https://github.com/pathmotion/aws-secrets-circleci
A circle ci step to load secrets from AWS Secrets Manager and store them into an .env file
- Host: GitHub
- URL: https://github.com/pathmotion/aws-secrets-circleci
- Owner: PathMotion
- Created: 2019-07-16T07:55:41.000Z (over 6 years ago)
- Default Branch: master
- Last Pushed: 2020-04-02T15:09:02.000Z (almost 6 years ago)
- Last Synced: 2025-04-07T20:01:46.531Z (10 months ago)
- Language: Python
- Size: 11.7 KB
- Stars: 4
- Watchers: 2
- Forks: 1
- Open Issues: 0
Metadata Files:
- Readme: README.md
README
# Circle CI AWS Secrets Manager connector
## About
This image loads the value of an AWS Secrets Manager secret and writes it to a file that can be sourced by a CircleCI job.
It is Python 3 based and uses the Boto library.
## Usage in Docker
```sh
# The tool reads its AWS credentials from KEY_ID and ACCESS_KEY, so they
# must be passed into the container with -e.
export KEY_ID=
export ACCESS_KEY=
docker run -e KEY_ID -e ACCESS_KEY pathmotion/aws-secrets-circleci \
  --region=eu-west-1 \
  --secret my-secrets-for-circle-ci \
  --output /root/secrets.env
# /root/secrets.env is written inside the container's filesystem; bind-mount
# a directory over /root if the file is needed on the host.
```
This writes a file like the following to `/root/secrets.env` (the path given by `--output`):
```
export FOO="bar"
export HELLO_CI="I am an AWS Secret"
```
This file can be sourced directly in a bash environment (`source /root/secrets.env`). Because the file is executed by the shell rather than parsed, a value containing `$`, backticks, `"` or `\` has to arrive properly escaped; check the generated file for such values before relying on it.
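The following is an added example of the fetch-and-render step described above, written here to show the shape of the output file and the quoting it needs. It is not the code of the pathmotion/aws-secrets-circleci project; the function names (`load_secret`, `secret_to_env`, `parse_env`, `is_valid_key`) are this example's own, and it emits values with `shlex.quote` (single quotes) instead of the double-quoted form shown above, so that `$`, backticks, `"` and `;` inside a secret value stay inert when the file is sourced. The sample secret is constructed for the example.

```python
"""Fetch a Secrets Manager secret and render it as a bash-sourceable .env file.

Added example, not the pathmotion/aws-secrets-circleci code. Function names
here are this example's own; only boto3's get_secret_value is the real API.
"""
import argparse
import json
import os
import re
import shlex
import sys
from typing import Dict

# Only valid shell identifiers may become variable names: a key such as
# "FOO; rm -rf /" would otherwise turn into a command in the sourced file.
_IDENT = re.compile(r"[A-Za-z_][A-Za-z0-9_]*")


def is_valid_key(key: str) -> bool:
    return _IDENT.fullmatch(key) is not None


def secret_to_env(secret_string: str) -> str:
    """Render a SecretString (a JSON object of key/value pairs) as
    `export KEY=VALUE` lines, one per key, in sorted order."""
    data = json.loads(secret_string)
    if not isinstance(data, dict):
        raise ValueError("SecretString must be a JSON object of key/value pairs")
    lines = []
    for key in sorted(data):
        if not is_valid_key(key):
            raise ValueError(f"secret key {key!r} is not a valid shell identifier")
        value = data[key]
        if not isinstance(value, str):
            value = json.dumps(value)  # numbers/bools/nested objects as JSON text
        # shlex.quote wraps anything non-trivial in single quotes, so the
        # shell never expands or executes the value when the file is sourced.
        lines.append(f"export {key}={shlex.quote(value)}")
    return "\n".join(lines) + "\n"


def parse_env(env_text: str) -> Dict[str, str]:
    """Read the generated file back the way bash would (POSIX shlex rules),
    so a round trip proves the quoting is right."""
    words = shlex.split(env_text)
    result: Dict[str, str] = {}
    for i in range(0, len(words), 2):
        if i + 1 >= len(words) or words[i] != "export" or "=" not in words[i + 1]:
            raise ValueError(f"unexpected tokens near {words[i:i + 2]!r}")
        key, value = words[i + 1].split("=", 1)
        result[key] = value
    return result


def load_secret(secret_name: str, region: str) -> str:
    """Fetch the SecretString with boto3. Credentials come from boto3's usual
    chain (AWS_ACCESS_KEY_ID / AWS_SECRET_ACCESS_KEY, a profile, or a role);
    the caller needs only secretsmanager:GetSecretValue on this one secret."""
    import boto3  # imported lazily so the formatting code runs without it
    client = boto3.client("secretsmanager", region_name=region)
    return client.get_secret_value(SecretId=secret_name)["SecretString"]


# Constructed sample mirroring the README's output, plus a hostile value.
SAMPLE_SECRET = json.dumps({
    "FOO": "bar",
    "HELLO_CI": "I am an AWS Secret",
    "DB_PASS": "p$ss'word`; rm -rf /",
})


def main(argv=None) -> int:
    ap = argparse.ArgumentParser()
    ap.add_argument("--region", required=True)
    ap.add_argument("--secret", required=True)
    ap.add_argument("--output", required=True)
    args = ap.parse_args(argv)
    env_text = secret_to_env(load_secret(args.secret, args.region))
    # Mode 0600: the file holds plaintext secrets.
    fd = os.open(args.output, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    with os.fdopen(fd, "w") as fh:
        fh.write(env_text)
    return 0


if __name__ == "__main__":
    sys.exit(main())
```

Run as `python load_secrets.py --region eu-west-1 --secret my-secrets-for-circle-ci --output secrets.env` with AWS credentials in the environment; `parse_env(secret_to_env(SAMPLE_SECRET))` returns the sample values unchanged, including the one containing `$`, a single quote, a backtick and `;`.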
## Usage in CircleCI
Define the executor, and set your AWS credentials as CircleCI environment variables named `AWSSM_KEY_ID` and `AWSSM_ACCESS_KEY` (the commands below copy them into `KEY_ID` and `ACCESS_KEY`, which the image reads)
```yaml
executors:
  aws-secrets:
    docker:
      - image: pathmotion/aws-secrets-circleci:latest
```
Define these commands to load the secrets from AWS and inject them into a job's environment variables. Note that the generated file holds the secrets in plaintext and is both persisted to the workspace and appended to `$BASH_ENV`, so treat the workspace as sensitive and scope the credentials in `AWSSM_KEY_ID`/`AWSSM_ACCESS_KEY` to `secretsmanager:GetSecretValue` on that one secret.
```yaml
commands:
  aws-secrets-load:
    description: Load secrets from an AWS Secrets Manager secret entry
    parameters:
      secret_name:
        type: string
        default: my-secret-from-aws
      aws_region:
        type: string
        default: eu-west-1
      filename:
        type: string
    steps:
      - attach_workspace:
          at: /secrets
      - run:
          command: |
            echo 'export KEY_ID="$AWSSM_KEY_ID"' >> $BASH_ENV
            echo 'export ACCESS_KEY="$AWSSM_ACCESS_KEY"' >> $BASH_ENV
      - run: load-aws-secrets --region << parameters.aws_region >> --secret << parameters.secret_name >> --output /secrets/<< parameters.filename >>
      - persist_to_workspace:
          root: /secrets
          paths:
            - << parameters.filename >>
  aws-secrets-source:
    description: Read the AWS Secrets Manager secrets
    parameters:
      filename:
        type: string
    steps:
      - attach_workspace:
          at: .
      - run: cat ./<< parameters.filename >> >> $BASH_ENV
```
And in your jobs (here, for example, a job that installs composer dependencies):
```yaml
jobs:
  load-secrets:
    executor: aws-secrets
    steps:
      - aws-secrets-load:
          filename: common-secrets.env
  deps-composer:
    executor: composer
    steps:
      - aws-secrets-source:
          filename: common-secrets.env
      - composer-install
```