secretoenvs (pronounced "secret to envs") is a utility to convert an Environment Variable stored as JSON to key=value format (shell environment variables).
AWS Secrets Manager lets you store and retrieve sensitive values. Many AWS services can already interact with it natively, however using this service with existing daemons can be a little unpleasant, as these daemons often require a file format other than JSON for their settings.
In this way, when it is not possible to use the values retrieved from AWS Secrets in JSON format (standard format of the API response of this service), it is necessary to create string manipulation commands with sed, awk and others to arrive at the desired format.
So I decided to create a small utility (less than 100 lines currently) to make it easy to convert the secrets in JSON format to formats that require each Secret Value on a separate line (like dotenv format).
We can retrieve the secret values and generate a dotenv file with the following command:
secretoenvs -raw-value "$(aws secretsmanager get-secret-value --secret-id arn:aws:secretsmanager:{region}:{account_id}:secret:{secret_id} | jq '.SecretString | fromjson')" > .envWe can retrieve the secret values and generate a configuration file for php-fpm with the following command:
secretoenvs -key-prefix='env[' -key-value-separator='] = ' -raw-value "$(aws secretsmanager get-secret-value --secret-id arn:aws:secretsmanager:{region}:{account_id}:secret:{secret_id} | jq '.SecretString | fromjson')" > /usr/local/etc/php-fpm.d/secrets.confThere are two ways to install:
Through go install
go install github.com/RafaelYon/[email protected]Or downloading a pre-compiled version:
wget https://github.com/RafaelYon/secretoenvs/releases/download/v0.2.0/secretoenvs_linux_amd64 -O ~/bin/secretoenvsAfter getting a binary you can start using it.
This utility has a basic explanation of the arguments and flags that can be specified:
secretoenvs -hOutput:
Usage of secretoenvs [RAW_JSON or ENVIRONMENT_VARIATION_NAME]:
-key-prefix string
Specifies a prefix for each key in the output.
-key-value-separator string
Specifies the characters to use to separate key values (default "=")
-quotation-marks string
Specifies a combination of characters to be placed before and after the ENV value in the output.
-raw-value
Specifies that JSON was passed as an argument. So it is not necessary to specify an ENV as input.
Assumed there is the following ENV with a JSON in your environment:
echo $AWS_SECRETS_JSONOutput:
{"API_HOST":"https://example.com/api","API_KEY":"some secrets value"}
We can convert this JSON to key=value notation with the following statement:
secretoenvs AWS_SECRETS_JSONOutput:
API_HOST=https://example.com/api
API_KEY=some secrets value
Quotes can be specified by adding the following -quotation-mark=\'" flag in front of positional arguments:
secretoenvs -quotation-marks=\' AWS_SECRETS_JSONOutput:
API_HOST='https://example.com/api'
API_KEY='some secrets value'
Prefix in the name of ENVs can be specified by adding the -key-prefix=SOME_PREFIX flag in front of positional arguments:
secretoenvs -key-prefix=AWS_ AWS_SECRETS_JSONOutput:
AWS_API_HOST=https://example.com/api
AWS_API_KEY=some secrets value
The characters used to separate the key from the value can be changed by adding the -key-value-separator=SOME_SEPARATOR flag in front of the positional arguments:
secretoenvs -key-value-separator=': ' AWS_SECRETS_JSONOutput:
API_HOST: https://example.com/api
API_KEY: some secrets value
You can specify a JSON directly:
.secretoenvs -raw-value '{"API_HOST":"https://example.com/api","API_KEY":"some secrets value"}'Output:
API_HOST=https://example.com/api
API_KEY=some secrets value