{"id":16965253,"url":"https://github.com/s12v/exec-with-secrets","last_synced_at":"2025-03-22T14:31:02.212Z","repository":{"id":37962165,"uuid":"161030925","full_name":"s12v/exec-with-secrets","owner":"s12v","description":"Handle secrets in Docker using AWS KMS, SSM parameter store, Secrets Manager, or Azure Key Vault","archived":false,"fork":false,"pushed_at":"2023-03-13T14:58:02.000Z","size":68,"stargazers_count":54,"open_issues_count":7,"forks_count":10,"subscribers_count":2,"default_branch":"master","last_synced_at":"2025-03-18T12:01:40.039Z","etag":null,"topics":["azure-key-vault","docker","kms","secrets-manager","ssm"],"latest_commit_sha":null,"homepage":"","language":"Go","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"mit","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/s12v.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null}},"created_at":"2018-12-09T11:11:24.000Z","updated_at":"2024-02-10T03:19:42.000Z","dependencies_parsed_at":"2024-06-20T09:27:57.821Z","dependency_job_id":"64d794a1-37bb-408a-9d9e-3988a06c3350","html_url":"https://github.com/s12v/exec-with-secrets","commit_stats":null,"previous_names":["s12v/secure-exec"],"tags_count":10,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/s12v%2Fexec-with-secrets","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/s12v%2Fexec-with-secrets/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/s12v%2Fexec-with-secrets/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/s12v%2Fexec-with-secrets/man
ifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/s12v","download_url":"https://codeload.github.com/s12v/exec-with-secrets/tar.gz/refs/heads/master","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":244971792,"owners_count":20540858,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["azure-key-vault","docker","kms","secrets-manager","ssm"],"created_at":"2024-10-13T23:45:29.388Z","updated_at":"2025-03-22T14:31:01.816Z","avatar_url":"https://github.com/s12v.png","language":"Go","funding_links":[],"categories":[],"sub_categories":[],"readme":"[![Build Status](https://travis-ci.com/s12v/exec-with-secrets.svg?branch=master)](https://travis-ci.com/s12v/exec-with-secrets)\n[![codecov](https://codecov.io/gh/s12v/exec-with-secrets/branch/master/graph/badge.svg)](https://codecov.io/gh/s12v/exec-with-secrets)\n\n# Inject secrets from AWS KMS/SSM/Secrets Manager and Azure Key Vault into your app environment\n\n`exec-with-secrets` supports the following services as secrets providers:\n - [AWS Key Management (KMS)](https://aws.amazon.com/kms/)\n - [AWS Systems Manager Parameter Store (SSM)](https://docs.aws.amazon.com/systems-manager/latest/userguide/systems-manager-paramstore.html)\n - [AWS Secrets Manager](https://aws.amazon.com/secrets-manager/)\n - [Azure Key Vault](https://azure.microsoft.com/en-in/services/key-vault/)\n\nThis utility looks for prefixed variables in environment and replaces them with secret values:\n - `{aws-kms}AQICAHjA3mwbmf...` - decrypts the value using AWS KMS\n - `{aws-ssm}/app/param` - loads parameter 
`/app/param` from AWS Systems Manager Parameter Store\n - `{aws-sm}/app/param` - loads secret `/app/param` from AWS Secrets Manager\n - `{aws-sm}/app/param[prop1]` - loads secret `/app/param` from AWS Secrets Manager and takes `prop1` property\n - `{az-kv}vault/name` - loads secret `name` from Azure Key Vault `vault`\n \nAfter decrypting secrets it runs [`exec`](https://en.wikipedia.org/wiki/Exec_(system_call)) system call, replacing itself with your app.\nThe app can simply access decrypted secrets in the environment.\n\nBasic example:\n```\nSECRET=\"{aws-ssm}/my/secret\" exec-with-secrets myapp # SECRET value is in myapp environment\n```\n\n## Docker example\n\nBuild the example Docker image:\n\n```\nmake docker\n```\n\nRun:\n```\ndocker run -e PARAM=\"text\" -e KMS_PARAM=\"{aws-kms}c2VjcmV0\" exec-with-secrets-example echo $KMS_PARAM\n```\n\nYou need to put a real KMS-encrypted value and pass AWS credentials to the container. \n\n - `KMS_PARAM` will be decrypted and passed to `echo` as an environment variable\n - `PARAM` will be passed without modifications\n\nYou can adapt [Dockerfile](Dockerfile) for your use-case. Use `exec-with-secrets` just like the regular `exec`. For example, run a Java application with:\n```\nCMD exec-with-secrets java -jar myapp.jar\n```\n**Note that the decrypted secrets are only visible to your application. 
`docker inspect` will show encrypted values**\n\n## Secret provider access\n\nYour container should have appropriate permissions to the secrets provider.\n\n - The default AWS credentials chain is used\n - Azure authorizer from environment variables/MSI\n - Azure authorizer from configuration file, if the file is set using the `AZURE_AUTH_LOCATION` variable\n\n## Build\n\n`make` builds Linux and Mac binaries with all providers.\n\n### Choose providers\n\nTo choose providers (for example only AWS SSM), run:\n```\nmake TAGS=awsssm\n```\n\n## Adding a new provider\n\nSee example PR: https://github.com/s12v/exec-with-secrets/pull/1\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fs12v%2Fexec-with-secrets","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fs12v%2Fexec-with-secrets","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fs12v%2Fexec-with-secrets/lists"}