Readme
Barberousse - Remote Secrets Editor
:toc:
:toc-title:
About
A project aimed to avoid downloading secrets from remote providers (support only AWS Secret Manager for the moment).
Opens an editor with the content of the secret readily editable, upon save & exit, the secret is automatically uploaded
and a new version created remotely. This way, no need to use common bad-practices such as versionning secrets in a VCS
or worst, storing them on your machine and sending them via slack :)
NOTE: This project is at its earliest stage a project can be, i.e. a proof of concept that might or not develop into a full
fledged project.
Usage
Options
Just like awscli, you can customize the profile and region to use:
....
OPTIONS:
-P, --profile Use a specific aws profile, overrides config and env settings
-R, --region The region where the secret is, overrides config and env settings
....
These are global options, and can be set anywhere in the command.
Printing
Cat your secret in a nice format into stdout
By default the remote secret is read as a json secret and printed in yaml for ease of read. However, you can customize
this behavior to your choosing by passing the print format defining how you want your secrets to be formatted, and
secret format defining the format of the remote secret.
....
ARGS:
The id of the secret to print
FLAGS:
-n, --no-color Do not color the output, this behavior is the same as when piping to another program
OPTIONS:
-p, --print-format The format used to print the secret, if the secret's
format is text , this will be ignored and defaults to
text too [default: yaml]
[possible values: json, yaml, text]
-s, --secret-format The format of the secret's remote storage [default: json]
[possible values: json, yaml, text]
....
The output is pretty-printed, and color highlighted by default. Disable that by using --print -format =text
❯❯❯ barberousse cat /test/file --print-format yaml
1 │ ---
2 │ a: secret
3 │ another: secret value
❯❯❯ barberousse cat /test/file --print-format json
1 │ {
2 │ "a": "secret",
3 │ "another": "secret value"
4 │ }
❯❯❯ barberousse cat /test/file --print-format json | jq -r '.a'
secret
How it may look like on your terminal:
Editing
Allows you to edit a remote secret without saving it on disk (a temp file is created though... a more secure way to
handle temp files will come in the future, see #3). You can use different formats to edit your secret (json, yaml, plain text).
....
ARGS:
The id of the secret to edit
OPTIONS:
-e, --edit-format The format used to edit the secret, if the secret's
format is text , this will be ignored and defaults
to text too [default: yaml]
[possible values: json, yaml, text]
-s, --secret-format The format of the secret's remote storage [default: json]
[possible values: json, yaml, text]
--editor Override the default editor, $EDITOR, used for
editing the secret
....
To edit in YAML a JSON secret (default):
❯❯❯ barberousse edit /test/file --edit-format yaml --secret-format json
To edit in JSON a JSON secret:
❯❯❯ barberousse edit /test/file --edit-format json --secret-format json
How it may look like on your terminal:
Copying
By copying a secret, you can customize them for different usage. Use this feature wisely as it may lead to re-using
the secrets and this is not a good practice.
....
ARGS:
The id of the secret to copy
The id of the secret to create
OPTIONS:
-e, --edit-format The format used to edit the secret, if the secret's
format is text , this will be ignored and defaults
to text too [default: yaml]
[possible values: json, yaml, text]
-s, --secret-format The format of the secret's remote storage [default: json]
[possible values: json, yaml, text]
--editor Override the default editor, $EDITOR, used for
editing the secret
--target-region Use a different region for the target secret
....
To copy a JSON secret and edit it in YAML (default):
❯❯❯ barberousse copy /test/file /test/file2
To copy a secret from one region to another:
❯❯❯ barberousse copy /test/file /test/file2 --region eu-west-1 --target-region eu-west-3
RoadMap
1.0
We're almost there!
1.1
Some extra features to edit non-content info. This should be more an interactive
process overall otherwise it would not make sense to have them as the aws cli
already provides a good api to do exactly that.
Edit secret's metadata (description and KMS key): replaces the update- secret - - description " " - - kms- key- id " "
Print secret's metadata
Future
Open to suggestions!