• Stars: 251
• Rank: 161,862 (Top 4 %)
• Language: Go
• License: BSD 2-Clause "Sim...
• Created over 7 years ago
• Updated 6 months ago


Repository Details

Expand env variables from AWS Parameter Store

ssm-env

ssm-env is a simple UNIX tool to populate env vars from AWS Parameter Store.

Installation

$ go get -u github.com/remind101/ssm-env

You can most likely find the downloaded binary in ~/go/bin/ssm-env

Usage

ssm-env [-template STRING] [-with-decryption] [-no-fail] COMMAND

Details

Given the following environment:

RAILS_ENV=production
COOKIE_SECRET=ssm://prod.app.cookie-secret

You can run the application using ssm-env to automatically populate the COOKIE_SECRET env var from SSM:

$ ssm-env env
RAILS_ENV=production
COOKIE_SECRET=super-secret

You can also configure how the parameter name is determined for an environment variable, by using the -template flag:

$ export COOKIE_SECRET=xxx
$ ssm-env -template '{{ if eq .Name "COOKIE_SECRET" }}prod.app.cookie-secret{{end}}' env
RAILS_ENV=production
COOKIE_SECRET=super-secret

ssm-env also supports versioned SSM params:

$ export OLD_SECRET=ssm://secret:1
$ export NEW_SECRET=ssm://secret:2
$ ssm-env env

OLD_SECRET=super_secret_v1
NEW_SECRET=super_secret_v2
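
The following Go program is an added example, not code from ssm-env. It lists the parameters an environment references through ssm:// values (the default scheme shown above, including the versioned form, not the -template mode) and prints the parameter ARNs an IAM policy for the process would need to cover. The region, the account ID 123456789012 and the names ParseRefs and ParameterARNs are constructed for illustration.

```go
package main

import (
	"fmt"
	"sort"
	"strings"
)

// Ref is one environment variable whose value points at an SSM parameter.
type Ref struct{ Var, Name, Version string }

// ParseRefs returns every KEY=ssm://name[:version] entry, in input order.
func ParseRefs(environ []string) []Ref {
	var refs []Ref
	for _, kv := range environ {
		key, val, ok := strings.Cut(kv, "=")
		if !ok || !strings.HasPrefix(val, "ssm://") {
			continue // plain value such as RAILS_ENV=production
		}
		name, version, _ := strings.Cut(strings.TrimPrefix(val, "ssm://"), ":")
		if name == "" {
			continue // "ssm://" alone names no parameter
		}
		refs = append(refs, Ref{Var: key, Name: name, Version: version})
	}
	return refs
}

// ParameterARNs returns sorted, de-duplicated ARNs for refs. The version
// selector is not part of the ARN, and a leading "/" is not doubled.
func ParameterARNs(region, account string, refs []Ref) []string {
	seen := map[string]bool{}
	var arns []string
	for _, r := range refs {
		arn := fmt.Sprintf("arn:aws:ssm:%s:%s:parameter/%s",
			region, account, strings.TrimPrefix(r.Name, "/"))
		if !seen[arn] {
			seen[arn] = true
			arns = append(arns, arn)
		}
	}
	sort.Strings(arns)
	return arns
}

func main() {
	// Constructed sample environment, taken from the values shown on this page.
	env := []string{"RAILS_ENV=production", "COOKIE_SECRET=ssm://prod.app.cookie-secret",
		"OLD_SECRET=ssm://secret:1", "NEW_SECRET=ssm://secret:2", "SSM_EXAMPLE=ssm:///foo/bar"}
	fmt.Println(strings.Join(ParameterARNs("us-east-1", "123456789012", ParseRefs(env)), "\n"))
}
```

Scoping the policy to exactly these ARNs keeps the container from reading parameters it never references.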

Usage with Docker

A common use case is to use ssm-env as a Docker ENTRYPOINT. You can copy and paste the following into the top of a Dockerfile:

RUN curl -L https://github.com/remind101/ssm-env/releases/download/v0.0.4/ssm-env > /usr/local/bin/ssm-env && \
      cd /usr/local/bin && \
      echo 4a5140b04f8b3f84d16a93540daa7bbd ssm-env | md5sum -c && \
      chmod +x ssm-env
ENTRYPOINT ["/usr/local/bin/ssm-env", "-with-decryption"]

Now, any command executed with the Docker image will be funneled through ssm-env.

Alpine Docker Image

To use ssm-env with Alpine Docker images, root certificates need to be added and the installation command differs, as shown in the Dockerfile below (which, unlike the one above, does not verify a checksum of the downloaded binary):

FROM alpine:latest

# ...copy code

# ssm-env: See https://github.com/remind101/ssm-env
RUN wget -O /usr/local/bin/ssm-env https://github.com/remind101/ssm-env/releases/download/v0.0.3/ssm-env
RUN chmod +x /usr/local/bin/ssm-env

# Alpine Linux doesn't include root certificates which ssm-env needs to talk to AWS.
# See https://simplydistributed.wordpress.com/2018/05/22/certificate-error-with-go-http-client-in-alpine-docker/
RUN apk add --no-cache ca-certificates

ENTRYPOINT ["/usr/local/bin/ssm-env", "-with-decryption"]

Usage with Kubernetes

A simple way to provide AWS credentials to ssm-env in containers run in Kubernetes is to use Kubernetes Secrets and to expose them as environment variables. There are more secure alternatives to environment variables, but if this is secure enough for your needs, it provides a low-effort setup path.

First, store your AWS credentials in a secret called aws-credentials:

kubectl create secret generic aws-credentials --from-literal=AWS_ACCESS_KEY_ID='AKIA...' --from-literal=AWS_SECRET_ACCESS_KEY='...'

Then, in the container specification in your deployment or pod file, add them as environment variables (alongside all other environment variables, including those retrieved from SSM):

      containers:
        - env:
            - name: AWS_ACCESS_KEY_ID
              valueFrom:
                secretKeyRef:
                  name: aws-credentials
                  key: AWS_ACCESS_KEY_ID
            - name: AWS_SECRET_ACCESS_KEY
              valueFrom:
                secretKeyRef:
                  name: aws-credentials
                  key: AWS_SECRET_ACCESS_KEY
            - name: AWS_REGION
              value: us-east-1
            - name: SSM_EXAMPLE
              value: ssm:///foo/bar
