AWS Secrets Manager Provider

This provider allows for the expansion of environment variables from an AWS key-value secret or a literal one.

Credentials Configuration

It requires an instance profile in the agent with the permissions below:

Required IAM Roles

  • secretsmanager:GetSecretValue
  • secretsmanager:GetResourcePolicy
  • secretsmanager:DescribeSecret
  • secretsmanager:ListSecretVersionIds

Syntax

  • _aws:SECRET-NAME:SECRET-KEY

A secret configured as:

cat - > /tmp/pgconfig.json <<EOF
{
  "PG_HOST": "127.0.0.1",
  "PG_PORT": "3306"
}
EOF
aws secretsmanager create-secret --name pgprod \
    --secret-string file:///tmp/pgconfig.json

Can be exposed to an environment variable in a connection as:

  • _aws:pgprod:PG_HOST
  • _aws:pgprod:PG_PORT

Example:

  • MYSECRET=_aws:prod-secret-name:MYSECRET

The environment key value will be replaced when the user opens a session with the agent.

Testing It

Create a bash connection.

hoop admin create connection bash --agent test-agent \
    -e PG_HOST=_aws:pgprod:PG_HOST \
    --overwrite -- /bin/bash

Then, execute the env command to dump the environment variables of a session.

hoop exec bash -i 'env' |grep PG_HOST

Env Json Provider

This provider allows the exposure of environment variables from an agent by exposing a JSON environment variable. It is useful for maintaining compatibility with older runops agents.

Syntax

  • _envjson:MYJSON_ENV:ENVKEY

So an environment variable configured in an agent:

  • ENV_CONFIG='{"PG_HOST": "127.0.0.1", "PG_DB": "testdb"}'

Can be exposed to an environment variable in a connection as:

  • _envjson:ENVCONFIG:PG_HOST

Testing It

Create a bash connection.

hoop admin create connection bash --agent test-agent \
    -e PG_HOST=_envjson:ENV_CONFIG:PG_HOST \
    --overwrite -- /bin/bash

Then, execute the env command to dump the environment variables of a session.

hoop exec bash -i 'env' |grep PG_HOST