Skip to main content
Version: 1.3

Secrets filling

It is possible to ask secenv to fill secrets that are defined in the configuration file.

To define a secret, use the following code:

secrets:
  - secret: my_secret_1
    store: my_store
  - secret: my_secret_2
    store: my_store

It is not possible to have multiple secrets having the same name in the same store, reasons are fairly obvious, but it is possible for secrets to share the same name across multiple stores, like this:

secrets:
  - secret: my_secret
    store: my_store_1
  - secret: my_secret
    store: my_store_2

In this case, a secret called my_secret is created in both my_store_1 and my_store_2.

For some stores, secrets can be either a raw value (i.e. file content), or a key-value store like a JSON file (i.e. in AWS). To do so, use the following code:

secrets:
  - secret: my_kv_secret
    store: my_store
    keys:
      - key1
      - key2

The stores supporting key-value secrets are:

  • AWS Secret Manager
  • Hashicorp Vault
  • Scaleway Secret Manager

For Hashicorp Vault, it is possible to specify the engine to use, to do so, add:

secrets:
  - secret: my_kv_secret
    store: my_vault_store
    engine: my_engine

Once everything is configured, run:

secenv secrets

For each secret defined in the configuration file (and for each key if some are provided), secenv will perform the following steps:

  • If the secret doesn't exist, create it
  • If the secret contains the keys parameter, do the following steps for each key
  • If the secret/key is not empty, ask to overwrite it
  • Ask for the value of the secret/key, or generate it
  • Fill the secret (once with all the keys)

If the provided value starts with file:, secenv considers it must use the content of the file as the secret value, by example:

$ secenv secrets
Value for secret 'MY_SECRET' in store 'my_store'? file: /path/to/file

It is possible to generate secrets as well, to do so, use the following code:

secrets:
  - secret: my_secret
    store: my_store
    generate:
      type: <type>

For now, two types are available: password and dummy.

/!\ The dummy type is for debug purposes and fills the secret with the value password. DO NOT use it in production.

For the password type, it accepts the following parameters:

secrets:
  - secret: my_secret
    store: my_store
    generate:
      type: password
      length: <length> # defaults to 24
      alphabets:
        - <alphabet>

The alphabets are available in the string Python module. It defaults to string.printable without string.whitespace as it contains \t\r\n which can break a lot of things.

The alphabets shouldn't include the heading string.. In example, to use string.ascii_letters, add only ascii_letters in the alphabet list.

Note: it is possible to mix keys and generate, but the keys will all have the same type.