Skip to content
This repository has been archived by the owner on Sep 8, 2022. It is now read-only.
/ saidumlo Public archive
forked from fishi0x01/saidumlo

🔒 A client site secret management tool primarily designed for ops repos.

License

Notifications You must be signed in to change notification settings

kfzteile24/saidumlo

 
 

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

29 Commits
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 

Repository files navigation

Status

Master branch build status Go Report Card Code Climate Issue Count

SaiDumLo

SaiDumLo aims to be a client site secret management tool primarily designed for local development.

Currently, SaiDumLo only interacts as a wrapper for HashiCorp's vault client. Vault is awesome, but lacks an easy configurable config file to synch your local ops repo with the vault secrets. I always find myself writing and maintaining different Makefile commands for different secrets of different stages (qa/staging/live..). SaiDumLo lets you easily define and manage different secret groups like qa or prod in a single yaml config file. It can also handle dir subtrees through wildcards * and write/read binary data via base64 encoding.

Example .secrets.yml:

---
vaults:
  vaultA:
    default: true
    address: "http://127.0.0.1:8200"
    bin: "my/path/to/vault"
    auth:
      method: "github"
      credential_file: "my/path/to/credentials"

  vaultB:
    address: "https://vault.b.int.company.local:8200"
    bin: "my/path/to/vault"
    auth:
      method: "github"
      credential_file: "my/path/to/credentials"

secrets:
  secretTree:
    lease_ttl: "2h"
    mappings:
    - local: "local/secretTree/*"
      vault: "secret/vaultTree/remote/*"

  binaryData:
    mappings:
    - local: "some/zip/file.zip"
      vault: "secret/file.zip"
      base64: true

  qa:
    lease_ttl: "1h"
    mod: 0600
    mappings:
    - local: "local/path/to/qa-foo"
      vault: "secret/qa/qa-foo"
    - local: "local/path/to/qa-bar"
      vault: "secret/qa/qa-bar"
      mod: 0755

  prod:
    mappings:
    - local: "local/path/to/prod-foo"
      vault: "secret/prod/prod-foo"

SaiDumLo handles reads/writes of your secret groups by using the vault client. Using sdl read qa synchronizes your local qa secrets with the current ones from the default vault (vaultA). sdl -b vaultB write prod writes your local prod secrets to vaultB.

Before reading/writing SaiDumLo authenticates with the vault by using the specified method. In the example .secrets.yml the github method is used, which requires a github auth token from your account. The auth credentials file must contain key/value pairs of the necessary parameters, e.g., for github:

github.credentials.auth:

token=<my-github-token>

For the userpass mechanism it should be:

userpass.credentials.auth:

username=<my-user>
password=<my-password>

Consult the vault auth documentation to see which parameters need to be specified in the credentials file for your auth method.

NOTE: Do not forget to add the auth credential file to your .gitignore!

Build and Test

make verify

Tested with vault 0.7.0 on Ubuntu Trusty.

About

🔒 A client site secret management tool primarily designed for ops repos.

Resources

License

Stars

Watchers

Forks

Packages

No packages published

Languages

  • Go 77.3%
  • Shell 17.0%
  • Makefile 5.5%
  • HCL 0.2%