A project aimed to avoid downloading secrets from remote providers (support only AWS Secret Manager for the moment). Opens an editor with the content of the secret readily editable, upon save & exit, the secret is automatically uploaded and a new version created remotely. This way, no need to use common bad-practices such as versionning secrets in a VCS or worst, storing them on your machine and sending them via slack :)
|
Note
|
This project is at its earliest stage a project can be, i.e. a proof of concept that might or not develop into a full fledged project. |
Just like awscli, you can customize the profile and region to use:
OPTIONS: -P, --profile <profile> Use a specific aws profile, overrides config and env settings -R, --region <region> The region where the secret is, overrides config and env settings
These are global options, and can be set anywhere in the command.
Lists your secrets and their versions
USAGE:
barberousse list [OPTIONS] [secret-id]
ARGS:
<secret-id> The id of the secret for which to list versions
If no secret-id is passed, lists all your secrets. To list the versions, just pass the id of the secret.
Cat your secret in a nice format into stdout
By default the remote secret is read as a json secret and printed in yaml for ease of read. However, you can customize this behavior to your choosing by passing the print format defining how you want your secrets to be formatted, and secret format defining the format of the remote secret.
ARGS:
<secret-id> The id of the secret to print
FLAGS:
-n, --no-color Do not color the output, this behavior is the same as when piping to another program
OPTIONS:
-p, --print-format <print-format> The format used to print the secret, if the secret's
format is `text`, this will be ignored and defaults to
`text` too [default: yaml]
[possible values: json, yaml, text]
-s, --secret-format <secret-format> The format of the secret's remote storage [default: json]
[possible values: json, yaml, text]
--version-id <version-id> Cat a specific version
The output is pretty-printed, and color highlighted by default. Disable that by using --print-format=text
-
YAML output (default)
❯❯❯ barberousse cat /test/file --print-format yaml 1 │ --- 2 │ a: secret 3 │ another: secret value
-
JSON output
❯❯❯ barberousse cat /test/file --print-format json 1 │ { 2 │ "a": "secret", 3 │ "another": "secret value" 4 │ } -
JSON output piped to
jq❯❯❯ barberousse cat /test/file --print-format json | jq -r '.a' secret
How it may look like on your terminal:
Allows you to edit a remote secret without saving it on disk (a temp file is created though… a more secure way to handle temp files will come in the future, see #3). You can use different formats to edit your secret (json, yaml, plain text).
ARGS:
<secret-id> The id of the secret to edit
OPTIONS:
-e, --edit-format <edit-format> The format used to edit the secret, if the secret's
format is `text`, this will be ignored and defaults
to `text` too [default: yaml]
[possible values: json, yaml, text]
-s, --secret-format <secret-format> The format of the secret's remote storage [default: json]
[possible values: json, yaml, text]
--editor <editor> Override the default editor, $EDITOR, used for
editing the secret
-
To edit in YAML a JSON secret (default):
❯❯❯ barberousse edit /test/file --edit-format yaml --secret-format json
-
To edit in JSON a JSON secret:
❯❯❯ barberousse edit /test/file --edit-format json --secret-format json
How it may look like on your terminal:
By copying a secret, you can customize them for different usage. Use this feature wisely as it may lead to re-using the secrets and this is not a good practice.
ARGS:
<secret-id> The id of the secret to copy
<target-id> The id of the secret to create
OPTIONS:
-e, --edit-format <edit-format> The format used to edit the secret, if the secret's
format is `text`, this will be ignored and defaults
to `text` too [default: yaml]
[possible values: json, yaml, text]
-s, --secret-format <secret-format> The format of the secret's remote storage [default: json]
[possible values: json, yaml, text]
--editor <editor> Override the default editor, $EDITOR, used for
editing the secret
--target-region <target-region> Use a different region for the target secret
-
To copy a JSON secret and edit it in YAML (default):
❯❯❯ barberousse copy /test/file /test/file2
-
To copy a secret from one region to another:
❯❯❯ barberousse copy /test/file /test/file2 --region eu-west-1 --target-region eu-west-3
We’re almost there!
-
✓ General
-
✓ Support selecting profiles and regions (env variables are supported though)
-
-
✓ Editing
-
✓ Edit JSON, YAML, text
-
✓ Edit JSON using YAML (default behavior)
-
✓ Edit <format> using <another format>
-
✓ Create a secret if not exist
-
✓ Custom editor selection, pass
--editor
-
-
✓ Printing
-
✓ Cat the content of a secret in one or many other formats
-
-
✓ Copy
-
✓ Duplicate a secret (and open an editor before saving the copy)
-
✓ Support cross region
-
Some extra features to edit non-content info. This should be more an interactive process overall otherwise it would not make sense to have them as the aws cli already provides a good api to do exactly that.
-
Edit secret’s metadata (description and KMS key): replaces the
update-secret --description "" --kms-key-id "" -
Print secret’s metadata