Skip to main content
Version: 1.3

Multiple AWS stores with extend

This example uses 2 AWS accounts, one for dev, and one for production. It defines credentials for a database and inject them in the 2 contexts.

To access the 2 accounts, it uses a root account and assumes a role in the sub-accounts.

It requires the following environment values:

  • SECENV_aws_root_access_key_id
  • SECENV_aws_root_secret_access_key
  • SECENV_aws_root_region
.secenv.yaml
stores:
aws_root:
type: aws

aws_dev:
extends: aws_root
assume_role: arn:aws:iam::<dev_account_id>:role/OrgAccessRole

aws_prod:
extends: aws_root
assume_role: arn:aws:iam::<prod_account_id>:role/OrgAccessRole

secrets:
- secret: DATABASE_CREDENTIALS
store: aws_dev
keys:
- host
- user
- password

- secret: DATABASE_CREDENTIALS
store: aws_prod
keys:
- host
- user
- password

contexts:
dev:
vars:
DB_HOST:
store: aws_dev
secret: DATABASE_CREDENTIALS
key: host
DB_USER:
store: aws_dev
secret: DATABASE_CREDENTIALS
key: user
DB_PASSWORD:
store: aws_dev
secret: DATABASE_CREDENTIALS
key: password

prod:
vars:
DB_HOST:
store: aws_prod
secret: DATABASE_CREDENTIALS
key: host
DB_USER:
store: aws_prod
secret: DATABASE_CREDENTIALS
key: user
DB_PASSWORD:
store: aws_prod
secret: DATABASE_CREDENTIALS
key: password

Now, it is possible to generate the following commands:

# Fill the secrets
$ secenv secrets

# And generate the context
$ secenv contexts
dev
prod

$ secenv context dev
export DB_HOST='...'
export DB_USER='...'
export DB_PASSWORD='...'

$ secenv context prod
export DB_HOST='...'
export DB_USER='...'
export DB_PASSWORD='...'