Multiple AWS stores with extend
This example uses 2 AWS accounts, one for dev and one for production. It defines credentials for a database and injects them into the 2 contexts.
To access the 2 accounts, it uses a root account and assumes a role in the sub-accounts.
It requires the following environment values:
SECENV_aws_root_access_key_id
SECENV_aws_root_secret_access_key
SECENV_aws_root_region
.secenv.yaml
stores:
  aws_root:
    type: aws
  aws_dev:
    extends: aws_root
    assume_role: arn:aws:iam::<dev_account_id>:role/OrgAccessRole
  aws_prod:
    extends: aws_root
    assume_role: arn:aws:iam::<prod_account_id>:role/OrgAccessRole
secrets:
  - secret: DATABASE_CREDENTIALS
    store: aws_dev
    keys:
      - host
      - user
      - password
  - secret: DATABASE_CREDENTIALS
    store: aws_prod
    keys:
      - host
      - user
      - password
contexts:
  dev:
    vars:
      DB_HOST:
        store: aws_dev
        secret: DATABASE_CREDENTIALS
        key: host
      DB_USER:
        store: aws_dev
        secret: DATABASE_CREDENTIALS
        key: user
      DB_PASSWORD:
        store: aws_dev
        secret: DATABASE_CREDENTIALS
        key: password
  prod:
    vars:
      DB_HOST:
        store: aws_prod
        secret: DATABASE_CREDENTIALS
        key: host
      DB_USER:
        store: aws_prod
        secret: DATABASE_CREDENTIALS
        key: user
      DB_PASSWORD:
        store: aws_prod
        secret: DATABASE_CREDENTIALS
        key: password
Now, it is possible to run the following commands:
# Fill the secrets
$ secenv secrets
# And generate the context
$ secenv contexts
dev
prod
$ secenv context dev
export DB_HOST='...'
export DB_USER='...'
export DB_PASSWORD='...'
$ secenv context prod
export DB_HOST='...'
export DB_USER='...'
export DB_PASSWORD='...'
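A review-time check for a file laid out like the one above, as an added example that is not part of secenv or of the original page. It resolves `extends` chains and flags context variables that point at undeclared secrets or that mix stores within one context, such as a prod variable reading from `aws_dev`. The function names, the merge semantics assumed for `extends`, and the dict standing in for the parsed YAML are assumptions made for this example.

```python
# Added example, not secenv code. Assumption: a store with `extends` inherits
# its parent's settings and overrides them with its own.
def resolve_store(stores, name, seen=()):
    """Return the effective settings of a store after following `extends`."""
    if name not in stores:
        raise KeyError(f"unknown store: {name}")
    if name in seen:
        raise ValueError("extends cycle: " + " -> ".join(seen + (name,)))
    own = dict(stores[name])
    parent = own.pop("extends", None)
    inherited = resolve_store(stores, parent, seen + (name,)) if parent else {}
    return {**inherited, **own}

def lint(config):
    """List references a reviewer should look at before the file is merged."""
    findings = []
    declared = {(s["store"], s["secret"]): set(s.get("keys", []))
                for s in config.get("secrets", [])}
    for ctx, body in config.get("contexts", {}).items():
        used = set()
        for var, ref in body.get("vars", {}).items():
            if not isinstance(ref, dict):  # only the store/secret/key form is checked
                continue
            used.add(ref["store"])
            keys = declared.get((ref["store"], ref["secret"]))
            if ref["store"] not in config.get("stores", {}):
                findings.append(f"{ctx}.{var}: unknown store {ref['store']}")
            elif keys is None:
                findings.append(f"{ctx}.{var}: {ref['secret']} is not declared for {ref['store']}")
            elif ref["key"] not in keys:
                findings.append(f"{ctx}.{var}: key {ref['key']} is not declared")
        if len(used) > 1:  # e.g. a prod context that reads a dev secret
            findings.append(f"{ctx}: reads from several stores {sorted(used)}")
    return findings

def sample_config():
    """Constructed dict mirroring the .secenv.yaml on this page."""
    keys = ["host", "user", "password"]
    role = "arn:aws:iam::<{}_account_id>:role/OrgAccessRole"
    def db_vars(store):
        return {f"DB_{k.upper()}": {"store": store, "secret": "DATABASE_CREDENTIALS", "key": k} for k in keys}
    return {
        "stores": {"aws_root": {"type": "aws"},
                   "aws_dev": {"extends": "aws_root", "assume_role": role.format("dev")},
                   "aws_prod": {"extends": "aws_root", "assume_role": role.format("prod")}},
        "secrets": [{"secret": "DATABASE_CREDENTIALS", "store": s, "keys": keys}
                    for s in ("aws_dev", "aws_prod")],
        "contexts": {"dev": {"vars": db_vars("aws_dev")},
                     "prod": {"vars": db_vars("aws_prod")}},
    }
```

`lint(sample_config())` returns an empty list for the configuration on this page; a non-empty list is worth reviewing before the contexts are generated.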