https://github.com/javiermarasco/harpo
A powerful CLI to seamlessly manage secrets in Azure, AWS and GCP from a single command line.
- Host: GitHub
- URL: https://github.com/javiermarasco/harpo
- Owner: javiermarasco
- License: gpl-3.0
- Created: 2022-03-02T09:40:39.000Z (over 4 years ago)
- Default Branch: main
- Last Pushed: 2023-02-01T10:31:30.000Z (over 3 years ago)
- Last Synced: 2024-06-19T16:46:33.974Z (about 2 years ago)
- Topics: aws, azure, gcp
- Language: Go
- Homepage:
- Size: 113 KB
- Stars: 3
- Watchers: 2
- Forks: 1
- Open Issues: 0
Metadata Files:
- Readme: README.md
- License: LICENSE
README
# Harpo (short for Harpocrates)
The objective of this CLI is to manage secrets in Azure, AWS and GCP using a path that specifies where a secret is stored, in a "folder structure" approach, while providing an easy way to list the secrets in that folder structure and an easy way to retrieve their values.
# How to build it
To build this project you need Go 1.17; run the following command:
```
go build
```
That will create a file called `harpo.exe` on Windows and `harpo` on Linux.
# How to use
The syntax of the commands is the same for all cloud providers; just keep in mind that the order of the parameters is important (currently it is not possible to change the order of the parameters).
## Environment variables setup
You need to define some environment variables in order to use `harpo`. Which ones depend on the cloud provider, and you can have more than one cloud provider set up at the same time (this is mandatory if you want to copy or migrate secrets from one cloud to another). Once you have these variables defined you can start using the CLI.
### Azure
- "AZ_CLIENTID" (Contains the client id of the service principal/app registration used to access your keyvault)
- "AZ_CLIENTSECRET" (Contains the secret of the service principal/app registration)
- "AZ_TENANTID" (Contains the Tenant ID where your keyvault is deployed)
- "AZ_KVNAME" (Contains the name of the keyvault to use)
### AWS
- "AWS_ACCESS_KEY_ID" (Contains the key ID of the user that will be used to access Secrets Manager)
- "AWS_SECRET_ACCESS_KEY" (The secret access key of the user that will be used to access Secrets Manager)
- "AWS_REGION" (The region where the Secrets Manager instance is defined)
### GCP
- "GOOGLE_APPLICATION_CREDENTIALS" (Contains the path to the JSON file with the credentials for your Google Cloud account)
- "GCP_parent" (Contains the reference to the parent of the secrets in the format 'projects/parentid')
For AWS the following permissions are needed:
- secretsmanager:Name
- secretsmanager:Description
- secretsmanager:KmsKeyId
- aws:RequestTag/${TagKey}
- aws:ResourceTag/${TagKey}
- aws:TagKeys
- secretsmanager:ResourceTag/tag-key
- secretsmanager:AddReplicaRegions
- secretsmanager:ForceOverwriteReplicaSecret
- resourcetypes: Secret*
- secretsmanager:TagResource
- secretsmanager:UntagResource
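Because `harpo` reads its credentials from the environment, a wrapper script that runs it in automation should verify the variables for every provider it is about to use before calling the binary, and it should only ever name the missing variables, never print their values. The following preflight check is an added example for this README, not part of the harpo project; it uses the variable names listed above and returns non-zero when any of them is unset or empty (for GCP it additionally checks that the credentials file is readable).

```shell
#!/bin/sh
# Preflight check for the harpo environment variables listed in the README.
# Added example, not part of the harpo project. It reports which variable
# NAMES are missing and never prints their values.

# harpo_required_vars <provider>: print the variable names harpo needs for
# that provider ("az", "aws" or "gcp"), one per line.
harpo_required_vars() {
    case "$1" in
        az)  printf '%s\n' AZ_CLIENTID AZ_CLIENTSECRET AZ_TENANTID AZ_KVNAME ;;
        aws) printf '%s\n' AWS_ACCESS_KEY_ID AWS_SECRET_ACCESS_KEY AWS_REGION ;;
        gcp) printf '%s\n' GOOGLE_APPLICATION_CREDENTIALS GCP_parent ;;
        *)   return 2 ;;
    esac
}

# harpo_env_check <provider>...: return 0 when every variable of every listed
# provider is set and non-empty, 1 otherwise (missing names go to stderr),
# 2 for an unknown provider. Pass both providers (e.g. "aws az") before a
# copy or migrate, since both sides need credentials at the same time.
harpo_env_check() {
    missing=0
    for provider in "$@"; do
        names=$(harpo_required_vars "$provider") || {
            printf 'unknown provider: %s\n' "$provider" >&2
            return 2
        }
        for name in $names; do
            # Indirect expansion in POSIX sh; eval is only fed the fixed
            # variable names from harpo_required_vars, never user input.
            eval "value=\${$name:-}"
            if [ -z "$value" ]; then
                printf 'missing: %s (%s)\n' "$name" "$provider" >&2
                missing=$((missing + 1))
            elif [ "$name" = GOOGLE_APPLICATION_CREDENTIALS ] && [ ! -r "$value" ]; then
                # The path itself is a secret location; report the name only.
                printf 'credentials file named by %s is not readable\n' "$name" >&2
                missing=$((missing + 1))
            fi
        done
    done
    [ "$missing" -eq 0 ]
}

# Typical use in a script (not run here):
#   harpo_env_check aws az || exit 1
#   harpo aws copy -path /infra/dev -name servername -destination az
```

The check is deliberately silent about values: a CI log that prints `AZ_CLIENTSECRET` is a leak, while a log that says the variable is missing is merely diagnostic.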
## Path specification
The path is a logical, human-readable way to remember where the secrets are stored. The path can have any of the following formats:
- /some/words/to/define
- some/words/to/path
- /a/path/somewhere/
- a/path/to/some/secret
- Any "/" at the beginning or end of the path will be removed
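The rules in this section (leading and trailing "/" are dropped) and the secret name constraint given with each command below (alphanumeric, maximum length 20) are easy to apply client-side before calling `harpo`, so that a malformed name fails locally instead of producing a confusing error from the cloud provider. The helpers below are an added example, not harpo's own code; the combined "path/name" key they build follows the `infra/dev/serverport` form shown in the output of the list command further down.

```shell
#!/bin/sh
# Path and name helpers mirroring the rules in this README.
# Added example, not part of the harpo project.

# harpo_normalize_path <path>: strip every "/" at the start and at the end,
# e.g. "/a/path/somewhere/" -> "a/path/somewhere".
harpo_normalize_path() {
    p=$1
    while [ "${p#/}" != "$p" ]; do p=${p#/}; done   # leading slashes
    while [ "${p%/}" != "$p" ]; do p=${p%/}; done   # trailing slashes
    printf '%s\n' "$p"
}

# harpo_validate_name <name>: return 0 if the name is non-empty, purely
# alphanumeric and at most 20 characters long, 1 otherwise.
harpo_validate_name() {
    n=$1
    [ -n "$n" ] || return 1
    case "$n" in
        *[!A-Za-z0-9]*) return 1 ;;   # any character outside [A-Za-z0-9]
    esac
    [ "${#n}" -le 20 ]
}

# harpo_secret_key <path> <name>: print the "path/name" key as shown by
# "harpo list", or fail (message on stderr) when the name is invalid.
# An empty path after normalisation yields just the name.
harpo_secret_key() {
    harpo_validate_name "$2" || {
        printf 'invalid secret name: %s\n' "$2" >&2
        return 1
    }
    base=$(harpo_normalize_path "$1")
    if [ -z "$base" ]; then
        printf '%s\n' "$2"
    else
        printf '%s/%s\n' "$base" "$2"
    fi
}

# Example (not run here):
#   harpo_secret_key /infra/dev/ serverport   # -> infra/dev/serverport
```

The name check uses a `case` pattern rather than a regular expression so it works in any POSIX shell; note that it rejects hyphens and underscores, which matches the README's "alphanumeric" wording.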
## Write secrets
This command writes a secret into the secret store, using the path specified together with the secret's name and value.
```
harpo <cloud_provider> write -path <path> -name <secret_name> -value <secret_value>
```
- cloud_provider: Could be "az" for Azure or "aws" for AWS
- path: This is the path where the secret will be stored; it can start or end with a "/". Examples:
  - /infra/dev
  - /infra/dev/
  - infra/dev
- secret_name: This is the name the secret will have; it can be any alphanumeric name with a maximum length of 20. Examples:
  - servername
  - serverport
  - connectionstring
- secret_value: The value you want to store for this secret. Examples:
  - myserver.com
  - 8080
  - database1.server.com:4333
### Read secrets (Human readable)
This command looks for the secret within the path and outputs its value in a human-readable format.
This is useful when you are looking for a value in the secret store. For automation, check the "Export" command.
```
harpo <cloud_provider> read -path <path> -name <secret_name>
```
- cloud_provider: Could be "az" for Azure or "aws" for AWS
- path: This is the path where the secret is stored; it can start or end with a "/". Examples:
  - /infra/dev
  - /infra/dev/
  - infra/dev
- secret_name: This is the name of the secret to read; it can be any alphanumeric name with a maximum length of 20. Examples:
  - servername
  - serverport
  - connectionstring
Example output:
```
harpo read -path /infra/dev -name serverport
The value of the secret is: 443
```
### Export secrets (Automation)
This command looks for the secret within the path and outputs its value without any formatting.
This is the best option for automation.
```
harpo <cloud_provider> export -path <path> -name <secret_name>
```
- cloud_provider: Could be "az" for Azure or "aws" for AWS
- path: This is the path where the secret is stored; it can start or end with a "/". Examples:
  - /infra/dev
  - /infra/dev/
  - infra/dev
- secret_name: This is the name of the secret to export; it can be any alphanumeric name with a maximum length of 20. Examples:
  - servername
  - serverport
  - connectionstring
Example output:
```
harpo export -path /infra/dev -name serverport
443
```
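Since `export` prints the raw value, the safe pattern in automation is to capture it into a variable and pass it to the consuming program through its environment, never on a command line (where it would be visible in `ps` output and shell history) and never in log messages. The wrapper below is an added example, not part of the harpo project. It assumes `harpo` is on `PATH` and accepts `<cloud_provider> export -path <path> -name <secret_name>` as described in the parameter list above, printing only the value on stdout; error messages mention the path and name but never the value.

```shell
#!/bin/sh
# Using "harpo export" from an automation script.
# Added example, not part of the harpo project. Assumes harpo is on PATH and
# takes "<cloud_provider> export -path <path> -name <secret_name>".

# harpo_fetch_secret <provider> <path> <name>: print the secret value on
# stdout; return 1 if harpo fails or returns an empty value. harpo's own
# stderr is left untouched so its diagnostics stay separate from the value.
harpo_fetch_secret() {
    provider=$1 sec_path=$2 sec_name=$3
    value=$(harpo "$provider" export -path "$sec_path" -name "$sec_name") || {
        printf 'harpo export failed for %s/%s on %s\n' "$sec_path" "$sec_name" "$provider" >&2
        return 1
    }
    if [ -z "$value" ]; then
        printf 'empty value for %s/%s on %s\n' "$sec_path" "$sec_name" "$provider" >&2
        return 1
    fi
    printf '%s\n' "$value"
}

# harpo_run_with_secret <provider> <path> <name> <envvar> <cmd> [args...]:
# fetch the secret and run <cmd> with it exported as <envvar>. The export
# happens in a subshell so the value does not leak into the caller's
# environment, and it never appears in <cmd>'s argument list.
harpo_run_with_secret() {
    provider=$1 sec_path=$2 sec_name=$3 var=$4
    shift 4
    secret=$(harpo_fetch_secret "$provider" "$sec_path" "$sec_name") || return 1
    ( export "$var=$secret" && exec "$@" )
}

# Example (not run here): hand a connection string to a migration script
# as DB_DSN without it ever showing up in "ps" or in the CI log.
#   harpo_run_with_secret az /infra/dev connectionstring DB_DSN ./migrate.sh
```

If the consuming program can only take the secret from a file, write it with a restrictive umask (`umask 077`) to a temporary file that is removed afterwards; the same rule applies: the value itself never goes through `echo` or a log line.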
### List secrets
This command is useful for finding a secret in a path when you don't know which secrets are stored there.
```
harpo <cloud_provider> list -path <path>
```
- cloud_provider: Could be "az" for Azure or "aws" for AWS
- path: This is the path whose secrets will be listed; it can start or end with a "/". Examples:
  - /infra/dev
  - /infra/dev/
  - infra/dev
Example output:
```
harpo list -path /infra/dev
The path for the secret is: infra/dev/serverport
The path for the secret is: infra/dev/servername
```
### Delete secrets
This command deletes a secret from a cloud provider; `there is no confirmation requested`. Keep in mind that each cloud provider has a retention policy configuration: by default, when you delete a secret it stays "hidden" for a certain time, which makes it impossible to create another secret with the same name until that grace period has expired. Please check your cloud provider's documentation for more information.
```
harpo <cloud_provider> delete -path <path> -name <secret_name>
```
- cloud_provider: Could be "az" for Azure or "aws" for AWS
- path: This is the path where the secret is stored; it can start or end with a "/". Examples:
  - /infra/dev
  - /infra/dev/
  - infra/dev
- secret_name: This is the name of the secret to delete; it can be any alphanumeric name with a maximum length of 20. Examples:
  - servername
  - serverport
  - connectionstring
Example output:
```
harpo az delete -path /infra/demo -name servername
Deleteing secret from Azure Key Vault
Successfully deleted secret from Azure Keyvault
```
### Copy secrets
This command copies a secret from one cloud provider to another; it is only possible to copy between different cloud providers.
```
harpo <cloud_provider> copy -path <path> -name <secret_name> -destination <cloud_provider>
```
- cloud_provider: Could be "az" for Azure or "aws" for AWS
- path: This is the path where the secret is stored; it can start or end with a "/". Examples:
  - /infra/dev
  - /infra/dev/
  - infra/dev
- secret_name: This is the name of the secret to copy; it can be any alphanumeric name with a maximum length of 20. Examples:
  - servername
  - serverport
  - connectionstring
- destination: The cloud provider the secret is copied to, e.g. "az"
Example output:
```
harpo aws copy -path /infra/dev/servers/internal/sql/primary/ -name sqlconnectionstring -destination az
Copying secret from AWS to AZ
```
### Migrate secrets
This command copies the secret from one cloud provider to another and then deletes the original one, thus moving the secret.
```
harpo <cloud_provider> migrate -path <path> -name <secret_name> -destination <cloud_provider>
```
- cloud_provider: Could be "az" for Azure or "aws" for AWS
- path: This is the path where the secret is stored; it can start or end with a "/". Examples:
  - /infra/dev
  - /infra/dev/
  - infra/dev
- secret_name: This is the name of the secret to migrate; it can be any alphanumeric name with a maximum length of 20. Examples:
  - servername
  - serverport
  - connectionstring
- destination: The cloud provider the secret is moved to, e.g. "az"
Example output:
```
harpo aws migrate -path /infra/dev/servers/internal/sql/primary/ -name sqlconnectionstring -destination az
Migrating secret from AWS to AZ
```