Add Azure Key Vault provider

s12v · Jun 6, 2019 · 702e07d · 702e07d
1 parent 2527a48
commit 702e07d
Show file tree

Hide file tree

Showing 10 changed files with 378 additions and 24 deletions.
diff --git a/.gitignore b/.gitignore
@@ -1,3 +1,4 @@
+azure.auth
 bin
 coverage.txt
 main

diff --git a/Dockerfile b/Dockerfile
@@ -1,5 +1,9 @@
 FROM amazonlinux:2
 
-COPY ./bin/exec-with-secrets-linux-amd64 /usr/local/bin/exec-with-secrets
+ADD https://github.com/s12v/exec-with-secrets/releases/download/v0.3.0/exec-with-secrets-linux-amd64 /exec-with-secrets
 
-CMD exec-with-secrets
+RUN chmod +x /exec-with-secrets
+
+ENTRYPOINT ["/exec-with-secrets"]
+
+CMD env
diff --git a/Makefile b/Makefile
@@ -1,6 +1,6 @@
 .PHONY: all
 all: clean test build
-TAGS = awskms awssecretsmanager awsssm
+TAGS = awskms awssecretsmanager awsssm azurekeyvault
 
 clean:
 	rm -rf ./bin || true
@@ -13,4 +13,4 @@ build:
 	GOOS=darwin GOARCH=amd64 go build -i -tags '$(TAGS)' -ldflags='-s -w' -o "bin/exec-with-secrets-darwin-amd64"
 
 docker:
-	docker build -t exec-with-secrets-example .
+	docker build --no-cache -t exec-with-secrets-example .
diff --git a/README.md b/README.md
@@ -1,48 +1,50 @@
 [![Build Status](https://travis-ci.com/s12v/exec-with-secrets.svg?branch=master)](https://travis-ci.com/s12v/exec-with-secrets)
 [![codecov](https://codecov.io/gh/s12v/exec-with-secrets/branch/master/graph/badge.svg)](https://codecov.io/gh/s12v/exec-with-secrets)
 
-Populate secrets from AWS KMS, SSM or Secrets Manager into your app environment
-
-`exec-with-secrets` passes secrets from AWS KMS, SSM, or Secrets Manager into your app environment in a secure way.
+`exec-with-secrets` passes secrets from AWS KMS, SSM, Secrets Managerm or Azure Key Vault into your app environment in a secure way.
 
 It supports the following services as secrets providers:
  - [AWS Key Management (KMS)](https://aws.amazon.com/kms/)
- - [AWS Systems Manager Parameter Store](https://docs.aws.amazon.com/systems-manager/latest/userguide/systems-manager-paramstore.html)
+ - [AWS Systems Manager Parameter Store (SSM)](https://docs.aws.amazon.com/systems-manager/latest/userguide/systems-manager-paramstore.html)
  - [AWS Secrets Manager](https://aws.amazon.com/secrets-manager/)
+ - [Azure Key Vault](https://azure.microsoft.com/en-in/services/key-vault/)
 
 This small utility looks for prefixed variables in environment and replaces them with the secret value:
  - `{aws-kms}AQICAHjA3mwbmf...` - decrypts the value using AWS KMS
  - `{aws-ssm}/app/staging/param` - loads parameter `/app/staging/param` from AWS Systems Manager Parameter Store
  - `{aws-sm}/app/staging/param` - loads secret `/app/staging/param` from AWS Secrets Manager
  - `{aws-sm}/app/staging/param{prop1}` - loads secret `/app/staging/param` from AWS Secrets Manager and takes `prop1` property
+ - `{az-kv}vault/name` - loads secret `name` from Azure Key Vault `vault`
 
 Then it runs `exec` system call and replaces itself with your app.
 The secrets are only available to your application and not accessible with `docker inspect`.
 
-The default credentials chain is used for AWS access.
+Access:
+ - The default credentials chain is used for AWS access
+ - Azure authorizer from environment variables/MSI
+ - Azure authorizer from configuration file, if the file is set using `AZURE_AUTH_LOCATION` variable
 
 ## Examples
 
 ### Wrap an executable
 
 ```
-PARAM="{aws-kms}AQICAHjA3mwvsfng346vnbmf..." exec-with-secrets app
+# Download the latest binary
+curl -L https://github.com/s12v/exec-with-secrets/releases/download/v0.3.0/exec-with-secrets-darwin-amd64 -o exec-with-secrets
+chmod +x ./exec-with-secrets
+
+# Wrap /bin/sh
+PARAM="{aws-kms}c2VjcmV0" ./exec-with-secrets /bin/sh -c 'echo $PARAM'
 ```
 
-`PARAM` will be decrypted and passed to `app` via environment.
+`PARAM` will be decrypted and passed to `/bin/sh` via environment.
 
 ### Docker example
 
-Build an image:
+Build an example image:
 
 ```
-FROM amazonlinux:2
-
-ADD https://github.com/s12v/exec-with-secrets/releases/download/v0.3.0/exec-with-secrets-linux-amd64 /exec-with-secrets
-
-COPY app.jar /app.jar
-
-CMD exec-with-secrets java -jar /app.jar
+make docker
 ```
 
 Run:
@@ -51,16 +53,20 @@ docker run \
     -e PLAINTEXT_PARAM="text" \
     -e KMS_PARAM="{aws-kms}AQICAHjA3mwvsfng346vnbmf..." \
     -e SSM_PARAM="{aws-ssm}/myapp/param" \
-    myappimage
+    exec-with-secrets-example \
+    /bin/env
 ```
 
-`KMS_PARAM` and `SSM_PARAM` will be decrypted and passed to `app.jar` environment.
-`docker inspect` will still see the encrypted values
+`KMS_PARAM` and `SSM_PARAM` will be decrypted and passed to `/bin/env` as environment variables.
+See [Dockerfile](Dockerfile) example.
+
 
 ## Build
 
 `make` builds Linux and Mac binaries with all providers.
 
+### Choose providers
+
 To chose providers (for example only AWS SSM), run:
 ```
 make TAGS=awsssm

diff --git a/go.mod b/go.mod
@@ -1,3 +1,11 @@
 module github.com/s12v/exec-with-secrets
 
 require github.com/aws/aws-sdk-go-v2 v0.8.0
+
+require (
+	github.com/Azure/azure-sdk-for-go v30.0.0+incompatible
+	github.com/Azure/go-autorest/autorest v0.2.0
+	github.com/Azure/go-autorest/autorest/azure/auth v0.1.0 // indirect
+	github.com/Azure/go-autorest/autorest/to v0.2.0 // indirect
+	github.com/Azure/go-autorest/autorest/validation v0.1.0 // indirect
+)