AWS Secrets Manager

This plugin enables integrating with known secrets manager making connection environment variable to be expanded dynamically for each connection.

plugin-secretsmanager source code

AWS Secrets Manager Provider

This allows for the expansion of environment variables from an AWS key-value secret or a literal one.

Credentials Configuration

The system accepts authentication from environment variables, shared configuration, shared credentials files, or with an instance profile role.

Required IAM Roles

secretsmanager:GetSecretValue

secretsmanager:GetResourcePolicy

secretsmanager:DescribeSecret

secretsmanager:ListSecretVersionIds

Syntax

aws:SECRET-KEY:SECRETID

A secret configured as:

shell
cat - > /tmp/pgconfig.json <<EOF
{
  "PG_HOST": "127.0.0.1",
  "PG_PORT": "3306"
}
EOF
aws secretsmanager create-secret --name pgprod \
    --secret-string file:///tmp/pgconfig.json

Can be exposed to an environment variable in a connection as:

aws:pgprod:PG_HOST

aws:pgprod:PG_PORT

Example:

MYSECRET=aws:prod-secret-key:MYSECRET

The environment key value will be replaced when the user is opening a session with the agent.

Managing the Plugin

Create a connection

shell
hoop admin create connection bash --agent test-agent \
    -e PG_HOST=aws:pgprod:PG_HOST \
    --overwrite -- /bin/bash

Create the plugin and associate it

shell
hoop admin create plugin secretsmanager \
    --config=AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE \
    --config=AWS_SECRET_ACCESS_KEY=wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY \
    --config=AWS_REGION=us-east-1 \
    --connection bash \
    --source hoop/secretsmanager \
    --overwrite

Testing it

Assuming that you have a bash connection created, check if the environment variables are expanded for your connection:

shell
hoop exec bash -i 'env'

The plugin configuration for AWS Credentials is not shared with the user under any circumstances while they are interacting with the connection. These credentials are kept in memory only. The context of the session will have only the secret values expanded in the connection environment variables.However, when using instance roles, users could have access to those credentials depending how they interact with a connection. Example: passing a bash or a python script to a connection.

Env Json Provider

This provider allows exposing environment variables from an agent exposing a JSON environment variable. It’s useful to maintain compatibility with older runops agents.

Syntax

envjson:MYJSON_ENV:ENVKEY

So an environment variable configured in an agent:

ENV_CONFIG='{"PG_HOST": "127.0.0.1", "PG_DB": "testdb"}'

Can be exposed to an environment variable in a connections as:

envjson:ENVCONFIG:PG_HOST

Managing the Plugin

Create a connection

shell
hoop admin create connection bash --agent test-agent \
    -e PG_HOST=envjson:ENV_CONFIG:PG_HOST \
    --overwrite -- /bin/bash

Create the plugin and associate it

shell
hoop admin create plugin secretsmanager \
    --connection bash \
    --source hoop/secretsmanager \
    --overwrite

Testing it

It should return the value of 127.0.0.1 from the ENV_CONFIG environment variable json.

plain text
hoop exec bash -i 'env |grep PG_HOST'