Add secrets from AWS Parameter Store to your environment. That's it.
Inspired by chamber but losing the bells and whistles -- secretly only performs reads from the parameter store -- and a little less opinionated about namespacing and parameter store usage.
secretly runs the command passed to it with the variables defined in the SECRETLY_NAMESPACE of AWS' Parameter Store. If SECRETLY_NAMESPACE is undefined, it runs the command normally, without adding anything to the environment.
secretly [COMMAND...]
SECRETLY_NAMESPACE=MY_NAMESPACE secretly [COMMAND...]
For example, say you've stored the value mysecretpassword with the name /foo/bar/BAZ in the parameter store.
$ secretly env | grep BAZ
# nothing
$ export SECRETLY_NAMESPACE=foo/bar
$ secretly env | grep BAZ
BAZ=mysecretpassword
In addition, it's possible to specify multiple namespaces by separating them with commas in the SECRETLY_NAMESPACE variable. If a parameter is defined in multiple namespaces, the parameter from the right-most entry in the comma-separated list of namespaces will be returned.
$ secretly env | grep APP
# nothing
$ export SECRETLY_NAMESPACE=common/dev,myapp/dev
$ secretly env | grep APP
APP_SHARED_API_KEY=mysecretpassword
APP_MYAPP_SECRET=mysecretpassword
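The right-most-wins rule above, modelled as an added example (not secretly's own code) that also reports which definitions were overridden, so a shared namespace silently shadowed by an app namespace can be audited. SAMPLE_STORE is constructed data, parse_namespaces and resolve are hypothetical names, and the mapping of a parameter to a variable (last path segment, direct children of the namespace only) is an assumption.

```python
# Added example: a model of the namespace precedence described above.
# SAMPLE_STORE is constructed sample data, not real parameters.
SAMPLE_STORE = {
    "/common/dev/APP_SHARED_API_KEY": "shared-key-from-common",
    "/common/dev/APP_LOG_LEVEL": "info",
    "/myapp/dev/APP_MYAPP_SECRET": "myapp-secret",
    "/myapp/dev/APP_LOG_LEVEL": "debug",
    "/other/dev/UNRELATED": "ignored",
}


def parse_namespaces(value):
    """Split a SECRETLY_NAMESPACE value into normalized '/ns/path/' prefixes."""
    if not value:
        return []  # undefined or empty: nothing is looked up
    prefixes = []
    for part in value.split(","):
        part = part.strip().strip("/")
        if part:
            prefixes.append("/" + part + "/")
    return prefixes


def resolve(namespace_value, store):
    """Return (env, shadowed): merged variables and overridden definitions.

    Assumption: only parameters directly under a namespace are mapped, and
    the variable name is the last path segment.
    """
    env, origin, shadowed = {}, {}, []
    for prefix in parse_namespaces(namespace_value):  # left to right
        for name in sorted(store):
            if not name.startswith(prefix):
                continue
            key = name[len(prefix):]
            if "/" in key:
                continue  # nested deeper than this namespace
            if key in env:
                # (variable, losing namespace, winning namespace)
                shadowed.append((key, origin[key], prefix))
            env[key] = store[name]  # later namespaces overwrite earlier ones
            origin[key] = prefix
    return env, shadowed


if __name__ == "__main__":
    env, shadowed = resolve("common/dev,myapp/dev", SAMPLE_STORE)
    print(sorted(env))  # names only; the values are secrets
    for key, loser, winner in shadowed:
        print(f"{key}: {winner} overrides {loser}")
```
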
Secretly is meant to have a very specific and lightweight purpose -- to be called from a Dockerfile. Add it to your Dockerfile, chmod +x it, and prefix your CMD or ENTRYPOINT with it -- CMD ["secretly", "run_myawesomeapp.sh"]. Check out the trivial example in example.Dockerfile.
Now:
$ docker build -f example.Dockerfile -t secretly-test .
$ docker run secretly-test | grep BAZ
# nada
$ docker run -e SECRETLY_NAMESPACE=foo/bar secretly-test | grep BAZ
# shit, auth error!
$ docker run -e SECRETLY_NAMESPACE=foo/bar -e AWS_REGION -e AWS_ACCESS_KEY_ID -e AWS_SECRET_ACCESS_KEY secretly-test | grep BAZ
BAZ=mysecretpassword
In ECS, provided you're using AWS IAM roles, the auth params won't be necessary.
$ make test
$ make dist # plops stuff in dist/
$ make clean # cleans out dist
Any tagged commits will be built by Travis and published with artifacts.