Inject secrets from AWS KMS/SSM/Secrets Manager and Azure Key Vault into your app environment

exec-with-secrets supports the following services as secrets providers:

This utility looks for prefixed variables in environment and replaces them with secret values:

{aws-kms}AQICAHjA3mwbmf... - decrypts the value using AWS KMS
{aws-ssm}/app/param - loads parameter /app/param from AWS Systems Manager Parameter Store
{aws-sm}/app/param - loads secret /app/param from AWS Secrets Manager
{aws-sm}/app/param[prop1] - loads secret /app/param from AWS Secrets Manager and takes prop1 property
{az-kv}vault/name - loads secret name from Azure Key Vault vault

After decrypting secrets it runs exec system call, replacing itself with your app. The app can simply access decrypted secrets in the environment.

Basic example:

SECRET="{aws-ssm}/my/secret" exec-with-secrets myapp # SECRET value is in myapp environment

Docker example

Build the example Docker image:

make docker

Run:

docker run -e PARAM="text" -e KMS_PARAM="{aws-kms}c2VjcmV0" exec-with-secrets-example echo $KMS_PARAM

You need to put a real KMS-encrypted value and pass AWS credentials to the container.

You can adapt Dockerfile for your use-case. Use exec-with-secrets just like the regular exec. For example, run a Java application with:

CMD exec-with-secrets java -jar myapp.jar

Note that the decrypted secrets are only visible to your application. docker inspect will show encrypted values

Your container should have appropriate permissions to the secrets provider.

The default AWS credentials chain is used
Azure authorizer from environment variables/MSI
Azure authorizer from configuration file, if the file is set using AZURE_AUTH_LOCATION variable

make builds Linux and Mac binaries with all providers.

To chose providers (for example only AWS SSM), run:

make TAGS=awsssm

See example PR: https://github.com/s12v/exec-with-secrets/pull/1