{"id":3832,"url":"https://github.com/tellerops/teller","last_synced_at":"2025-05-14T03:06:20.453Z","repository":{"id":37395114,"uuid":"351043495","full_name":"tellerops/teller","owner":"tellerops","description":"Cloud native secrets management for developers - never leave your command line for secrets.","archived":false,"fork":false,"pushed_at":"2024-07-30T08:41:59.000Z","size":10923,"stargazers_count":2880,"open_issues_count":46,"forks_count":187,"subscribers_count":30,"default_branch":"master","last_synced_at":"2024-10-29T15:02:29.318Z","etag":null,"topics":["aws","hashicorp","rust","rust-lang","secret-management","secrets","vault"],"latest_commit_sha":null,"homepage":"https://github.com/tellerops/teller","language":"Rust","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"apache-2.0","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/tellerops.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":"CONTRIBUTING.md","funding":null,"license":"LICENSE.txt","code_of_conduct":"CODE_OF_CONDUCT.md","threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null}},"created_at":"2021-03-24T10:49:44.000Z","updated_at":"2024-10-28T21:05:21.000Z","dependencies_parsed_at":"2024-01-24T07:43:15.888Z","dependency_job_id":"7d4262bf-5384-4cdd-a3c8-5644cb374182","html_url":"https://github.com/tellerops/teller","commit_stats":null,"previous_names":["spectralops/teller"],"tags_count":21,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/tellerops%2Fteller","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/tellerops%2Fteller/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/tellerops%2Fteller/releases","manifests_url":"https://repos.eco
syste.ms/api/v1/hosts/GitHub/repositories/tellerops%2Fteller/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/tellerops","download_url":"https://codeload.github.com/tellerops/teller/tar.gz/refs/heads/master","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":247962594,"owners_count":21024870,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["aws","hashicorp","rust","rust-lang","secret-management","secrets","vault"],"created_at":"2024-01-05T20:16:52.818Z","updated_at":"2025-04-09T02:12:51.052Z","avatar_url":"https://github.com/tellerops.png","language":"Rust","readme":"\u003cp align=\"center\"\u003e\n\u003cbr/\u003e\n\u003cbr/\u003e\n\u003cbr/\u003e\n   \u003cimg src=\"media/teller-logo.png\" width=\"288\"/\u003e\n\u003cbr/\u003e\n\u003cbr/\u003e\n\u003c/p\u003e\n\n\u003cp align=\"center\"\u003e\n\u003cb\u003e:computer: Never leave your terminal for secrets\u003c/b\u003e\n\u003cbr/\u003e\n\u003cb\u003e:pager: Create easy and clean workflows for working with cloud environments\u003c/b\u003e\n\u003cbr/\u003e\n\u003cb\u003e:mag_right: Scan for secrets and fight secret sprawl\u003c/b\u003e\n\u003chr/\u003e\n\u003c/p\u003e\n\n\u003cp align=\"center\"\u003e\n\u003cimg src=\"https://github.com/tellerops/teller/actions/workflows/build.yml/badge.svg\"/\u003e\n\n\u003c/p\u003e\n\n# Teller - the open-source universal secret manager for developers\n\nNever leave your terminal to use secrets while developing, testing, and building your apps.\n\nInstead of custom scripts, tokens in your `.zshrc` files, visible `EXPORT`s in 
your bash history, misplaced `.env.production` files and more around your workstation -- just use `teller` and connect it to any vault, key store, or cloud service you like (Teller supports Hashicorp Vault, AWS Secrets Manager, Google Secret Manager, and many more).\n\nYou can use Teller to tidy your own environment or for your team as a process and best practice.\n\n![](media/providers.png)\n\n## Quick Start with `teller`\n\n**Download a binary**\nGrab a binary from [releases](https://github.com/tellerops/teller/releases)\n\n**Build from source**\nUsing this method will allow you to eye-ball the source code, review it, and build a copy yourself.\n\nThis will install the binary locally on your machine:\n\n```bash\n$ cd teller-cli\n$ cargo install --path .\n```\n\n**Create a new configuration**\n\n```\n$ teller new\n? Select your secret providers ›\n⬚ hashicorp_consul\n⬚ aws_secretsmanager\n⬚ ssm\n⬚ dotenv\n⬚ hashicorp\n⬚ google_secretmanager\n```\n\nThen, edit the newly created `.teller.yml` to set the maps and keys that you need for your providers.\n\n## A look at `teller.yml`\nThe teller YAML describes your providers and within each provider a `map` that describes:\n\n* What is the root path to fetch key-values from\n* For each such map, its unique `id` which will serve you for operations later\n* For each map, an optional specific key name mapping - you can rename keys that you will fetch from the source provider\n\nHere's an example configuration file. 
Note that it also includes templating constructs -- such as fetching environment variables while loading the configuration:\n\n```yaml\nproviders:\n  hashi_1:\n    kind: hashicorp\n    maps:\n      - id: test-load\n        path: /{{ get_env(name=\"TEST_LOAD_1\", default=\"test\") }}/users/user1\n        # if empty, map everything\n        # == means map to same key name\n        # otherwise key on left becomes right\n        # in the future: key_transform: camelize, snake_case for automapping the keys\n        keys:\n          GITHUB_TOKEN: ==\n          mg: FOO_BAR\n  dot_1:\n    kind: dotenv\n    maps:\n      - id: stg\n        path: VAR_{{ get_env(name=\"STAGE\", default=\"development\") }}\n\n```\n\nYou can now address these providers as `hashi_1` or `dot_1`. Teller pulls the specified data from all providers by default.\n\n\n# Features\n\n## :running: Running subprocesses\n\nManually exporting and setting up environment variables for running a process with demo-like / production-like set up?\n\nGot bitten by using `.env.production` and exposing it in the local project itself?\n\nUsing `teller` and a `.teller.yml` file that exposes nothing to the prying eyes, you can work fluently and seamlessly with zero risk, also no need for quotes:\n\n```\n$ teller run --reset --shell -- node index.js\n```\n\n## :mag_right: Inspecting variables\n\nThis will output the current variables `teller` picks up. Only the first 2 letters will be shown from each, of course.\n\n```\n$ teller show\n```\n\n## :tv: Local shell population\n\nHardcoding secrets into your shell scripts and dotfiles?\n\nIn some cases it makes sense to eval variables into your current shell. 
For example in your `.zshrc` it makes much more sense to use `teller`, and not hardcode all those into the `.zshrc` file itself.\n\nIn this case, this is what you should add:\n\n```\neval \"$(teller sh)\"\n```\n\n## :whale: Easy Docker environment\n\nTired of grabbing all kinds of variables, setting those up, and worried about these appearing in your shell history as well?\n\nUse this one liner from now on:\n\n```\n$ docker run --rm -it --env-file \u003c(teller env) alpine sh\n```\n\n## :warning: Scan for secrets\n\nTeller can help you fight secret sprawl and hard coded secrets, as well as be the best productivity tool for working with your vault.\n\nIt can also integrate into your CI and serve as a shift-left security tool for your DevSecOps pipeline.\n\nLook for your vault-kept secrets in your code by running:\n\n```bash\n$ teller scan\n```\n\nYou can run it as a linter in your CI like so:\n\n```yaml\nrun: teller scan --error-if-found\n```\n\nIt will break your build if it finds something (returns exit code `1`).\n\nYou can also export results as JSON with `--json` and scan binary files with `-b`.\n\n## :recycle: Redact secrets from process outputs, logs, and files\n\nYou can use `teller` as a redaction tool across your infrastructure, and run processes while redacting their output as well as clean up logs and live tails of logs.\n\nPipe any process output, tail or logs into teller to redact those, live:\n\n```\n$ cat some.log | teller redact\n```\n\nIt should also work with `tail -f`:\n\n```\n$ tail -f /var/log/apache.log | teller redact\n```\n\nFinally, if you've got some files you want to redact, you can do that too:\n\n```bash\n$ teller redact --in dirty.csv --out clean.csv\n```\n\nIf you omit `--in` Teller will take `stdin`, and if you omit `--out` Teller will output to `stdout`.\n\n\n## :scroll: Populate templates\n\nYou can populate custom templates:\n\n```bash\n$ teller template --in config-templ.t\n```\n\nTemplate format is 
[Tera](https://keats.github.io/tera) which is very similar to liquid or handlebars.\n\nHere is an example template:\n\n```yaml\nproduction_var: {{ key(name=\"PRINT_NAME\")}}\nproduction_mood: {{ key(name=\"PRINT_MOOD\")}}\n```\n\n## :arrows_counterclockwise: Copy/sync data between providers\n\nIn cases where you want to sync between providers, you can do that with `teller copy`.\n\n**Specific mapping key sync**\n\nYou can use the `\u003cprovider name\u003e/\u003cmap id\u003e` format to copy a mapping from a provider to another provider:\n\n```bash\n$ teller copy --from source/dev --to target/prod,\u003c...\u003e\n```\n\nIn this simplistic example, we use the following configuration file:\n\n```yaml\nproviders:\n  dot1:\n    kind: dotenv\n    maps:\n      - id: one\n        path: one.env\n  dot2:\n    kind: dotenv\n    maps:\n      - id: two\n        path: two.env\n```\n\nThis will:\n\n1. Grab all mapped values from source mapping\n2. For each target provider, find the matching mapping, and copy the values from source into it\n\n\nBy default, copying will **update** the target mapping (upsert data); if you want to replace it, you can use `--replace`.\n\n## :bike: Write and multi-write to providers\n\nTeller providers support _write_ use cases, which allow writing values _into_ providers.\n\nRemember, this feature still revolves around definitions in your `teller.yml` file:\n\n```bash\n$ teller put --providers new --map-id one NEW_VAR=s33kret\n```\n\nIn this example, this configuration is being used:\n\n```yaml\nproviders:\n  new:\n    kind: dotenv\n    maps:\n      - id: one\n        path: new.env\n```\n\nA few notes:\n\n- Values are key-value pairs in the format: `key=value` and you can specify multiple pairs at once\n- When you're specifying a literal sensitive value, make sure to use an ENV variable so that nothing sensitive is recorded in your history\n- The flag `--providers` lets you push to one or more providers at once\n\n## :x: Delete and multi-delete from 
providers\n\nTeller providers support _deleting_ values _from_ providers.\n\n```bash\n$ teller delete --providers new --map-id one DELETE_ME\n```\n\nA few notes:\n\n- You can specify multiple keys to delete, for example:\n- The flag `--providers` lets you push to one or more providers at once\n\n\n## `YAML` Export in YAML format\n\nXXX TODO: rewrite how the command export works\n\nYou can export in a YAML format, suitable for [GCloud](https://cloud.google.com/functions/docs/env-var):\n\n```\n$ teller export yaml\n```\n\nExample format:\n\n```yaml\nFOO: \"1\"\nKEY: VALUE\n```\n\n## `JSON` Export in JSON format\n\n\nYou can export in a JSON format, suitable for piping through `jq` or other workflows:\n\n```\n$ teller export json\n```\n\nExample format:\n\n```json\n{\n  \"FOO\": \"1\"\n}\n```\n\n# Providers\n\nYou can get a list of the providers and their described configuration values [in the documentation](https://docs.rs/teller-providers/latest/teller_providers/providers/index.html).\n\n### Testing check list:\n\n* [ ] **docker on windows**: if you have a container based test that uses Docker, make sure to exclude it on Windows using `#[cfg(not(windows))]`\n\n* [ ] **resource semantics**: while building providers, align with the semantics of _empty_ and _not found_ as two different semantics: if a provider supports an explicit \"not found\" semantic (404, NotFound, etc.), use `Error::NotFound`. Otherwise when a provider signals a \"not found\" semantic as an empty data bag, return an empty `KV[]` (i.e. 
do not translate a semantic of \"empty\" into \"not found\").\n\n### Testing\n\nTesting is done with:\n\n```\n$ cargo test --all --all-features\n```\n\nAnd requires Docker (or equivalent) on your machine.\n\n### Thanks:\n\nTo all [Contributors](https://github.com/spectralops/teller/graphs/contributors) - you make this happen, thanks!\n\n### Code of conduct\n\nTeller follows [CNCF Code of Conduct](https://github.com/cncf/foundation/blob/master/code-of-conduct.md)\n\n# Copyright\n\nCopyright (c) 2024 [@jondot](http://twitter.com/jondot). See [LICENSE](LICENSE.txt) for further details.\n","funding_links":[],"categories":["Sponsors","Rust","Secrets management","aws","\u003ca name=\"password-manager\"\u003e\u003c/a\u003ePassword managers","Secret Management"],"sub_categories":["_Never leave your command line for secrets_","Regex"],"project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Ftellerops%2Fteller","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Ftellerops%2Fteller","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Ftellerops%2Fteller/lists"}