Envinject
Optionally inject variables into an environment structure that allows
reading like a 12 factor app, but without making the parameters available
via docker inspect. This allows injecting secrets without making it super
easy to obtain the secrets from the command line.
Currently supports
pulling AWS SSM Parameters with a given prefix into the environment.
The goal is to be able to write code that can get its configuration from
the environment, with the values in the environment potentially injected
with values from some configuration store like the AWS SSM Parameter
store.
Usage
For pass through use, simply instantiate InjectEnv with an empty
AWS_PARAM_STORE_PATH and use the methods on the InjectEnv type to read
configuration set as environment variables. This is useful
when using a container workflow that does not include the use of
AWS services.
To read parameter store variables, store the variables using a
prefix in front of each environment variable name (which serves as
a namespace or environment tag), set AWS_PARAM_STORE_PATH
to the prefix, and run your app reading environment config via the
InjectEnv type methods. You'll need to configure your
environment to pick up AWS credentials, which is done in the usual
way.
Note that parameter store variables are stored in InjectEnv without
the prefix. For example, if the code needs an environment variable
P1, and the environment the code run in tags variables with the
demo prefix (and uses demo for AWS_PARAM_STORE_PATH), then
P1 is made available via InjectEnv Getenv("P1").
Note that only the parameter store variables with the matching prefix
are made available by the InjectEnv instance. All others are ignore.
This allows using fine grained key management to assign different
IAM service roles to different components (if desired) to keep one
component from reading another component's secret config.
To illustrate how this works for tasks run on an ECS cluster, a
sample is provided. Built the sample via the provided Makefile, or just
use the image that has been pushed it docker.io as xtracdev/dumpos.
To run the sample locally, use the docker command line to inject
command line arguments, e.g.
docker run -e AWS_PARAM_STORE_PATH=inttest- \
-e AWS_REGION=us-east-1 \
-e AWS_ACCESS_KEY_ID= \
-e AWS_SECRET_ACCESS_KEY= \
xtracdev/dumpos:latest
Note that you can run the sample to use the local environment as well:
docker run \
-e FOO=fooval \
-e BAR=barval \
-e BAZ=yes-its-bazval \
xtracdev/dumpos:latest
To run the sample on ECS, some set up is required. First, if the log group
named in the task definition template is used, create it before running
the task, e.g.
aws logs create-log-group --log-group-name ecs-tasks
Next, you will need to create a role and some associated policies.
First you can create the role with the baseline assume role policy
document:
aws iam create-role --role-name dumpos --assume-role-policy-document file://ecs-tasks-trust-policy.json
Next, create a policy document that grants access to the parameters, and permissions to
access the decryption key used to decrypt the secret parameters. Customize the
params-access-template.json with your account number and rename it as shown in the
command below.
aws iam create-policy --policy-name config-params --policy-document file://param-access.json
Next, attach the above policy to the role you created:
aws iam attach-role-policy --role-name dumpos --policy-arn "arn:aws:iam::<account-id>:policy/config-params"
Next, seed some values to make the demo more interesting, e.g.
aws ssm put-parameter --name /myapp/test/PARAM1 --value 'Param 1 Value' --type String
aws ssm put-parameter --name /myapp/test/PARAM2 --value 'Param 2 Value' --type String
aws ssm put-parameter --name /myapp/test/PARAM3 --value 'Param 3 Value' --type String
aws ssm put-parameter --name /myapp/test/PARAM4 --value 'Param 4 Value' --type String
aws ssm put-parameter --name /myapp/test/PARAM5 --value 'Param 5 Value' --type String
For grins, create an encryption key, and store and encrypted parameter:
aws kms create-key --description sample-key
aws ssm put-parameter --name /myapp/test/my_secret --value 'loose lips sink ships' --type SecureString --key-id
Copy the task definition template and customize it for your setup. Minimally
you will have to provide your own account number. When the task definition is complete,
load the definition.
aws ecs register-task-definition --cli-input-json file://$PWD/taskdef.json
You can the run your task
aws ecs run-task --cluster DemoCluster --task-definition dumpos
You should see the parameter values created above in the log output.
time="2017-04-14T04:41:00Z" level=info msg="Looking for parameters starting with sample."
time="2017-04-14T04:41:00Z" level=info msg="Create AWS session"
time="2017-04-14T04:41:00Z" level=info msg="skipping dev.p1"
time="2017-04-14T04:41:00Z" level=info msg="skipping prod.p1"
time="2017-04-14T04:41:00Z" level=info msg="Injecting sample.1 as 1"
time="2017-04-14T04:41:00Z" level=info msg="Injecting sample.10 as 10"
time="2017-04-14T04:41:00Z" level=info msg="Injecting sample.11 as 11"
time="2017-04-14T04:41:00Z" level=info msg="Injecting sample.12 as 12"
time="2017-04-14T04:41:00Z" level=info msg="Injecting sample.13 as 13"
time="2017-04-14T04:41:00Z" level=info msg="Injecting sample.14 as 14"
time="2017-04-14T04:41:00Z" level=info msg="Injecting sample.15 as 15"
time="2017-04-14T04:41:00Z" level=info msg="Injecting sample.16 as 16"
time="2017-04-14T04:41:00Z" level=info msg="Injecting sample.17 as 17"
time="2017-04-14T04:41:00Z" level=info msg="Injecting sample.18 as 18"
time="2017-04-14T04:41:00Z" level=info msg="Injecting sample.19 as 19"
time="2017-04-14T04:41:00Z" level=info msg="Injecting sample.2 as 2"
time="2017-04-14T04:41:00Z" level=info msg="Injecting sample.20 as 20"
time="2017-04-14T04:41:00Z" level=info msg="Injecting sample.21 as 21"
time="2017-04-14T04:41:00Z" level=info msg="Injecting sample.22 as 22"
time="2017-04-14T04:41:00Z" level=info msg="Injecting sample.23 as 23"
time="2017-04-14T04:41:00Z" level=info msg="Injecting sample.24 as 24"
time="2017-04-14T04:41:00Z" level=info msg="Injecting sample.25 as 25"
time="2017-04-14T04:41:00Z" level=info msg="Injecting sample.3 as 3"
time="2017-04-14T04:41:00Z" level=info msg="Injecting sample.4 as 4"
time="2017-04-14T04:41:00Z" level=info msg="Injecting sample.5 as 5"
time="2017-04-14T04:41:00Z" level=info msg="Injecting sample.6 as 6"
time="2017-04-14T04:41:00Z" level=info msg="Injecting sample.7 as 7"
time="2017-04-14T04:41:00Z" level=info msg="Injecting sample.8 as 8"
time="2017-04-14T04:41:00Z" level=info msg="Injecting sample.9 as 9"
time="2017-04-14T04:41:00Z" level=info msg="Injecting sample.PARAM4 as PARAM4"
time="2017-04-14T04:41:00Z" level=info msg="Injecting sample.PARAM5 as PARAM5"
time="2017-04-14T04:41:00Z" level=info msg="Injecting sample.my_secret as my_secret"
time="2017-04-14T04:41:00Z" level=info msg="HOSTNAME=0dba3fee938f"
time="2017-04-14T04:41:00Z" level=info msg="PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"
time="2017-04-14T04:41:00Z" level=info msg="AWS_PARAM_STORE_PATH=sample."
time="2017-04-14T04:41:00Z" level=info msg="AWS_REGION=eu-west-1"
time="2017-04-14T04:41:00Z" level=info msg="AWS_CONTAINER_CREDENTIALS_RELATIVE_URI=/v2/credentials/976dde59-36c8-4898-b362-e291d3eba9f3"
time="2017-04-14T04:41:00Z" level=info msg="HOME=/"
time="2017-04-14T04:41:00Z" level=info msg="1=Value1"
time="2017-04-14T04:41:00Z" level=info msg="10=Value10"
time="2017-04-14T04:41:00Z" level=info msg="11=Value11"
time="2017-04-14T04:41:00Z" level=info msg="12=Value12"
time="2017-04-14T04:41:00Z" level=info msg="13=Value13"
time="2017-04-14T04:41:00Z" level=info msg="14=Value14"
time="2017-04-14T04:41:00Z" level=info msg="15=Value15"
time="2017-04-14T04:41:00Z" level=info msg="16=Value16"
time="2017-04-14T04:41:00Z" level=info msg="17=Value17"
time="2017-04-14T04:41:00Z" level=info msg="18=Value18"
time="2017-04-14T04:41:00Z" level=info msg="19=Value19"
time="2017-04-14T04:41:00Z" level=info msg="2=Value2"
time="2017-04-14T04:41:00Z" level=info msg="20=Value20"
time="2017-04-14T04:41:00Z" level=info msg="21=Value21"
time="2017-04-14T04:41:00Z" level=info msg="22=Value22"
time="2017-04-14T04:41:00Z" level=info msg="23=Value23"
time="2017-04-14T04:41:00Z" level=info msg="24=Value24"
time="2017-04-14T04:41:00Z" level=info msg="25=Value25"
time="2017-04-14T04:41:00Z" level=info msg="3=Value3"
time="2017-04-14T04:41:00Z" level=info msg="4=Value4"
time="2017-04-14T04:41:00Z" level=info msg="5=Value5"
time="2017-04-14T04:41:00Z" level=info msg="6=Value6"
time="2017-04-14T04:41:00Z" level=info msg="7=Value7"
time="2017-04-14T04:41:00Z" level=info msg="8=Value8"
time="2017-04-14T04:41:00Z" level=info msg="9=Value9"
time="2017-04-14T04:41:00Z" level=info msg="PARAM4=Param 4 Value"
time="2017-04-14T04:41:00Z" level=info msg="PARAM5=Param 5 Value"
time="2017-04-14T04:41:00Z" level=info msg="my_secret=loose lips sink ships"
Note the decrypted read of sample.my_secret.
Notes
Your base container needs to have the right CA certs to allow AWS services
to be called. Consider using scratchy
for golang images, which is the scratch image plus CA certs.
Contributing
To contribute, you must certify you agree with the Developer Certificate of Origin
by signing your commits via git -s
. To create a signature, configure your user name and email address in git.
Sign with your real name, do not use pseudonyms or submit anonymous commits.
In terms of workflow:
- For significant changes or improvement, create an issue before commencing work.
- Fork the respository, and create a branch for your edits.
- Add tests that cover your changes, unit tests for smaller changes, acceptance test
for more significant functionality.
- Run gofmt on each file you change before committing your changes.
- Run golint on each file you change before committing your changes.
- Make sure all the tests pass before committing your changes.
- Commit your changes and issue a pull request.
License
(c) 2017 Fidelity Investments
Licensed under the Apache License, Version 2.0