{"id":18419802,"url":"https://github.com/telia-oss/sidecred","last_synced_at":"2025-04-07T13:31:48.222Z","repository":{"id":44901028,"uuid":"236380797","full_name":"telia-oss/sidecred","owner":"telia-oss","description":"Automated lifecycle management for credentials","archived":false,"fork":false,"pushed_at":"2023-10-11T22:11:33.000Z","size":439,"stargazers_count":14,"open_issues_count":13,"forks_count":10,"subscribers_count":5,"default_branch":"master","last_synced_at":"2025-03-22T19:12:10.176Z","etag":null,"topics":["artifactory","aws","credentials","github","secrets"],"latest_commit_sha":null,"homepage":"","language":"Go","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"mit","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/telia-oss.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":".github/CODEOWNERS","security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null}},"created_at":"2020-01-26T21:47:01.000Z","updated_at":"2024-01-05T05:36:29.000Z","dependencies_parsed_at":"2024-06-19T01:39:23.281Z","dependency_job_id":"f131735b-9b76-492d-8b87-c3a9226c975c","html_url":"https://github.com/telia-oss/sidecred","commit_stats":null,"previous_names":[],"tags_count":28,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/telia-oss%2Fsidecred","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/telia-oss%2Fsidecred/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/telia-oss%2Fsidecred/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/telia-oss%2Fsidecred/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owner
s/telia-oss","download_url":"https://codeload.github.com/telia-oss/sidecred/tar.gz/refs/heads/master","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":247661788,"owners_count":20975117,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["artifactory","aws","credentials","github","secrets"],"created_at":"2024-11-06T04:18:27.181Z","updated_at":"2025-04-07T13:31:46.190Z","avatar_url":"https://github.com/telia-oss.png","language":"Go","funding_links":[],"categories":[],"sub_categories":[],"readme":"# sidecred\n\n[![go.dev reference](https://img.shields.io/badge/go.dev-reference-007d9c?logo=go\u0026logoColor=white\u0026style=flat-square)](https://pkg.go.dev/github.com/telia-oss/sidecred)\n[![latest release](https://img.shields.io/github/v/release/telia-oss/sidecred?style=flat-square)](https://github.com/telia-oss/sidecred/releases/latest)\n[![test](https://github.com/telia-oss/sidecred/actions/workflows/test.yml/badge.svg)](https://github.com/telia-oss/sidecred/actions/workflows/test.yml)\n[![go report](https://goreportcard.com/badge/github.com/telia-oss/sidecred?style=flat-square)](https://goreportcard.com/report/github.com/telia-oss/sidecred)\n\nSidecred handles the lifecycle of your credentials \"on the side\". It supports multiple credential providers and secret\nstores, and covers the whole lifecycle from creation, through rotation, to eventual deletion.\n\n## Why?\n\nSecurity and convenience. E.g. 
our CI/CD requires AWS credentials in order to deploy terraform templates, and instead of using static credentials tied\nto one or more IAM users, we can use Sidecred to create and rotate a temporary set of credentials that are tied to an IAM\nrole and written to a secret store where they can be accessed by our CI/CD. Likewise we can use Sidecred to provision and\nrotate temporary access tokens tied to a [Github App](https://developer.github.com/apps/) instead of using machine users\nto create personal access tokens (PATs) that are not automatically rotated.\n\n## Installation\n\nYou can install `sidecred` by downloading it from the [releases](https://github.com/telia-oss/sidecred/releases), or you\ncan easily deploy to AWS using the following terraform template: https://github.com/telia-oss/terraform-aws-sidecred.\n\n## Usage\n\nSee `sidecred --help` for supported flags. Flags can also be set via the environment: upper-case the flag name, replace\n`-` with `_` and prefix it with `SIDECRED_`. E.g. `--sts-provider-enabled` can be set with\n`SIDECRED_STS_PROVIDER_ENABLED=true`.\n\n## Configuration\n\n```yaml\n---\nversion: 1\n\nnamespace: cloudops\n\nstores:\n  - type: secretsmanager\n  - type: github\n    config:\n      repository: telia-oss/sidecred\n      secret_template: \"{{ .Namespace }}_{{ .Name }}\"\n  - type: github:dependabot\n    config:\n      repository: telia-oss/sidecred\n      secret_template: \"{{ .Namespace }}_{{ .Name }}\"\n\nrequests:\n  - store: github\n    creds:\n      - type: aws:sts\n        name: open-source-dev-read-only\n        config:\n          role_arn: arn:aws:iam::\u003caccount-id\u003e:role/role-name\n          duration: 15m\n  - store: github:dependabot\n    creds:\n      - type: aws:sts\n        name: open-source-dev-read-only\n        config:\n          role_arn: arn:aws:iam::\u003caccount-id\u003e:role/role-name\n          duration: 15m\n  - store: secretsmanager\n    creds:\n      - type: github:access-token\n        list:\n          - name: itsdalmo-access-token\n            config: { owner: 
itsdalmo }\n          - name: telia-oss-access-token\n            config: { owner: telia-oss }\n```\n\nAs shown above, Sidecred expects a YAML configuration that contains the following elements:\n\n- `namespace`: A namespace (e.g. the name of a team, project or similar) to use when processing the credential requests.\n  Replaces `{{ .Namespace }}` in secret templates and resource names.\n- `stores`: One or more secret stores to use for writing the requested credentials. A store is referenced from\n  `requests` by its `name:`, which defaults to its `type:`; you can `name:` stores for readability, or to tell apart\n  several stores of the same type.\n- `requests`: A list of credential requests that map `creds:` to a `store:`. Each credential request under `creds:`\n  should specify a credential `type:` and a unique `name:` for the credentials, and optionally a `config:` which is\n  passed to the credential provider. Several credentials of one type can be grouped under `list:`, as in the\n  `github:access-token` example above.\n\nSee below for a list of supported secret stores and credential providers.\n\n## Supported secret stores\n\nSecret stores are used to store credentials generated by providers. The following secret stores are supported:\n\n* [Inprocess](./store/inprocess/README.md) (`inprocess`)\n* [AWS Secrets Manager](./store/secretsmanager/README.md) (`secretsmanager`)\n* [AWS SSM Parameter store](./store/ssm/README.md) (`ssm`)\n* [Github Repository Secrets](./store/github/README.md) (`github`)\n\n## Supported providers\n\nProviders are used to generate/provide credentials (see the provider documentation for details):\n\n* [Github](./provider/github/README.md) (`github`)\n* [AWS](./provider/sts/README.md) (`aws`)\n* [Random](./provider/random/README.md) (`random`)\n* [Artifactory](./provider/artifactory/README.md) (`artifactory`)\n\n## Supported backends\n\nSidecred keeps an internal state to track credential expiration and to perform cleanup for external resources when they\nare no longer needed. 
Backends are used to store this internal state, and Sidecred currently supports the following\nbackends:\n\n* File\n* AWS S3\n\n## Development\n\n### Local\n\n```bash\n# Enable the STS provider\nexport AWS_REGION=eu-west-1\nexport SIDECRED_STS_PROVIDER_ENABLED=true\nexport SIDECRED_STS_PROVIDER_SESSION_DURATION=20m\n\n# Enable the Github provider\nexport SIDECRED_GITHUB_PROVIDER_ENABLED=true\nexport SIDECRED_GITHUB_PROVIDER_KEY_ROTATION_INTERVAL=20m\nexport SIDECRED_GITHUB_PROVIDER_INTEGRATION_ID=\"\u003cvalue\u003e\"\nexport SIDECRED_GITHUB_PROVIDER_PRIVATE_KEY=\"\u003cvalue\u003e\"\n\n# Choose a secret store and configure it\nexport SIDECRED_SSM_STORE_ENABLED=true\nexport SIDECRED_SSM_STORE_PATH_TEMPLATE=\"/sidecred/{{ .Namespace }}/{{ .Name }}\"\n\n# Choose a state backend and configure it\nexport SIDECRED_STATE_BACKEND=file\n\n# Enable debug logging\nexport SIDECRED_DEBUG=true\n```\n\nAfter setting the above you can execute `sidecred` as follows:\n\n```bash\n# The Github App credentials (integration ID and private key) and AWS STS credentials\n# should be populated using e.g. vaulted or aws-vault:\ngo run ./cmd/sidecred --config ./cmd/sidecred/testdata/config.yml\n```\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Ftelia-oss%2Fsidecred","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Ftelia-oss%2Fsidecred","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Ftelia-oss%2Fsidecred/lists"}
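The README's Configuration section describes how `namespace`, `stores` and `requests` fit together: a request names a store, the store's `secret_template` is rendered with `{{ .Namespace }}` and `{{ .Name }}`, and credential names must be unique. The program below is an added example, not code from sidecred or the telia-oss README: it loads a config of that shape and computes, per store, the secret names a run would write, rejecting the mistakes that matter for a credential broker (a duplicate store reference, a request pointing at an undeclared store, two credentials that would land on the same secret and overwrite each other, and an `aws:sts` `role_arn` without an account ID). Assumptions: the input is the README's YAML example re-expressed as JSON (constructed here, so the standard library can parse it), the default template `{{ .Namespace }}/{{ .Name }}` for stores without one is invented for this example, the ARN regex is this example's own sanity check, and the account ID `123456789012` is a placeholder.

```go
package main

import (
	"encoding/json"
	"fmt"
	"regexp"
	"strings"
	"text/template"
)

// Config types for the shape the README describes (this example's own, not sidecred's).
type (
	Item struct{ Name string; Config map[string]interface{} }
	Cred struct {
		Item        // a single name/config, or ...
		Type string
		List []Item // ... several names grouped under one type
	}
	Request struct{ Store string; Creds []Cred }
	Store   struct{ Type, Name string; Config map[string]string }
	Config  struct{ Version int; Namespace string; Stores []Store; Requests []Request }
)

// Assumed sanity check for aws:sts: an IAM role ARN carries a 12-digit account ID.
var roleARN = regexp.MustCompile(`^arn:aws:iam::\d{12}:role/[\w+=,.@/-]+$`)

// Plan validates a config and returns, per store, the secret names it would write.
func Plan(raw []byte) (map[string][]string, error) {
	var cfg Config
	if err := json.Unmarshal(raw, &cfg); err != nil {
		return nil, err
	}
	if cfg.Version != 1 || cfg.Namespace == "" {
		return nil, fmt.Errorf("version must be 1 and namespace must be set")
	}
	stores := map[string]*template.Template{}
	for _, s := range cfg.Stores {
		name := s.Name
		if name == "" {
			name = s.Type // unnamed stores are referenced by type, as in the README example
		}
		tmpl := s.Config["secret_template"]
		if tmpl == "" {
			tmpl = "{{ .Namespace }}/{{ .Name }}" // assumed default, for this example only
		}
		t, err := template.New(name).Option("missingkey=error").Parse(tmpl)
		if _, dup := stores[name]; dup || err != nil {
			return nil, fmt.Errorf("store %q: duplicate (%v) or bad secret_template (%v)", name, dup, err)
		}
		stores[name] = t
	}
	plan, seen := map[string][]string{}, map[string]bool{}
	for _, r := range cfg.Requests {
		t, ok := stores[r.Store]
		if !ok {
			return nil, fmt.Errorf("request references unknown store %q", r.Store)
		}
		for _, c := range r.Creds {
			items := c.List
			if c.Name != "" {
				items = append([]Item{c.Item}, items...)
			}
			for _, it := range items {
				if arn, _ := it.Config["role_arn"].(string); c.Type == "aws:sts" && !roleARN.MatchString(arn) {
					return nil, fmt.Errorf("%s: role_arn %q is not an IAM role ARN", it.Name, arn)
				}
				var sb strings.Builder
				if err := t.Execute(&sb, map[string]string{"Namespace": cfg.Namespace, "Name": it.Name}); err != nil {
					return nil, err
				}
				// Names are unique per store, and no two may render to one secret: otherwise one rotation overwrites another.
				nameKey, secretKey := r.Store+"|name|"+it.Name, r.Store+"|secret|"+sb.String()
				if it.Name == "" || seen[nameKey] || seen[secretKey] {
					return nil, fmt.Errorf("store %q: credential %q is missing a name or collides with another", r.Store, it.Name)
				}
				seen[nameKey], seen[secretKey] = true, true
				plan[r.Store] = append(plan[r.Store], sb.String())
			}
		}
	}
	return plan, nil
}

// SampleConfig is a constructed input mirroring the README's YAML example, written as
// JSON so encoding/json can parse it; the account ID 123456789012 is a placeholder.
const SampleConfig = `{"version": 1, "namespace": "cloudops",
 "stores": [{"type": "secretsmanager"},
  {"type": "github", "config": {"repository": "telia-oss/sidecred", "secret_template": "{{ .Namespace }}_{{ .Name }}"}},
  {"type": "github:dependabot", "config": {"repository": "telia-oss/sidecred", "secret_template": "{{ .Namespace }}_{{ .Name }}"}}],
 "requests": [
  {"store": "github", "creds": [{"type": "aws:sts", "name": "open-source-dev-read-only",
    "config": {"role_arn": "arn:aws:iam::123456789012:role/role-name", "duration": "15m"}}]},
  {"store": "github:dependabot", "creds": [{"type": "aws:sts", "name": "open-source-dev-read-only",
    "config": {"role_arn": "arn:aws:iam::123456789012:role/role-name", "duration": "15m"}}]},
  {"store": "secretsmanager", "creds": [{"type": "github:access-token", "list": [
    {"name": "itsdalmo-access-token", "config": {"owner": "itsdalmo"}},
    {"name": "telia-oss-access-token", "config": {"owner": "telia-oss"}}]}]}]}`

func main() {
	plan, err := Plan([]byte(SampleConfig))
	if err != nil {
		fmt.Println("invalid config:", err)
	}
	for store, secrets := range plan {
		fmt.Printf("%-18s -> %s\n", store, strings.Join(secrets, ", "))
	}
}
```

Running this prints one line per store, e.g. `secretsmanager -> cloudops/itsdalmo-access-token, cloudops/telia-oss-access-token`; the same credential name appearing under both `github` and `github:dependabot` is accepted because uniqueness is scoped to the store, while dropping the account ID from a `role_arn`, declaring `secretsmanager` twice without a `name:`, or pointing a request at a store that was never declared makes `Plan` return an error before anything would be written.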