{"id":18419829,"url":"https://github.com/telia-oss/aws-env","last_synced_at":"2025-04-07T13:31:48.458Z","repository":{"id":40450885,"uuid":"141255485","full_name":"telia-oss/aws-env","owner":"telia-oss","description":"Securely populate environment variables using KMS/SSM/Secrets manager on AWS.","archived":false,"fork":false,"pushed_at":"2022-05-07T20:00:23.000Z","size":756,"stargazers_count":80,"open_issues_count":4,"forks_count":15,"subscribers_count":6,"default_branch":"master","last_synced_at":"2025-03-22T19:12:11.417Z","etag":null,"topics":["aws","aws-kms","aws-secrets-manager","aws-ssm"],"latest_commit_sha":null,"homepage":"","language":"Go","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"mit","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/telia-oss.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":".github/CODEOWNERS","security":null,"support":null}},"created_at":"2018-07-17T08:17:06.000Z","updated_at":"2024-12-19T16:56:21.000Z","dependencies_parsed_at":"2022-08-09T20:51:06.348Z","dependency_job_id":null,"html_url":"https://github.com/telia-oss/aws-env","commit_stats":null,"previous_names":[],"tags_count":10,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/telia-oss%2Faws-env","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/telia-oss%2Faws-env/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/telia-oss%2Faws-env/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/telia-oss%2Faws-env/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/telia-oss","download_url":"https://codeload.github.com/telia-oss/aws-env/tar.gz/refs/heads/master","host":{
"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":247661793,"owners_count":20975118,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["aws","aws-kms","aws-secrets-manager","aws-ssm"],"created_at":"2024-11-06T04:18:37.206Z","updated_at":"2025-04-07T13:31:46.791Z","avatar_url":"https://github.com/telia-oss.png","language":"Go","funding_links":[],"categories":["Go"],"sub_categories":[],"readme":"## aws-env\n\n[![build status](https://img.shields.io/github/workflow/status/telia-oss/aws-env/test?label=build\u0026logo=github\u0026style=flat-square)](https://github.com/telia-oss/aws-env/actions?query=workflow%3Atest)\n\nA small library and binary for securely handling secrets in environment variables on AWS. Supports KMS, SSM Parameter store and secrets manager. Inspired by [ssm-env](https://github.com/remind101/ssm-env).\n\n## Usage\n\nBoth the library and binary versions of `aws-env` will loop through the environment and exchange any variables prefixed with\n`sm://`, `ssm://` and `kms://` with their secret value from Secrets manager, SSM Parameter store or KMS respectively. 
In order\nfor this to work, the instance profile (EC2), task role (ECS), or execution role (Lambda) must have the correct privileges in order\nto retrieve the secret values and/or decrypt the secret using KMS.\n\nFor instance:\n- `export SECRETSMANAGER=sm://\u003cpath\u003e`\n- `export PARAMETERSTORE=ssm://\u003cpath\u003e`\n- `export KMSENCRYPTED=kms://\u003cencrypted-secret\u003e`\n- `export MULTIVALUE=sm://\u003cpath\u003e#\u003ckey\u003e` (if the secret itself contains JSON).\n\nWhere `\u003cpath\u003e` is the name of the secret in secrets manager or parameter store. `aws-env` will look up secrets in the region specified\nin the `AWS_REGION` or `AWS_DEFAULT_REGION` environment variables, and if they are both unset/empty it will contact the EC2 Metadata endpoint \n(if possible) and use the region where it is deployed.\n\nRequired IAM privileges:\n- Secrets manager: `secretsmanager:GetSecretValue` on the resource. And `kms:Decrypt` if not using the `aws/secretsmanager` key alias.\n- SSM Parameter store: `ssm:GetParameter` on the resource. `kms:Decrypt` on the KMS key used to encrypt the secret.\n- KMS: `kms:Decrypt` on the key used to encrypt the secret.\n\n#### Binary\n\nInstall using [homebrew](https://brew.sh/):\n\n```bash\nbrew install telia-oss/tap/aws-env\n```\n\nOr grab the binary from the [releases](https://github.com/telia-oss/aws-env/releases), and start your process with:\n\n```bash\naws-env exec -- \u003ccommand\u003e\n```\n\nThis will populate all the secrets in the environment, and hand over the process to your `\u003ccommand\u003e` with the same PID. 
The\npopulated secrets are only made available to the `\u003ccommand\u003e` and 'disappear' when the process exits.\n\n#### Library\n\nImport the library and invoke it prior to parsing flags or reading environment variables:\n\n```go\npackage main\n\nimport (\n\t\"fmt\"\n\n\t\"github.com/aws/aws-sdk-go/aws/session\"\n\tenvironment \"github.com/telia-oss/aws-env\"\n)\n\nfunc main() {\n\t// New AWS Session\n\tsess, err := session.NewSession()\n\tif err != nil {\n\t\tpanic(fmt.Errorf(\"failed to create new aws session: %s\", err))\n\t}\n\n\t// Populate secrets using aws-env\n\tenv, err := environment.New(sess)\n\tif err != nil {\n\t\tpanic(fmt.Errorf(\"failed to initialize aws-env: %s\", err))\n\t}\n\tif err := env.Populate(); err != nil {\n\t\tpanic(fmt.Errorf(\"failed to populate environment: %s\", err))\n\t}\n}\n```\n\n## Security\n\nThere are a couple of things to keep in mind when using `aws-env`:\n- Spawned processes will inherit their parent's environment by default. If your `\u003ccommand\u003e` spawns new processes they will inherit the environment _with the secrets already populated_, unless you hand-roll the environment for the new process.\n- The environment for a running process can be read by the root user (and yourself) _after secrets have been populated_ by running `cat /proc/\u003cpid\u003e/environ` on Linux, and `ps eww \u003cpid\u003e` on OSX. However, if root or the spawning user is compromised a malicious user can just as easily fetch the secrets directly from the AWS API ¯\\\\_(ツ)_/¯\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Ftelia-oss%2Faws-env","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Ftelia-oss%2Faws-env","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Ftelia-oss%2Faws-env/lists"}