Novops, the universal secret and configuration manager for development, applications and CI.
- Secret management: Load secrets safely from any source, including Hashicorp Vault, AWS, GCloud, Azure, SOPS and more
- Configuration as code: Seamlessly manage and set secure files and environment variables for your local development, applications, and CI pipelines.
- Security: Load secrets safely in-memory and keep them only for as long as they are needed to avoid mishandling or spreading sensitive data.
- Universal: Designed to be versatile and flexible, meeting a wide range of secret management needs across different platforms and tools.
- Free and Open Source: Novops is free and open-source - and will always be.
📖 Visit website for full documentation and examples
- Getting Started
- 🔐 Security
- Features
- Modules
- Examples
- Full Documentation
- Community and Support
- Roadmap
- Contributing
- Inspiration and similar tools
- License
- Acknowledgment
Let's deploy an application with secret password and SSH key from Hashicorp Vault and temporary AWS credentials.
Install Novops (or use another method):
sh -c "$(curl --location https://raw.githubusercontent.com/PierreBeucher/novops/main/install.sh)"Create .novops.yml and commit it safely - it does not contain any secret:
environments:
# Your development environment.
# Novops supports multiple environments:
# you can add integ, preprod, prod...
# with their own config.
dev:
# Environment variables for dev environment
variables:
# Fetch Hashicorp Vault secrets
- name: DATABASE_PASSWORD
value:
hvault_kv2:
path: app/dev
key: db_password
# Set plain string as config
- name: DATABASE_USER
value: postgres
# Load files safely in-memory.
# Environment variable APP_SSH_KEY
# will point to secure in-memory file
files:
- variable: APP_SSH_KEY
content:
hvault_kv2:
path: app/dev
key: ssh_key
# Generate temporary AWS credentials for an IAM Role
# Provide environment variables:
# - AWS_ACCESS_KEY_ID
# - AWS_SECRET_ACCESS_KEY
# - AWS_SESSION_TOKEN
aws:
assume_role:
role_arn: arn:aws:iam::12345678910:role/dev_deployRun commands with secrets and configs and discard them as soon as they're not needed anymore:
# bash: source with process substitution
source <(novops load)
# zsh / ksh: source with process substitution
source =(novops load)
# Run sub-process directly
novops run -- sh # or any other command, like 'terraform apply'
# load in .env file (novops creates a symlink pointing to secure temporary file)
novops load -s .envrc && source .envrcSecrets are available as environment variables and secure in-memory files:
echo $DATABASE_PASSWORD
# passxxxxxxx
echo $APP_SSH_KEY
# /run/user/1000/novops/... (in a secure tmpfs directory)
env | grep AWS
# AWS_ACCESS_KEY_ID=AKIAXXX
# AWS_SECRET_ACCESS_KEY=xxx
# AWS_SESSION_TOKEN=xxxSecrets are loaded temporarily as environment variables or in a protected tmpfs directory and kept only for as long as they are needed.
See Novops Security Model for details
- Securely load secrets in protected in-memory files and environment variables
- Generate temporary credentials and secrets
- Fetch secrets from anywhere: Hashicorp Vault, AWS, Google Cloud, Azure, SOPS and more. Avoid syncing secrets between local tool, CI/CD, and Cloud secret services.
- Feed secrets directly to command or process with
novops run, easing usage of tools like Terraform, Pulumi, Ansible... - Manage multiple environments:
dev,preprod,prod... and configure them as you need. - Easy installation with fully static binary or Nix
Novops uses modules to load and generate temporary secrets from various platforms and providers. Configure them in .novops.yml:
Supported Hashicorp Vault Secret Engines:
- Key Value v1/v2
- AWS: generate temporary STS credentials
See Hashicorp Vault module reference
environments:
dev:
variables:
# KV2 Secret Engine
- name: APP_PASSWORD
value:
hvault_kv2:
path: "myapp/dev/creds"
key: "password"
# KV1 Secret Engine
- name: APP_TOKEN
value:
hvault_kv1:
mount: kv1
path: "otherapp/dev/creds"
key: "token"
# AWS temporary creds with Vault
hashivault:
aws:
name: dev_role
role_arn: arn:aws:iam::111122223333:role/dev_roleMultiple AWS services are supported:
- Secrets Manager
- STS Assume Role for temporary IAM Role credentials
- SSM Parameter Store
environments:
dev:
# Temporary IAM Role credentials. Output variables
# AWS_ACCESS_KEY_ID
# AWS_SECRET_ACCESS_KEY
# AWS_SESSION_TOKEN
aws:
assume_role:
role_arn: arn:aws:iam::12345678910:role/my_dev_role
source_profile: novops
variables:
# Secrets Manager
- name: APP_PASSWORD
value:
aws_secret:
id: dev-app-password
# SSM Parameter Store
- name: APP_TOKEN
value:
aws_ssm_parameter:
name: dev-app-tokenLoad secrets from Google Cloud Secret Manager. See Google Cloud module reference
environments:
dev:
variables:
# Secret Manager
- name: APP_PASSWORD
value:
gcloud_secret:
name: projects/my-project/secrets/AppPasswordDev/versions/latestLoad secrets from Azure Key Vault. See Azure Key Vault module reference
environments:
dev:
variables:
# Key Vault
- name: APP_PASSWORD
value:
azure_keyvault_secret:
vault: vault-dev
name: app-passwordLoad secrets from SOPS encrypted files. See SOPS module reference
environments:
dev:
variables:
# SOPS nested key
- name: APP_PASSWORD
value:
sops:
file: sops/dev/encrypted.yml
extract: '["app"]["password"]'
# Entire SOPS file as dotenv
sops_dotenv:
- file: sops/dev/encrypted-dotenv.yml
- file: sops/dev/another-encrypted-dotenv.ymlLoad secrets from BitWarden. See BitWarden module reference
environments:
dev:
variables:
# BitWarden secret item
- name: APP_PASSWORD
value:
bitwarden:
entry: "App Password - Dev"
field: login.passwordExample .novops.yml for an application with database and two environments, dev & prod:
environments:
# DB login, password and host for dev
# Pass password as env var
dev:
variables:
- name: DB_PASSWORD
value:
hvault_kv2:
path: app/dev
key: db_password
- name: DB_USER
value: postgres
- name: DB_HOST
value: db.dev.example.com
# DB login, password and host for prod
# Pass password as secure file
prod:
files:
# Password will be saved in a secure file
# Environment variable DB_PASSWORD_FILE will point to it
# Such as DB_PASSWORD_FILE=/run/...
- variable: DB_PASSWORD_FILE
content:
hvault_kv2:
path: app/prod
key: db_password
variables:
- name: DB_USER
value: postgres
- name: DB_HOST
value: db.prod.example.comWith Novops you can:
Run your deployment script with Database secrets
novops run -- ./deploy-app.sh
# You can run any command
#
# novops run -- ansible-playbook deploy.yml
# novops run -- terraform plan && terraform apply
# novops run -- pulumi up -yrfOr directly run a sub-shell with secrets loaded:
novops run --shnovops load loads secrets directly as dotenv exportable file.
source <(novops load)Note: for security, Novops won't output anything directly in a terminal to prevent secret from being exposed directly.
By default Novops will prompt for environment
novops run -- ./deploy-app.sh
# Select environment: dev, prodYou can specify environment directly with -e ENV
novops run -e dev -- ./deploy-app.shLoad environment variables directly into containers:
docker run -it --env-file <(novops load -f dotenv -e dev) alpine sh
podman run -it --env-file <(novops load -f dotenv -e dev) alpine sh- Shell
- Docker & Podman
- Nix
- CI / CD
- Infra as Code
A question? A problem? A bug to report?
The following modules are expected to be implemented:
- More Hashicorp Vault Secret Engines among which
- Kubernetes
- SSH
- Azure Role
- 1Password
- Consul
- Infisical
Feel free to create an issue and contribute a PR !
We welcome contributions: bug reports/fixes, modules, proposals... :) To get started you can check Novops internal architecture and:
- https://github.com/getsops/sops
- https://github.com/dotenv-org/dotenv-vault
- https://github.com/tellerops/teller
- https://github.com/sorah/envchain
- https://github.com/Infisical/infisical
- https://github.com/99designs/aws-vault
- https://github.com/channable/vaultenv
GNU Lesser General Public License
Novops was initially developed and used at Novadiscovery who graciously transferred code ownership. Thanks Nova's team for your help in designing and developing Novops.