Skip to main content
Version: 1.2

Stores definition

The stores are the underlying mechanism that permits to define and retrieve secrets in various kind of secret managers.

A store is basically a bridge between the user interface and the actual manager. Defining a store is simple, add this to your config:

stores:
my_awesome_store:
type: <type>

And voilà, the store my_awesome_store is now available in your contexts.

secenv can retrieve secrets from various managers, each one having its specificities. Here is an exhaustive list of the available secret managers (explanations for each one are given below):

Note that for each store, only the type argument is mandatory in the configuration file. For the other parameters, they can be filled using the following environment variable format:

SECENV_<store>_<parameter> = <value>

It is also possible for a store to extend another store. The extending store will inherit all the parameters of the extended store. Redefining parameters in the extending store will override the ones of the extended store. Here is an example:

stores:
root_account:
type: aws
region: <region>
access_key_id: <access_key_id>
secret_access_key: <secret_access_key>

sub_account:
extends: root_account
assume_role: <assume_role>

It can be useful if multiple stores share the same parameters. In this case, two AWS stores are sharing the same credentials but the extending one assume a role in another account before retrieving the secrets.

Azure Key Vault

To retrieve secrets from Azure Key Vault, add the following code:

stores:
my_azure_store:
type: azure
key_vault: <key_vault>

It is possible to configure it using the following environment variables:

SECENV_my_azure_store_key_vault = <key_vault>

SecEnv does not handle the authentication against Azure. To do so, use a dedicated Github Action or add the following step in the CI/CD:

az login -u $AZ_USER_NAME -p $AZ_USER_PASSWORD

More can be found on the official documentation.

AWS Secret Manager

To retrieve secrets from AWS Secret Manager, add the following code:

stores:
my_aws_store:
type: aws
region: <region>
access_key_id: <access_key_id>
secret_access_key: <secret_access_key>
assume_role: <assume_role>

The assume_role parameter is optional. If it is given, the AWS client will assume the role given in this parameter before trying to retrieve the secrets. The full ARN of the role must be given in the form arn:aws:iam::<account_id>:role/<role_name>.

It is possible to configure it using the following environment variables:

SECENV_my_aws_store_region = <region>
SECENV_my_aws_store_access_key_id = <access_key_id>
SECENV_my_aws_store_secret_access_key = <secret_access_key>
SECENV_my_aws_store_assume_role = <assume_role>

Bitwarden

To retrieve secrets from Bitwarden, secenv uses the unofficial rbw CLI. It is planned to migrate to plain Python and to not require any external dependency, but the Bitwarden API is closed-source.

Once the CLI installed, add the following code:

stores:
my_bitwarden_store:
type: bitwarden

The authentication is made through the CLI, so first login to your account. The store doesn't require any further configuration as everything is already done by the CLI.

Environment

To retrieve secrets from the local environment, add the following code:

stores:
my_env_store:
type: env

Having a local environment might not make sense in a real-life situation, but having it for debug purpose is very useful.

Note that it is not possible to fill secrets in the environment, as they will be discarded when secenv terminates.

GCP Secret Manager

To retrieve secrets from GCP Secret Manager, first choose a way to login to the service.

Only two of the authentication methods are handled by secenv. Either the authentication is made through the CLI, by running gcloud auth application-default login, or by using Application Credentials.

To use a GCP Secret Manager store, add the following code:

stores:
my_gcp_store:
type: gcp
project_id: <project_id>

It is possible to configure it using the following environment variables:

SECENV_my_gcp_store_project_id = <project_id>

To use Application Credentials, it is possible to set the following environment value:

SECENV_my_gcp_store_google_application_credentials = <google_application_credentials>

See here the relevant documentation. Anyway, it might be simpler to use an external method to handle the GCP authentication, such as a Github Action, or a Google-provided tool.

GNU Pass

To retrieve secrets from GNU Pass, add the following code:

stores:
my_pass_store:
type: pass
directory: <directory>

Passing the directory argument is not required, it will default to ~/.password-store. Note that the directory as well as the encryption keys must be configured before running secenv.

It is possible to configure it using the following environment variable:

SECENV_my_pass_store_directory = <directory>

Hashicorp Vault

To retrieve secrets from Hashicorp Vault, add the following code:

stores:
my_vault_store:
type: vault
url: <url>
token: <token>

It is possible to configure it using the following environment variables:

SECENV_my_vault_store_url = <url>
SECENV_my_vault_store_token = <token>

Scaleway Secret Manager

To retrieve secrets from Scaleway Secret Manager, add the following code:

stores:
my_scaleway_store:
type: scaleway
region: <region>
project_id: <project_id>
token: <token>

The region is something like fr-par, nl-ams, etc. The project ID is available in the settings section of the project. Even if it is not a secret, we recommend to not store it in the codebase.

The token should be generated from an IAM application linked to a policy allowing access to the Secret Manager only.

It is possible to configure it using the following environment variables:

SECENV_my_scaleway_store_region = <region>
SECENV_my_scaleway_store_project_id = <project_id>
SECENV_my_scaleway_store_token = <token>