• Stars
    star
    687
  • Rank 65,799 (Top 2 %)
  • Language
    Go
  • License
    MIT License
  • Created over 9 years ago
  • Updated about 1 year ago

Reviews

There are no reviews yet. Be the first to send feedback to the community and the maintainers!

Repository Details

CLI that provides on-demand secrets access for common DevOps tools

summon

GitHub release

Github commits (since latest release)


summon is a command-line tool to make working with secrets easier.

It provides an interface for

  • Reading a secrets.yml file
  • Fetching secrets from a trusted store
  • Exporting secret values to a sub-process environment

Install

Note installing summon alone is not sufficient; you need to also install a provider of your choice before it's ready for use.

Pre-built binaries and packages are available from GitHub releases here.

Using Summon with Conjur Open Source

Are you using this project with Conjur Open Source? Then we strongly recommend choosing the version of this project to use from the latest Conjur OSS suite release. Conjur maintainers perform additional testing on the suite release versions to ensure compatibility. When possible, upgrade your Conjur version to match the latest suite release; when using integrations, choose the latest suite release that matches your Conjur version. For any questions, please contact us on Discourse.

Homebrew

brew tap cyberark/tools
brew install summon

Linux (Debian and Red Hat flavors)

deb and rpm files are attached to new releases. These can be installed with dpkg -i summon_v*.deb and rpm -ivh summon_v*.rpm, respectively.

Auto Install

Note Check the release notes and select an appropriate release to ensure support for your version of Conjur.

Use the auto-install script. This will install the latest version of summon. The script requires sudo to place summon in /usr/local/bin.

curl -sSL https://raw.githubusercontent.com/cyberark/summon/main/install.sh | bash

Manual Install

Otherwise, download the latest release and extract it to /usr/local/bin/summon.

Usage

By default, summon will look for secrets.yml in the directory it is called from and export the secret values to the environment of the command it wraps.

Example

You want to run a script that requires AWS keys to list your EC2 instances.

Define your keys in a secrets.yml file

AWS_ACCESS_KEY_ID: !var aws/iam/user/robot/access_key_id
AWS_SECRET_ACCESS_KEY: !var aws/iam/user/robot/secret_access_key

The script uses the Python library boto, which looks for AWS_ACCESS_KEY_ID and AWS_SECRET_ACCESS_KEY in the environment.

import boto
botoEC2 = boto.connect_ec2()
print(botoEC2.get_all_instances())

Wrap the Python script in summon:

summon python listEC2.py

python listEC2.py is the command that summon wraps. Once the Python program exits, the secrets stored in temp files and in the Python process environment are gone.

secrets.yml Flags

Currently, you can define how the value of a variable will be processed using YAML tags. Multiple tags can be defined per variable by spearating them with :. By default, values are resolved as literal values.

  • !file: Resolves the variable value, places it into a tempfile, and returns the path to that file.
  • !var: Resolves the value as a variable ID from the provider.
  • !str: Resolves the value as a literal (default).
  • !default='<value>': If the value resolution returns an empty string, use this literal value instead for it.

Examples

# Resolved summon-env string (eg. `production/sentry/api_key`) is sent to the provider
# and the value returned is saved in the variable.
API_KEY: !var $env/sentry/api_key

# Resolved summon-env string (eg. `production/aws/ec2/private_key`) is sent to the provider.
# The returned value is put into a tempfile and the path for that file is saved in the
# variable.
API_KEY_PATH: !file:var $env/aws/ec2/private_key

# Literal value `my content` is saved into a tempfile and the path for that file is saved
# in the variable.
SECRET_DATA: !file my content

# Resolved summon-env string (eg. `production/sentry/api_user`) is sent to the provider.
# The returned value is put into a tempfile. If the value from the provider is an empty
# string then the default value (`admin`) is put into that tempfile. The path to that
# tempfile is saved in the variable.
API_USER: !var:default='admin':file $env/sentry/api_user

Default values

Default values can be set by using the default='yourdefaultvalue' as an addtional tag on the variable:

VARIABLE_WITH_DEFAULT: !var:default='defaultvalue' path/to/variable

Flags

summon supports a number of flags.

  • -p, --provider <path-to-provider> specify the path to the provider summon should use.

    If you do not provide Summon with the full path to the provider, Summon will look for the named executable in the directory defined by the SUMMON_PROVIDER_PATH environment variable. If this environment variable is not set, Summon will look by default at /usr/local/lib/summon on Linux / Mac or %ProgramW6432%\Cyberark Conjur\Summon\Providers on Windows.

  • -f <path> specify a location to a secrets.yml file, default 'secrets.yml' in current directory.

  • --up searches for secrets.yml going up, starting from the current working directory.

    Stops at the first file found or when the root of the current file system is reached. This allows to be at any directory depth in a project and simply do summon -u <command>.

  • -D 'var=value' causes substitution of value to $var.

    You can use the same secrets.yml file for different environments, using -D to substitute variables. This flag can be used multiple times.

    Example

    summon -D ENV=production --yaml 'SQL_PASSWORD: !var env/$ENV/db-password' deploy.sh
    
  • --yaml <YAML-string> Passes secrets.yml as a literal string.

    This flag is used to pass a literal YAML string to the provider in place of the secrets.yml file (see example above).

  • -i, --ignore <path-to-provider> A secret path for which to ignore provider errors.

    This flag can be useful for when you have secrets that you don't need access to for development. For example API keys for monitoring tools. This flag can be used multiple times.

  • -I, --ignore-all A boolean to ignore any missing secret paths.

    This flag can be useful when the underlying system that's going to be using the values implements defaults. For example, when using summon as a bridge to confd.

  • -V, --all-provider-versions List of all of the providers in the default path and their versions (if they have the --version tag).

  • -v, --version Print the Summon version.

  • -e, --environment Specify section (environment) to parse from secret YAML.

    This flag specifies which specific environment/section to parse from the secrets YAML file (or string). In addition, it will also enable the usage of a common (or default) section which will be inherited by other sections/environments. In other words, if your secrets.yaml looks something like this:

common:
  DB_USER: db-user
  DB_NAME: db-name
  DB_HOST: db-host.example.com

staging:
  DB_PASS: some_password

production:
  DB_PASS: other_password

Doing something along the lines of: summon -f secrets.yaml -e staging printenv | grep DB_, summon will populate DB_USER, DB_NAME, DB_HOST with values from common and set DB_PASS to some_password.

Note: default is an alias for common section. You can use either one.

  • -h View help and all flags.

env-file

Using Docker? When you run summon it also exports the variables and values from secrets.yml in VAR=VAL format to a memory-mapped file, its path made available as @SUMMONENVFILE.

You can then pass secrets to your container using Docker's --env-file flag like so:

summon docker run --env-file @SUMMONENVFILE myorg/myimage

This file is created on demand - only when @SUMMONENVFILE appears in the arguments of the command summon is wrapping. This feature is not Docker-specific; if you have another tools that reads variables in VAR=VAL format you can use @SUMMONENVFILE just the same.

Fixed tempfile name

There are times when you would like to have certain secrets values available at fixed locations, e.g. /etc/ssl/cert.pem for an SSL certificate. This can be accomplished by using symbolic links as described in the symbolic link example.

Contributing

For more info on contributing, please see CONTRIBUTING.md.

Troubleshooting

For assistance with some issues encountered when first using Summon, please refer to the troubleshooting guide in CONTRIBUTING.md.

Can't find your problem in the troubleshooting guide? File an issue or ask us on Discourse.

License

Copyright (c) 2020 CyberArk Software Ltd. All rights reserved.

Summon is available under the MIT License.

More Repositories

1

KubiScan

A tool to scan Kubernetes cluster for risky permissions
Python
1,310
star
2

SkyArk

SkyArk helps to discover, assess and secure the most privileged entities in Azure and AWS
PowerShell
862
star
3

ACLight

A script for advanced discovery of Privileged Accounts - includes Shadow Admins
PowerShell
783
star
4

conjur

CyberArk Conjur automatically secures secrets used by privileged users and machine identities
Ruby
760
star
5

kubeletctl

A client for kubelet
Go
730
star
6

bash-lib

Library for bash utility methods and tools
Shell
656
star
7

PipeViewer

A tool that shows detailed information about named pipes in Windows
C#
551
star
8

DLLSpy

DLL Hijacking Detection Tool
C++
481
star
9

zBang

zBang is a risk assessment tool that detects potential privileged account threats
C#
332
star
10

shimit

A tool that implements the Golden SAML attack
Python
331
star
11

RPCMon

RPC Monitor tool based on Event Tracing for Windows
C#
317
star
12

Evasor

A tool to be used in post exploitation phase for blue and red teams to bypass APPLICATIONCONTROL policies
C#
309
star
13

BlobHunter

Find exposed data in Azure with this public blob scanner
Python
306
star
14

RiskySPN

Detect and abuse risky SPNs
PowerShell
258
star
15

secretless-broker

Secure your apps by making them Secretless
Go
234
star
16

White-Phoenix

A tool to recover content from files encrypted with intermittent encryption
Python
218
star
17

kubernetes-rbac-audit

Tool for auditing RBACs in Kubernetes
Python
215
star
18

MITM_Intercept

A little bit less hackish way to intercept and modify non-HTTP protocols through Burp & others.
Python
201
star
19

epv-api-scripts

These API scripts enable CyberArk users to automate privileged account management task like account creation, user management, and more.
PowerShell
197
star
20

ketshash

A little tool for detecting suspicious privileged NTLM connections, in particular Pass-The-Hash attack, based on event viewer logs.
PowerShell
168
star
21

rdpfuzz

Tools for fuzzing RDP
C
122
star
22

SkyWrapper

SkyWrapper helps to discover suspicious creation forms and uses of temporary tokens in AWS
Python
104
star
23

EasyPeasy

Find accounts using common and default passwords in Active Directory.
PowerShell
65
star
24

pas-on-cloud

CyberArk Privileged Access Security on Cloud
Python
60
star
25

ansible-security-automation-collection

CyberArk Ansible Security Automation Collection
Python
60
star
26

CYBRHardeningCheck

A utility to check CyberArk component servers hardening status
PowerShell
53
star
27

summon-aws-secrets

Summon provider for AWS Secrets Manager
Go
52
star
28

cyberark-aws-auto-onboarding

Solutions for automatically detecting, managing and securing privileged accounts in AWS EC2
Python
40
star
29

pas-orchestrator

CyberArk Privileged Access Security automatic deployment using Ansible
Python
38
star
30

summon-conjur

CyberArk Conjur provider for Summon
Go
38
star
31

ansible-modules

Ansible Modules for CyberArk Privileged Account Security Web Service SDK
Python
37
star
32

conjur-quickstart

Start securing your secrets and infrastructure by installing Conjur, using Docker and the official Conjur containers on DockerHub.
Shell
33
star
33

malware-research

C++
33
star
34

Fuzzer-V

C
30
star
35

sidecar-injector

Sidecar Injector for the Conjur Kubernetes Authenticator and Secretless
Go
29
star
36

ChattyCaty

JavaScript
28
star
37

conjur-oss-helm-chart

Helm chart for deploying Conjur OSS to Kubernetes
Shell
27
star
38

secrets-provider-for-k8s

Cyberark secrets provider for k8s
Go
26
star
39

PwnKit-Hunter

PwnKit-Hunter is here to help you check if your systems are vulnerable to CVE-2021-4043, a.k.a. PwnKit
Python
25
star
40

PreCog

Discover "HotSpots" - potential spots for credentials theft
PowerShell
23
star
41

terraform-provider-conjur

Terraform provider for Conjur
Shell
21
star
42

pvwa

Ansible role to deploy Cyberark Password Vault Web Access
Jinja
20
star
43

conjur-api-go

Go client for the CyberArk Conjur API
Go
20
star
44

slosilo

A Ruby interface to standard cryptographic primitives
Ruby
17
star
45

password-lookup-plugin

cyberarkpassword Lookup Plugin
17
star
46

cyberark-conjur-cli

CyberArk Conjur command line interface written in Python
Python
17
star
47

psm

Ansible role to deploy Cyberark Privileged Session Manager
PowerShell
16
star
48

conjur-template

Template repo for Conjur repositories
16
star
49

conjur-api-java

Java client for the CyberArk Conjur API
Java
15
star
50

summon-keyring

Cross-platform provider for Summon that talks to keyrings.
Python
15
star
51

cpm

Ansible role to deploy Cyberark Central Policy Manager
PowerShell
15
star
52

conjur-api-dotnet

.NET client for the CyberArk Conjur API
C#
15
star
53

cyberark-conjur-cli-docker-based

CyberArk Conjur command line interface (Ruby)
Ruby
15
star
54

parse-a-changelog

A validator for changelogs using the Keep a Changelog standard (http://keepachangelog.com)
Ruby
15
star
55

ansible-aim-provider

Ansible Galaxy Role to install and uninstall Cyberark AIM provider
14
star
56

kubernetes-conjur-deploy

Scripts for deploying DAP followers to Kubernetes and OpenShift given an existing DAP master cluster
Shell
14
star
57

Symda

Python
13
star
58

summon-s3

AWS S3 provider for Summon
Shell
13
star
59

KDSnap

C++
12
star
60

ansible-role-conjur

Grants Conjur machine identity to hosts
Python
12
star
61

conjur-credentials-plugin

Conjur plugin for securely providing credentials to Jenkins jobs
Java
12
star
62

conjur-openapi-spec

OpenAPI v3 specification for Conjur / DAP v10+
Mustache
11
star
63

conjur-authn-k8s-client

Authentication sidecar for Conjur Kubernetes integration.
Shell
11
star
64

dev-flow

Opinionated CLI that standardizes and automates common development tasks
Go
11
star
65

ark-sdk-python

CyberArk's Official SDK and CLI - https://cyberark.github.io/ark-sdk-python/
Python
10
star
66

ansible-conjur-host-identity

This project encapsulates the functionality of our `cyberark.conjur-host-identity role for Ansible
Shell
8
star
67

conjur-api-python

Python client for the CyberArk Conjur API
Python
8
star
68

conjur-oss-suite-release

Under development - Latest stable releases of the Conjur OSS suite
Go
7
star
69

community

Information for the CyberArk contributor community
7
star
70

cyberark-aim-chef

Chef custom resource for CyberArk AIM
Ruby
7
star
71

homebrew-tools

Homebrew formulas for different CyberArk tooling.
Shell
7
star
72

cacookiecleaner

C#
7
star
73

conjur-policy-generator

Tools to create sample Conjur policies for testing, etc.
Ruby
7
star
74

atyourservice

The atyourservice project is intended to provide highly-customizable utilities for troubleshooting issues.
Python
7
star
75

identity-aws-verified-permissions-demo

Python
7
star
76

summon-chefapi

Summon provider for Chef encrypted data bags
Go
6
star
77

conjur-puppet

Official Puppet module for CyberArk Conjur
Ruby
6
star
78

sample-siem-dashboards

6
star
79

escape-the-cloud

Web Application for CyberArk Cloud Escape Room CTF challenge
JavaScript
5
star
80

helm-charts

CyberArk Helm charts repository.
Shell
5
star
81

psmp-deploy-ansible-role

Ansible role to deploy Cyberark Privileged Session Manager SSH Proxy (PSM-SSH)
Shell
5
star
82

ansible-conjur-collection

Ansible Collection for Conjur
Python
5
star
83

conjur-spring-boot-sdk

Java
5
star
84

SafeNet

5
star
85

conjur-azure-devops-extension

Azure DevOps Extension for retrieving secrets from CyberArk Conjur
JavaScript
5
star
86

conjur-api-ruby

Ruby client for the CyberArk Conjur API
Ruby
4
star
87

conjur-base-image

Base Docker images for CyberArk Conjur
Shell
4
star
88

conjur-cli-go

CyberArk Conjur command line interface (Go)
Go
4
star
89

conjur-aws

[DEPRECATED] - AWS CloudFormation templates for Conjur
Shell
4
star
90

conjur-google-cloud-marketplace

[DEPRECATED] Conjur application for Google Cloud Marketplace
Shell
4
star
91

conjur-service-broker

Implementation of the Open Service Broker API for Conjur
Ruby
4
star
92

identity-demo-android

This is to demonstrate CyberArk Identity capabilities of Android SDK in a sample app.
Kotlin
3
star
93

pas-reporter-dataprocessing

C#
3
star
94

conjur-inspect

Go
3
star
95

dap-web-utility

DAP web utility to simplify DAP/Conjur deployment & operations
JavaScript
3
star
96

urbancode-conjur-aim

A plugin which allows UrbanCode Deploy to get credentials from EPV via AIM, and to get secrets from Conjur for setting up a CI/CD workflow
Groovy
3
star
97

psmp-activate-ansible-role

Ansible role to activate Cyberark Privileged Session Manager SSH Proxy (PSM-SSH)
Shell
3
star
98

conjur-tutorials

A repository for tutorials related to Conjur
Shell
2
star
99

conjur-authn-iam-client-python

Python client for using Conjur with authn-iam
Python
2
star
100

aim-puppet

Ruby
2
star