Secrets filling
secenv can fill the secrets that are defined in the configuration file, creating them in their store first if needed. A secret is declared by its name and the store it lives in:
secrets:
  - secret: my_secret_1
    store: my_store
  - secret: my_secret_2
    store: my_store
Two secrets cannot share the same name in the same store, since the name is what identifies a secret within a store, but the same name may be reused across stores:
secrets:
  - secret: my_secret
    store: my_store_1
  - secret: my_secret
    store: my_store_2
In this case, a secret called my_secret is created in both my_store_1 and my_store_2.
For some stores, a secret can be either a raw value (for example the content of a file) or a key-value document, such as the JSON object held by an AWS secret. To declare the keys of a key-value secret, list them under keys:
secrets:
  - secret: my_kv_secret
    store: my_store
    keys:
      - key1
      - key2
The stores supporting key-value secrets are:
- AWS Secrets Manager
- HashiCorp Vault
For HashiCorp Vault, the secrets engine (mount) to use can be selected with the engine parameter:
secrets:
  - secret: my_kv_secret
    store: my_vault_store
    engine: my_engine
Once everything is configured, run:
secenv secrets
For each secret defined in the configuration file (and for each of its keys, if any are listed), secenv performs the following steps:
- If the secret does not exist, create it
- If the secret has a keys parameter, for each key:
  - If the key is not empty, ask whether to overwrite it
  - Ask for the value of the key
- Otherwise:
  - If the secret is not empty, ask whether to overwrite it
  - Ask for the value of the secret
- Fill the secret (once, with all of its keys)
If the value entered at the prompt starts with file:, secenv uses the content of the referenced file as the value instead, for example:
$ secenv secrets
Value for secret 'MY_SECRET' in store 'my_store'? file: /path/to/file
This also means that a literal value beginning with file: cannot be entered at the prompt as-is, since it would be read as a path.
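The following is an added example, not secenv's own code, that models the filling procedure above together with the duplicate-name rule and the file: prefix, using in-memory stores so it runs offline. It assumes each store is represented by a MemoryStore object with a supports_keys flag (secenv's store configuration is not shown on this page), that the prompts are injected as callables, and that the configuration is embedded as a Python list mirroring the YAML secrets: section; the sample values and the fake file content are constructed for the example.

```python
# Added example (not secenv's code): a model of the secret-filling procedure
# against in-memory stores. Assumptions: stores are MemoryStore objects with a
# `supports_keys` flag, prompts are injected callables, and the config is a
# Python list mirroring the YAML `secrets:` section.
from pathlib import Path
from typing import Callable, Dict, List, Optional, Union

Value = Union[str, Dict[str, str]]


class MemoryStore:
    """Stand-in for a real backend such as a Vault KV engine."""

    def __init__(self, supports_keys: bool = False) -> None:
        self.supports_keys = supports_keys
        self._data: Dict[str, Optional[Value]] = {}

    def exists(self, name: str) -> bool:
        return name in self._data

    def create(self, name: str) -> None:
        self._data[name] = None  # created, but still empty

    def get(self, name: str) -> Optional[Value]:
        return self._data.get(name)

    def put(self, name: str, value: Value) -> None:
        self._data[name] = value


def validate_config(secrets: List[dict], stores: Dict[str, MemoryStore]) -> None:
    """Reject duplicate (secret, store) pairs and keys on stores without KV support."""
    seen = set()
    for entry in secrets:
        pair = (entry["secret"], entry["store"])
        if pair in seen:
            raise ValueError(f"secret {pair[0]!r} defined twice in store {pair[1]!r}")
        seen.add(pair)
        store = stores.get(entry["store"])
        if store is None:
            raise ValueError(f"unknown store {entry['store']!r}")
        if entry.get("keys") and not store.supports_keys:
            raise ValueError(f"store {entry['store']!r} does not support key-value secrets")


def resolve_value(raw: str, read_file: Callable[[Path], str] = Path.read_text) -> str:
    """A value of the form 'file: /path' is replaced by that file's content."""
    if raw.startswith("file:"):
        return read_file(Path(raw[len("file:"):].strip()))
    return raw


def fill_secrets(secrets, stores, ask, confirm, read_file=Path.read_text):
    """Create missing secrets, ask before overwriting non-empty values, and
    write each secret once (with all of its keys). Returns what was created."""
    validate_config(secrets, stores)
    created = []
    for entry in secrets:
        name, store_name = entry["secret"], entry["store"]
        store = stores[store_name]
        if not store.exists(name):
            store.create(name)
            created.append((store_name, name))
        label = f"secret '{name}' in store '{store_name}'"
        keys = entry.get("keys")
        if keys:
            current = store.get(name) or {}
            updated = dict(current)  # keys the user declines to overwrite are kept
            for key in keys:
                if current.get(key) and not confirm(f"Overwrite {label} key '{key}'?"):
                    continue
                updated[key] = resolve_value(ask(f"Value for {label} key '{key}'?"), read_file)
            store.put(name, updated)
        else:
            if store.get(name) and not confirm(f"Overwrite {label}?"):
                continue
            store.put(name, resolve_value(ask(f"Value for {label}?"), read_file))
    return created


# Constructed sample mirroring the YAML examples above, with one pre-filled key.
SAMPLE_SECRETS = [
    {"secret": "my_secret", "store": "my_store_1"},
    {"secret": "my_secret", "store": "my_store_2"},
    {"secret": "my_kv_secret", "store": "my_vault_store", "keys": ["key1", "key2"]},
]


def run_sample():
    stores = {
        "my_store_1": MemoryStore(),
        "my_store_2": MemoryStore(),
        "my_vault_store": MemoryStore(supports_keys=True),
    }
    stores["my_vault_store"].create("my_kv_secret")
    stores["my_vault_store"].put("my_kv_secret", {"key1": "keep-me", "key2": ""})
    answers = iter(["hunter2", "file: /tmp/constructed.pem", "new-key2"])
    fake_files = {Path("/tmp/constructed.pem"): "-----BEGIN KEY-----\n"}  # constructed
    created = fill_secrets(
        SAMPLE_SECRETS, stores,
        ask=lambda prompt: next(answers),
        confirm=lambda prompt: False,  # decline every overwrite of a non-empty value
        read_file=lambda p: fake_files[p],
    )
    return created, {n: s._data for n, s in stores.items()}


if __name__ == "__main__":
    print(run_sample())
```

In the sample run, key1 of my_kv_secret already holds a value and the overwrite is declined, so it is left untouched while key2 is filled, and the secret is written back once with both keys; the second my_secret is filled from the fake file because its prompt answer starts with file:. A real implementation should read secret values with a non-echoing prompt such as getpass.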