloud-secrets-manager h0n9/cloud-secrets-manager\n```\n\nYou can check out the official Helm chart repository\n[h0n9/helm-charts](https://github.com/h0n9/helm-charts).\n\nBy pressing the `⭐️ Star` button above, be the first to get notified of launch\nof other new charts.\n\n## Usage\n\n### Annotations\n\nThe following annotations are required to inject `cloud-secrets-injector` into\npods:\n\n| **Key**                                                | **Required** | **Description**                    | **Example**                                              |\n|--------------------------------------------------------|--------------|------------------------------------|----------------------------------------------------------|\n| `cloud-secrets-manager.h0n9.postie.chat/provider`      | true         | Cloud Provider Name                | `aws`                                                    |\n| `cloud-secrets-manager.h0n9.postie.chat/secret-id`     | true         | Secret Name                        | `very-precious-secret`                                   |\n| `cloud-secrets-manager.h0n9.postie.chat/template`      | true         | Template for secret value          | ```{{ range $k, $v := . 
}}{{ $k }}={{ $v }} {{ end }}``` |\n| `cloud-secrets-manager.h0n9.postie.chat/output`        | true         | File path for output               | `/secrets/env`                                           |\n| `cloud-secrets-manager.h0n9.postie.chat/decode-base64` | false        | Decode base64-encoded secret value | `true` or `false`                                        |\n| `cloud-secrets-manager.h0n9.postie.chat/injected`      | false        | Identifier for injection           | `false`                                                  |\n\n#### Annotations for Multiple Secrets Injection\n\nFrom the version `v0.4`, multiple secrets can be injected into pods by defining\nthe annotations as follows:\n\n```yaml\ncloud-secrets-manager.h0n9.postie.chat/provider: aws\ncloud-secrets-manager.h0n9.postie.chat/secret-id: secrets-env\ncloud-secrets-manager.h0n9.postie.chat/output: /secrets/env\ncloud-secrets-manager.h0n9.postie.chat/template: |\n  {{ range $k, $v := . }}export {{ $k }}={{ $v }}\n  {{ end }}\ncloud-secrets-manager.h0n9.postie.chat/provider-config-app: aws\ncloud-secrets-manager.h0n9.postie.chat/secret-id-config-app: secrets-config\ncloud-secrets-manager.h0n9.postie.chat/output-config-app: /config/application.yaml\ncloud-secrets-manager.h0n9.postie.chat/template-config-app: |\n  {{ .application-yaml }}\ncloud-secrets-manager.h0n9.postie.chat/provider-config-secrets: aws\ncloud-secrets-manager.h0n9.postie.chat/secret-id-config-secrets: secrets-config\ncloud-secrets-manager.h0n9.postie.chat/output-config-secrets: /config/secrets.yaml\ncloud-secrets-manager.h0n9.postie.chat/template-config-secrets: |\n  {{ .secrets-yaml }}\n```\n\nJust add `\u003csecret-name\u003e` at the end of each annotation key, like\n`cloud-secrets-manager.h0n9.postie.chat/provider-\u003csecret-name\u003e`. 
That's it!\n\n#### Annotation for Decoding Base64-encoded Secret Value\n\nFrom the version `v0.6`, you can decode base64-encoded secret values by setting\nthe `cloud-secrets-manager.h0n9.postie.chat/decode-base64` annotation to `true`.\n\n```yaml\ncloud-secrets-manager.h0n9.postie.chat/provider-cert: aws\ncloud-secrets-manager.h0n9.postie.chat/secret-id-cert: very-precious-secret\ncloud-secrets-manager.h0n9.postie.chat/output-cert: /secrets/precious.cer\ncloud-secrets-manager.h0n9.postie.chat/template-cert: |\n  {{ .base64-encoded-precious-cert }}\ncloud-secrets-manager.h0n9.postie.chat/decode-base64-cert: \"true\"\ncloud-secrets-manager.h0n9.postie.chat/provider-key: aws\ncloud-secrets-manager.h0n9.postie.chat/secret-id-key: very-precious-secret\ncloud-secrets-manager.h0n9.postie.chat/output-key: /secrets/precious.key\ncloud-secrets-manager.h0n9.postie.chat/template-key: |\n  {{ .base64-encoded-precious-key }}\ncloud-secrets-manager.h0n9.postie.chat/decode-base64-key: \"true\"\n```\n\nThis feature is useful when you want to inject a base64-encoded secret value as\na file into a pod.\n\n### Providers\n\nSupported providers require the annotations mentioned above in common. However,\nthe authentication method may differ depending on the provider. Please refer to the\nfollowing explanation.\n\n- [AWS(Amazon Web Services)](docs/aws.md)\n- [GCP(Google Cloud Platform)](docs/gcp.md)\n\n### CLI Tool\n\n#### Installation\n\nCloud Secrets Manager can be installed via Homebrew:\n\n```bash\n$ brew install h0n9/devops/cloud-secrets-manager\n```\n\nThat's it! 
You can now use the `cloud-secrets-manager` or `csm` commands.\n\n\u003e For `aws-vault` users, you can use the following command to execute the\n`cloud-secrets-manager` command with the specified AWS profile:\n\n```bash\n$ aws-vault exec \u003cprofile\u003e -- csm \u003ccommand\u003e\n```\n\n#### List Secrets\n\n```bash\n$ csm secrets list --provider aws --limit 3\ndev/hello-world\ndev/very-precious-secret\ndev/another-secret\n```\nThe `--limit` option is available to limit the number of secrets to be listed.\n\n#### Edit Secret\n\n```bash\n$ csm secrets edit --provider aws --secret-id dev/very-precious-secret\n```\n\nA text editor will be opened with the secret value. After editing, save and\nclose the editor to update the secret value. If you want to cancel the editing,\njust close the editor without saving.\n\nIf you want to use a specific editor, set the `EDITOR` environment variable.\n\n```bash\n$ export EDITOR=nano\n$ csm secrets edit --provider aws --secret-id dev/very-precious-secret\n```\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fh0n9%2Fcloud-secrets-manager","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fh0n9%2Fcloud-secrets-manager","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fh0n9%2Fcloud-secrets-manager/lists"}