Skip to main content

A tool for keeping secrets during software builds and deployments

Project description

SECTOOL

A tool for keeping secrets during software builds and deployments.

Challenge

The secrets like API keys or passwords should be used during run time and provided by execution environment. The simple solution is keeping them as environment variables. But values of the variables are usually kept as plain text inside files like Dockerfile or docker-compose.yml which is not secure.

Way to solve

The tool solves the issue, it allows you to keep secrets in an encrypted file and inject the values during software builds.

How it works?

  1. You create an .ini file where in section secrets you keep all your secrets.
  2. Encrypt the file. Later you can use the file (or files if you need different secrets for different environments).
  3. Run sectool by specifying the file and your deployment config file. The tool reads your deployment config, injects the corresponding values and print the result to stdout.
  4. Here is the step when Linux magic begins, the stdout can be piped to your building or deployment tool, also xargs can help.

Examples

Inject to Dockerfile and build a Docker image:

echo -n "Enter your password: "
read PASSWORD
python3.7 sectool.py secrets.dat $PASSWORD Dockerfile | docker build -t tulip -f - .

Inject to docker-compose.yml and build all images mentioned there:

echo -n "Enter your password: "
read PASSWORD
python3.7 sectool.py secrets.dat $PASSWORD docker-compose.yml | docker-compose -f - build

Inject to AWS Task Definition:

echo -n "Enter your password: "
read PASSWORD
python3.7 sectool.py secrets.dat $PASSWORD my-aws-task-def.json | xargs -0 aws ecs register-task-definition --region eu-west-1 --cli-input-json

How do I encrypt .ini file?

Easy. You need openssl, the software is very popular and included in almost popular Linux/Unix distributions.

How do I encrypt file?

openssl enc -aes-256-cbc -in secrets.ini -out secrets.dat

Don't forget password that the tool will ask! If you forget it, you won't be able to get access to your secrets.

How do I decrypt to check if everything okay?

openssl enc -aes-256-cbc -k <password> -d -in secrets.dat

How do I mention secret variables in my, for instance, Dockerfile?

Just use a name of the variable in double curly brackets {{api_key}}

Example of .ini file:

[secrets]
api_key = AGTDBLWLB5BGG7NNVHV

Example of Dockerfile:

FROM ubuntu:20.04
USER wheel

ENV API_KEY={{api_key}}

Project details


Download files

Download the file for your platform. If you're not sure which to choose, learn more about installing packages.

Source Distribution

sectool-0.0.12.tar.gz (4.0 kB view hashes)

Uploaded Source

Built Distribution

sectool-0.0.12-py3-none-any.whl (4.4 kB view hashes)

Uploaded Python 3

Supported by

AWS AWS Cloud computing and Security Sponsor Datadog Datadog Monitoring Fastly Fastly CDN Google Google Download Analytics Microsoft Microsoft PSF Sponsor Pingdom Pingdom Monitoring Sentry Sentry Error logging StatusPage StatusPage Status page