exec-with-secrets supports the following services as secrets providers:

• AWS Key Management (KMS)
• AWS Systems Manager Parameter Store (SSM)
• AWS Secrets Manager
• Azure Key Vault

This utility looks for prefixed variables in environment and replaces them with secret values:

• {aws-kms}AQICAHjA3mwbmf... - decrypts the value using AWS KMS
• {aws-ssm}/app/param - loads parameter /app/param from AWS Systems Manager Parameter Store
• {aws-sm}/app/param - loads secret /app/param from AWS Secrets Manager
• {aws-sm}/app/param[prop1] - loads secret /app/param from AWS Secrets Manager and takes prop1 property
• {az-kv}vault/name - loads secret name from Azure Key Vault vault

After decrypting secrets it runs exec system call, replacing itself with your app. The app can simply access decrypted secrets in the environment.

Basic example:

SECRET="{aws-ssm}/my/secret" exec-with-secrets myapp # SECRET value is in myapp environment

Build the example Docker image:

make docker

Run:

docker run -e PARAM="text" -e KMS_PARAM="{aws-kms}c2VjcmV0" exec-with-secrets-example echo $KMS_PARAM

You need to put a real KMS-encrypted value and pass AWS credentials to the container.

• KMS_PARAM will be decrypted and passed to echo as an environment variable
• PARAM will be passed without modifications

You can adapt Dockerfile for your use-case. Use exec-with-secrets just like the regular exec. For example, run a Java application with:

CMD exec-with-secrets java -jar myapp.jar

Note that the decrypted secrets are only visible to your application. docker inspect will show encrypted values

Your container should have appropriate permissions to the secrets provider.

• The default AWS credentials chain is used
• Azure authorizer from environment variables/MSI
• Azure authorizer from configuration file, if the file is set using AZURE_AUTH_LOCATION variable

make builds Linux and Mac binaries with all providers.

To chose providers (for example only AWS SSM), run:

make TAGS=awsssm

See example PR: #1