Remote Secret Editor for AWS Secret Manager

Overview

Barberousse - Remote Secrets Editor


About


A project aimed at avoiding the download of secrets from remote providers (only AWS Secrets Manager is supported for the moment). It opens an editor with the content of the secret readily editable; upon save and exit, the secret is automatically uploaded and a new version is created remotely. This way there is no need for common bad practices such as versioning secrets in a VCS or, worse, storing them on your machine and sending them via Slack :)

Note
This project is at the earliest stage a project can be, i.e. a proof of concept that might or might not develop into a fully fledged project.

Usage

Options

Just like awscli, you can customize the profile and region to use:

OPTIONS:
  -P, --profile <profile>    Use a specific aws profile, overrides config and env settings

  -R, --region <region>      The region where the secret is, overrides config and env settings

These are global options, and can be set anywhere in the command.

Printing

Cat your secret to stdout in a readable format

By default the remote secret is read as JSON and printed as YAML for readability. You can change this behavior by passing the print format, which defines how the secret is formatted for output, and the secret format, which defines the format of the remote secret.

ARGS:
    <secret-id>    The id of the secret to print

FLAGS:
  -n, --no-color    Do not color the output, this behavior is the same as when piping to another program


OPTIONS:
  -p, --print-format <print-format>      The format used to print the secret, if the secret's
                                         format is `text`, this will be ignored and defaults to
                                         `text` too [default: yaml]
                                         [possible values: json, yaml, text]

  -s, --secret-format <secret-format>    The format of the secret's remote storage [default: json]
                                         [possible values: json, yaml, text]

The output is pretty-printed and color-highlighted by default. Disable that by using --print-format=text

  • YAML output (default)

    ❯❯❯ barberousse cat /test/file --print-format yaml
      1 │ ---
      2 │ a: secret
      3 │ another: secret value
  • JSON output

    ❯❯❯ barberousse cat /test/file --print-format json
      1 │ {
      2 │   "a": "secret",
      3 │   "another": "secret value"
      4 │ }
  • JSON output piped to jq

    ❯❯❯ barberousse cat /test/file --print-format json | jq -r '.a'
    secret

How it may look on your terminal: [screenshot: barbcat]

Editing

Allows you to edit a remote secret without saving it on disk (a temp file is created though; a more secure way to handle temp files will come in the future, see #3). You can use different formats to edit your secret (json, yaml, plain text).

ARGS:
  <secret-id>    The id of the secret to edit

OPTIONS:
  -e, --edit-format <edit-format>      The format used to edit the secret, if the secret's
                                       format is `text`, this will be ignored and defaults
                                       to `text` too [default: yaml]
                                       [possible values: json, yaml, text]

  -s, --secret-format <secret-format>  The format of the secret's remote storage [default: json]
                                       [possible values: json, yaml, text]

  --editor <editor>                    Override the default editor, $EDITOR, used for
                                       editing the secret
  • To edit in YAML a JSON secret (default):

    ❯❯❯ barberousse edit /test/file --edit-format yaml --secret-format json
  • To edit in JSON a JSON secret:

    ❯❯❯ barberousse edit /test/file --edit-format json --secret-format json

How it may look on your terminal: [screenshot: barbedit]

Copying

By copying a secret, you can customize each copy for a different use. Use this feature wisely, as it may lead to re-using secrets, which is not a good practice.

ARGS:
  <secret-id>    The id of the secret to copy
  <target-id>    The id of the secret to create

OPTIONS:
  -e, --edit-format <edit-format>      The format used to edit the secret, if the secret's
                                       format is `text`, this will be ignored and defaults
                                       to `text` too [default: yaml]
                                       [possible values: json, yaml, text]

  -s, --secret-format <secret-format>  The format of the secret's remote storage [default: json]
                                       [possible values: json, yaml, text]

  --editor <editor>                    Override the default editor, $EDITOR, used for
                                       editing the secret

  --target-region <target-region>      Use a different region for the target secret
  • To copy a JSON secret and edit it in YAML (default):

    ❯❯❯ barberousse copy /test/file /test/file2
  • To copy a secret from one region to another:

    ❯❯❯ barberousse copy /test/file /test/file2 --region eu-west-1 --target-region eu-west-3

RoadMap

1.0

We’re almost there!

  • ✓ General

    • ✓ Support selecting profiles and regions (env variables are supported though)

  • ✓ Editing

    • ✓ Edit JSON, YAML, text

    • ✓ Edit JSON using YAML (default behavior)

    • ✓ Edit <format> using <another format>

    • ✓ Create the secret if it does not exist

    • ✓ Custom editor selection, pass --editor

  • ✓ Printing

    • ✓ Cat the content of a secret in one or many other formats

  • ✓ Copy

    • ✓ Duplicate a secret (and open an editor before saving the copy)

    • ✓ Support cross region

1.1

Some extra features to edit non-content information. This should be more of an interactive process overall; otherwise it would not make sense to have them, as the aws cli already provides a good API to do exactly that.

  • Edit secret’s metadata (description and KMS key): replaces the update-secret --description "" --kms-key-id ""

  • Print secret’s metadata

Future

Open to suggestions!


Comments
  • Parse editor by spaces

    On my machine I am using code --wait as my EDITOR env variable.

    If I want to edit a secret with barberousse edit mysecret, it's failing, because in the Command::new(args[0]) section Rust searches for a file named code --wait to execute, but that's not a file; code is.

    Because of it I added some logic to parse the EDITOR variable by spaces and apply them as args.

    opened by TheYkk 2
  • Securely store the tempfiles

    The temp file should not be stored in /tmp/ as this is not a good & secure practice when using a shared computer: https://github.com/zeapo/barberousse/blob/2f1f81c2abc3360c44778c0fb58411506577d7f3/src/edit.rs#L52-L55

    An idea would be to use /dev/shm, create a temp folder in it with permissions 600 and create the temp files in there.

    enhancement
    opened by zeapo 0
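What the two issues above (and the temp-file caveat in the Editing section) ask for, as an added example that is not barberousse's own code: the EDITOR value is split on whitespace so `code --wait` becomes a program plus an argument, and the scratch file is created with create_new (O_EXCL) and mode 0600 inside a fresh 0700 directory under a caller-chosen base, which would be /dev/shm as the issue suggests. The names editor_command, private_tempfile, discard and mode_bits are the example's own, not the project's API.

```rust
// Added example, not barberousse's own code: EDITOR splitting and a private
// scratch file for the edit step. Function names are the example's own.
use std::fs::{self, DirBuilder, OpenOptions};
use std::io;
use std::os::unix::fs::{DirBuilderExt, OpenOptionsExt, PermissionsExt};
use std::path::{Path, PathBuf};
use std::process::Command;
use std::time::{SystemTime, UNIX_EPOCH};

/// Split an $EDITOR value such as `code --wait` on whitespace: the first token
/// is the program, the rest are its arguments, and the file to edit goes last.
/// Returns None for a blank value so the caller can fall back to a default.
pub fn editor_command(editor: &str, file: &Path) -> Option<Command> {
    let mut parts = editor.split_whitespace();
    let program = parts.next()?;
    let mut cmd = Command::new(program);
    cmd.args(parts).arg(file);
    Some(cmd)
}

/// Create a fresh directory (mode 0700) under `base` and an empty file inside
/// it (mode 0600, create_new so a pre-existing file is never reused).
/// Pass /dev/shm as `base` to keep the secret off persistent storage.
pub fn private_tempfile(base: &Path) -> io::Result<PathBuf> {
    // pid + nanosecond timestamp make the directory name unique per run
    let nonce = SystemTime::now().duration_since(UNIX_EPOCH).map(|d| d.as_nanos()).unwrap_or(0);
    let dir = base.join(format!("barb-{}-{}", std::process::id(), nonce));
    DirBuilder::new().mode(0o700).create(&dir)?; // errors if the dir exists
    let file = dir.join("secret");
    OpenOptions::new().write(true).create_new(true).mode(0o600).open(&file)?;
    Ok(file)
}

/// Remove the scratch directory (and the secret in it) once the editor exits.
pub fn discard(file: &Path) -> io::Result<()> {
    let dir = file
        .parent()
        .ok_or_else(|| io::Error::new(io::ErrorKind::InvalidInput, "no parent dir"))?;
    fs::remove_dir_all(dir)
}

/// Permission bits (owner/group/other rwx) of a path, for verification.
pub fn mode_bits(p: &Path) -> io::Result<u32> {
    Ok(fs::metadata(p)?.permissions().mode() & 0o777)
}
```

Run the editor with `editor_command(&env::var("EDITOR")?, &file)?.status()` and call `discard(&file)` afterwards regardless of the exit status.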
Releases(0.2.0)
Owner
Mohamed Zenadi
Software Engineer @WattSense