A gosu port that loads secrets from various secrets backends into the environment before exec'ing your baby.
Enable providers by setting VEST_PROVIDERS in the environment before running vest.
Available providers: dotenv, ejson, vault, sops (only vault is enabled by default).
Alpine and Ubuntu based docker images are available at quay.io/lumoslabs/vestibule
This project uses goreleaser for building and publishing; see the goreleaser documentation for install instructions.
The Makefile provides these targets:
snapshot: Use goreleaser to make an unpublished snapshot build
release: Use goreleaser to cut and publish a real release
test: Run go tests
test-race: Run go tests with -race
test-memory: Run go tests with -msan
test-all: Run all tests
linux: Use go build to build vestibule for linux
darwin: Use go build to build vestibule for darwin
Usage: vest user-spec command [args]
e.g.: vest myuser bash
vest nobody:root bash -c 'whoami && id'
vest 1000:1 id
Environment Variables:
VEST_DEBUG
Enable debug logging.
VEST_PROVIDERS
Comma separated list of enabled providers. By default only Vault is
enabled. Available providers: [dotenv ejson vault sops]
VEST_UPCASE_VAR_NAMES
Upcase environment variable names gathered from secret providers. Default:
true
VEST_USER
The user [and group] to run the command as. Overrides commandline if set.
e.g. VEST_USER=user[:group]
VEST_VERBOSE
Enable verbose logging.
AWS_PROFILE
AWS profile to use in the shared credentials file. Defaults to "default"
AWS_SHARED_CREDENTIALS_FILE
Path to the AWS shared credentials file to write credentials to. Defaults
to "/var/run/aws/credentials"
GOOGLE_CREDENTIALS_FILE
Path to the GCP service account credentials file to create. Defaults to
"/var/run/gcp/creds.json"
VAULT_*
All vault client configuration environment variables are respected. More
information at
https://www.vaultproject.io/docs/commands/#environment-variables
VAULT_APP_JWT
The jwt for use with OIDC/JWT authentication
VAULT_APP_ROLE
Either the role id for AppRole authentication, or the role name for
Kubernetes authentication.
VAULT_APP_SECRET
The secret id for use with AppRole authentication
VAULT_AUTH_DATA
Data payload to send with authentication request. JSON object.
VAULT_AUTH_METHOD
Authentication method for vault. Default is "kubernetes".
VAULT_AUTH_PATH
Authentication path for vault authentication - e.g. okta/login/:user.
Overrides VAULT_AUTH_METHOD if set.
VAULT_AWS_PATH
Mountpoint for the vault AWS secret engine. Defaults to "aws".
VAULT_AWS_ROLE
Name of the aws role to generate credentials against. If credentials are
returned, the access key and secret key will be injected into the process
environment using the standard environment variables and a credentials
file will be written to the path from AWS_SHARED_CREDENTIALS_FILE (by
default "/var/run/aws/credentials")
VAULT_GCP_CRED_TYPE
GCP credential type to generate. Defaults to key. Accepted values are
[token key]
VAULT_GCP_PATH
Mountpoint for the vault GCP secret engine. Defaults to "gcp".
VAULT_GCP_ROLE
Name of the GCP role in vault to generate credentials against.
VAULT_IAM_ROLE
[DEPRECATED] Name of the aws role to generate credentials against.
VAULT_KV_KEYS
If VAULT_KV_KEYS is set, will iterate over each key (colon separated),
attempting to get the secret from Vault. Secrets are pulled at the
optional version or latest, then injected into Environ. If running in
Kubernetes, the Pod's ServiceAccount token will automatically be looked up
and used for Vault authentication. e.g.
VAULT_KV_KEYS=/path/to/key1[@version]:/path/to/key2[@version]:...
DOTENV_FILES
If DOTENV_FILES is set, will iterate over each file (colon separated), parse and inject
into Environ. If DOTENV_FILES is not set, will look for any .env files in CWD.
e.g. DOTENV_FILES=/path/to/file1:/path/to/file2:...
EJSON_FILES
If EJSON_FILES is set, will iterate over each file (colon separated),
attempting to decrypt using keys from EJSON_KEYS. If EJSON_FILES is not
set, will look for any .ejson files in CWD. Cleartext decrypted json will
be parsed into a map[string]string and injected into Environ. e.g.
EJSON_FILES=/path/to/file1:/path/to/file2:...
EJSON_KEYS
Colon separated list of public/private ejson keys. Public/private keys
separated by semicolon. e.g.
EJSON_KEYS=pubkey1;privkey1:pubkey2;privkey2:...
SOPS_FILES
If SOPS_FILES is set, will iterate over each file (colon separated),
attempting to decrypt with Sops. The decrypted cleartext file can be
optionally written out to a separate location (with optional filemode) or
will be parsed into a map[string]string and injected into Environ e.g.
SOPS_FILES=/path/to/file[;/path/to/output[;mode]]:...
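The VAULT_KV_KEYS, EJSON_KEYS and SOPS_FILES variables above share one shape: a colon separated list whose elements carry optional sub-fields (@version, ;privkey, ;output;mode). The following Go program is an added example, not vestibule's own parser, that splits each format into typed values and rejects the malformed cases a practitioner trips over (a non-numeric version, a lone ejson public key, a sops mode given without an output path). The type and function names and the sample specs in main are assumptions for the illustration.

```go
package main

import (
	"fmt"
	"strconv"
	"strings"
)

// KVKey is one element of VAULT_KV_KEYS: /path/to/key[@version].
// Version 0 means "latest" (no @version given).
type KVKey struct {
	Path    string
	Version int
}

// EJSONKeyPair is one element of EJSON_KEYS: pubkey;privkey.
type EJSONKeyPair struct {
	Public, Private string
}

// SopsFile is one element of SOPS_FILES: /path/to/file[;/path/to/output[;mode]].
// An empty Output means the decrypted values are injected into the environment.
type SopsFile struct {
	Input, Output string
	Mode          uint32 // octal permission bits for Output, 0 when not given
}

// splitList splits a colon separated list, dropping empty elements so an
// unset variable or a trailing ":" yields no entries. Because ":" is the
// separator, none of these formats can express a path containing a colon.
func splitList(spec string) []string {
	var items []string
	for _, s := range strings.Split(spec, ":") {
		if s = strings.TrimSpace(s); s != "" {
			items = append(items, s)
		}
	}
	return items
}

// ParseKVKeys parses VAULT_KV_KEYS. A version must be a positive integer;
// "latest" is expressed by leaving @version off, not by spelling it out.
func ParseKVKeys(spec string) ([]KVKey, error) {
	var keys []KVKey
	for _, item := range splitList(spec) {
		path, ver, hasVer := strings.Cut(item, "@")
		if path == "" {
			return nil, fmt.Errorf("VAULT_KV_KEYS: empty path in %q", item)
		}
		k := KVKey{Path: path}
		if hasVer {
			v, err := strconv.Atoi(ver)
			if err != nil || v < 1 {
				return nil, fmt.Errorf("VAULT_KV_KEYS: bad version %q in %q", ver, item)
			}
			k.Version = v
		}
		keys = append(keys, k)
	}
	return keys, nil
}

// ParseEJSONKeys parses EJSON_KEYS; every element needs both halves.
func ParseEJSONKeys(spec string) ([]EJSONKeyPair, error) {
	var pairs []EJSONKeyPair
	for _, item := range splitList(spec) {
		pub, priv, ok := strings.Cut(item, ";")
		if !ok || pub == "" || priv == "" {
			return nil, fmt.Errorf("EJSON_KEYS: %q is not pubkey;privkey", item)
		}
		pairs = append(pairs, EJSONKeyPair{Public: pub, Private: priv})
	}
	return pairs, nil
}

// ParseSopsFiles parses SOPS_FILES. The mode is read as octal ("0400") and
// only makes sense together with an output path.
func ParseSopsFiles(spec string) ([]SopsFile, error) {
	var files []SopsFile
	for _, item := range splitList(spec) {
		parts := strings.Split(item, ";")
		if len(parts) > 3 || parts[0] == "" {
			return nil, fmt.Errorf("SOPS_FILES: malformed entry %q", item)
		}
		f := SopsFile{Input: parts[0]}
		if len(parts) >= 2 {
			f.Output = parts[1]
		}
		if len(parts) == 3 {
			if f.Output == "" {
				return nil, fmt.Errorf("SOPS_FILES: mode without output path in %q", item)
			}
			m, err := strconv.ParseUint(parts[2], 8, 32)
			if err != nil || m > 0o777 {
				return nil, fmt.Errorf("SOPS_FILES: bad mode %q in %q", parts[2], item)
			}
			f.Mode = uint32(m)
		}
		files = append(files, f)
	}
	return files, nil
}

func main() {
	// Constructed specs in the formats the README documents.
	keys, _ := ParseKVKeys("secret/data/app/db@2:secret/data/app/api")
	pairs, _ := ParseEJSONKeys("pub1;priv1:pub2;priv2")
	files, _ := ParseSopsFiles("/run/secrets/app.yaml;/etc/app/app.yaml;0400:/run/secrets/env.yaml")
	fmt.Printf("%+v\n%+v\n%+v\n", keys, pairs, files)
}
```

Failing closed on a malformed element matters here: a silently dropped @version or mode would fetch a different secret than intended or write the decrypted file with default permissions.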
Sometimes you just need credentials to be on disk, amirite?
If so, you can run bule to write gathered secrets to a given file in a given format.
All provider environment variables from vest are also applicable with bule,
e.g. VAULT_KV_KEYS=secret/db-creds bule /var/secrets/db-creds.json
usage: bule [<flags>] <file>
Write secrets to a file! What could go wrong?
Flags:
-h, --help Show context-sensitive help (also try --help-long and --help-man).
-D, --debug Debug output
-v, --verbose Verbose output
-F, --format=json Format of the output file. Available formats: [dotenv env json toml yaml yml]
-p, --provider=vault ... Secret provider. Can be used multiple times. Available providers: [dotenv ejson vault sops]
--upcase-var-names Upcase environment variable names gathered from secret providers.
--version Show application version.
Args:
<file> Path of output file
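The help text's own question ("What could go wrong?") is mostly answered by file permissions and partial writes. As an added example, not bule's implementation, this Go program renders a map of gathered secrets in dotenv format, applying the --upcase-var-names behaviour and rejecting names that are not valid environment variable names or that collide after upcasing, then writes the result with mode 0600 through a temporary file and rename so no reader ever sees a half-written or world-readable secrets file. The quoting rules, the /tmp/db-creds.env path and the sample values are assumptions for the illustration.

```go
package main

import (
	"fmt"
	"os"
	"path/filepath"
	"regexp"
	"sort"
	"strings"
)

// envName matches what a POSIX shell accepts as a variable name.
var envName = regexp.MustCompile(`^[A-Za-z_][A-Za-z0-9_]*$`)

// dotenvEscape makes a value safe inside double quotes so the file can be
// sourced by a shell: backslash, double quote and dollar are escaped and
// newlines become \n. (Assumed quoting rules for this example.)
var dotenvEscape = strings.NewReplacer(`\`, `\\`, `"`, `\"`, `$`, `\$`, "\n", `\n`)

// RenderDotenv serialises secrets as KEY="value" lines in sorted order.
// upcase mirrors --upcase-var-names; two keys that collide after upcasing
// are rejected instead of one silently overwriting the other.
func RenderDotenv(secrets map[string]string, upcase bool) (string, error) {
	rendered := make(map[string]string, len(secrets))
	for k, v := range secrets {
		if upcase {
			k = strings.ToUpper(k)
		}
		if !envName.MatchString(k) {
			return "", fmt.Errorf("%q is not a valid environment variable name", k)
		}
		if _, dup := rendered[k]; dup {
			return "", fmt.Errorf("variable %q produced by more than one secret key", k)
		}
		rendered[k] = v
	}
	names := make([]string, 0, len(rendered))
	for k := range rendered {
		names = append(names, k)
	}
	sort.Strings(names)
	var b strings.Builder
	for _, k := range names {
		fmt.Fprintf(&b, "%s=\"%s\"\n", k, dotenvEscape.Replace(rendered[k]))
	}
	return b.String(), nil
}

// WriteSecretsFile writes content to path with mode 0600. It goes through a
// temporary file in the same directory and an atomic rename, so a process
// reading the path never observes a partial file, and the temp file is
// removed if anything fails before the rename.
func WriteSecretsFile(path, content string) (err error) {
	tmp, err := os.CreateTemp(filepath.Dir(path), ".secrets-*")
	if err != nil {
		return err
	}
	defer func() {
		if err != nil {
			os.Remove(tmp.Name())
		}
	}()
	if err = tmp.Chmod(0o600); err != nil {
		tmp.Close()
		return err
	}
	if _, err = tmp.WriteString(content); err != nil {
		tmp.Close()
		return err
	}
	if err = tmp.Sync(); err != nil {
		tmp.Close()
		return err
	}
	if err = tmp.Close(); err != nil {
		return err
	}
	return os.Rename(tmp.Name(), path)
}

func main() {
	// Constructed sample secrets, as a provider might have gathered them.
	secrets := map[string]string{
		"db_password": "p@ss\"w$rd\nsecond line",
		"db_host":     "db.internal",
	}
	out, err := RenderDotenv(secrets, true)
	if err != nil {
		fmt.Fprintln(os.Stderr, err)
		os.Exit(1)
	}
	if err := WriteSecretsFile("/tmp/db-creds.env", out); err != nil {
		fmt.Fprintln(os.Stderr, err)
		os.Exit(1)
	}
	fmt.Print(out)
}
```

Writing the temporary file into the destination directory rather than into a shared /tmp keeps the rename on one filesystem and avoids a window where the secrets sit in a world-writable directory under a predictable name.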