External Secrets Plugin
We've launched a plugin that injects secrets directly into a session, which gives administrators a more secure setup when provisioning credentials.
This plugin has two options:
- Secrets derived from environment variables inside an agent
- Secrets derived from AWS Secrets Manager
The prerequisite is that secrets are encoded as JSON, so in practice, this:
ENV_CONFIG='{"PG_PWD": "mypgsecret"}'
is mapped to a session as YOURKEY=mypgsecret
In a nutshell
# create a connection
# PGPWD is the key that you want to expose
hoop admin create connection bash --agent test-agent \
-e PGPWD=envjson:ENV_CONFIG:PG_PWD \
--overwrite -- /bin/bash
# configure/create the plugin
hoop admin create plugin secretsmanager \
--connection bash \
--source hoop/secretsmanager \
--overwrite
# run it
$ hoop exec bash -i 'env |grep -i PGPWD'
mypgsecret
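How a reference such as envjson:ENV_CONFIG:PG_PWD can be resolved, including the failure cases an administrator will hit when the JSON is malformed or a key is absent. This is an added example, not hoop's own code; it assumes the reference has three colon-separated fields and that secret values are JSON strings, and resolveEnvJSON, sampleEnv and sampleLookup are hypothetical names.

```go
package main

import (
	"encoding/json"
	"errors"
	"fmt"
	"strings"
)

// sampleEnv is constructed sample data standing in for the agent's environment.
var sampleEnv = map[string]string{
	"ENV_CONFIG": `{"PG_PWD": "mypgsecret", "PG_PORT": 5432}`,
	"BROKEN":     `{"PG_PWD": `,
}

func sampleLookup(name string) (string, bool) { v, ok := sampleEnv[name]; return v, ok }

// resolveEnvJSON (hypothetical helper) resolves envjson:<ENV_VAR>:<JSON_KEY>
// using a lookup such as os.LookupEnv. Errors name the variable and key only.
func resolveEnvJSON(ref string, lookup func(string) (string, bool)) (string, error) {
	parts := strings.SplitN(ref, ":", 3)
	if len(parts) != 3 || parts[0] != "envjson" || parts[1] == "" || parts[2] == "" {
		return "", errors.New("reference must look like envjson:<ENV_VAR>:<JSON_KEY>")
	}
	raw, ok := lookup(parts[1])
	if !ok {
		return "", fmt.Errorf("environment variable %s is not set", parts[1])
	}
	var doc map[string]any
	if err := json.Unmarshal([]byte(raw), &doc); err != nil {
		// The decoder error is dropped on purpose: it can quote payload characters.
		return "", fmt.Errorf("environment variable %s is not a JSON object", parts[1])
	}
	val, ok := doc[parts[2]].(string)
	if !ok {
		return "", fmt.Errorf("key %s in %s is missing or not a string", parts[2], parts[1])
	}
	return val, nil
}

func main() {
	for _, ref := range []string{"envjson:ENV_CONFIG:PG_PWD", "envjson:ENV_CONFIG:PG_PORT",
		"envjson:BROKEN:PG_PWD", "envjson:MISSING:PG_PWD", "ENV_CONFIG:PG_PWD"} {
		val, err := resolveEnvJSON(ref, sampleLookup)
		if err != nil {
			fmt.Printf("%-28s error: %v\n", ref, err)
			continue
		}
		// Report only the length; the secret itself is never printed.
		fmt.Printf("%-28s resolved (%d bytes)\n", ref, len(val))
	}
}
```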
Check out our documentation for more details.