Project

secrets_cli

0.02
No commit activity in last 3 years
No release in over 3 years
There's a lot of open issues
secrets_cliinfinum/secrets_cliHomepageDocumentationSource CodeBug TrackerWiki
This is a CLI for easier use of https://www.vaultproject.io/
2005
2006
2007
2008
2009
2010
2011
2012
2013
2014
2015
2016
2017
2018
2019
2020
2021
2022
2023
2024
 Popularity
Downloads
183,118
Stars
25
Forks
6
Watchers
11
 Releases
Current version
1.12.3
Total releases
27
First release
2016-02-14
Latest release
2021-09-29
 Issues
Open Issues
7
Closed Issues
9
Total Issues
16
Issue Closure Rate
56%
 Pull Requests
Open Pull Requests
1
Closed Pull Requests
1
Merged Pull Requests
10
Pull Request Acceptance Rate
83%
 Development
Primary Language
Ruby
Licenses
MIT
Average date of last 50 commits
2017-11-08
Reverse Dependencies
1

 Dependencies

Development

pry
>= 0
rspec
>= 0
bundler
>= 0
rake
>= 0

Runtime

commander
>= 0
tty-file
>= 0
tty-prompt
>= 0
vault
~> 0.7
 Project Readme

Gem Version

SecretsCli

This is a CLI for easier use of vault

There is also a mina plugin mina-secrets

Table of contents

  1. Installation
  2. Prerequisites
  3. Usage
    1. Init
    2. Policies
    3. Environments
    4. storage_keys and environments
    5. Read
    6. Edit
    7. Pull
    8. Push
  4. Development
  5. Contributing
  6. License

Installation

Add this line to your application's Gemfile:

gem 'secrets_cli'

And then execute:

$ bundle

Or install it yourself as:

$ gem install secrets_cli

Prerequisites

The following environment variables need to be set:

For vault itself:

VAULT_ADDR   - address to your vault server (can also be set through config)
VAULT_CACERT - if you have a self issued certificate, point this environment variable to the location of the root CA file

For secrets_cli:

VAULT_AUTH_METHOD - this is auth method ('github', 'token', 'app_id' and 'approle' supported for now)
VAULT_AUTH_TOKEN - this is vault auth token
VAULT_AUTH_APP_ID - machine app_id (for app_id auth)
VAULT_AUTH_USER_ID - machine user_id which matches app_id (for app_id auth)
VAULT_AUTH_ROLE_id - machine role_id (for approle auth)
VAULT_AUTH_SECRET_ID - machine secret_id which matches role_id (for approle auth)

For github token you only need read:org permissions.

Usage

All commands have --help with detailed descriptions of options. Some of the commands have --verbose switch which will print out the commands it run.

Init

$ secrets init

This will create .secrets file with project configuration. The command will ask you all it needs to know if you do not supply the config through options.

Example of the .secrets:

---
:secrets_file: config/application.yml   # Required; file where your secrets are kept, depending on your environment gem (figaro, dotenv, etc)
:secrets_storage_key: rails/my_project/ # Required; vault 'storage_key' where your secrets will be kept.
development:                            # Any configuration can be nested under environment
  :vault_addr: https://myvault.com      # Optional; vault url (default: VAULT_ADDR environment variable)

Policies

$ secrets policies

To get all the policies your auth grants please use this command.

Environments

$ secrets list

To get the list of all current environments please use this command.

storage_keys and environments

Next 3 commands read and write to your project storage_key in vault. The value of the storage_key is generated by secrets_storage_key + environment. Example:

  `rails/my_project/development`

Environment is development by default, but it can be overwriten by passing --environment option, or setting RAILS_ENV environment variable.

Read

$ secrets read

This will read development secrets from the vault.

To read secrets from a different environment, use the -e flag:

$ secrets read -e production

Edit

$ secrets edit

This will allow you to edit secrets on the fly. You choose which editor to use by defining an $EDITOR variable, otherwise it will use one of these: mate -w, vim, vi, emacs, nano, pico

The same flags apply for editing as for reading:

$ EDITOR='atom -w' secrets edit -e production

Pull

$ secrets pull

This will pull from vault and write to your secrets file. The deafult file it will pull is the development one.

To pull from a different environment, also supply the -e flag and the -f flag for the file path:

$ secrets pull -e production -f config/application.production.yml

You can also supply the --ci_mode or -y flag to disable prompts and outputs.

Push

$ secrets push

This will push from your secrets file to vault.

The same flags apply for pushing as for pulling:

$ secrets push -e production -f config/application.production.yml

Development

After checking out the storage_key, run bin/setup to install dependencies. Then, run rake spec to run the tests. You can also run bin/console for an interactive prompt that will allow you to experiment.

To install this gem onto your local machine, run bundle exec rake install. To release a new version, update the version number in version.rb, and then run bundle exec rake release, which will create a git tag for the version, push git commits and tags, and push the .gem file to rubygems.org.

Contributing

Bug reports and pull requests are welcome on GitHub at https://github.com/infinum/secrets_cli. This project is intended to be a safe, welcoming space for collaboration, and contributors are expected to adhere to the Contributor Covenant code of conduct.

License

The gem is available as open source under the terms of the MIT License.