It enables integration with a known secrets manager, allowing the connection environment variable to be dynamically expanded for each connection.
AWS Secrets Manager Provider
This provider allows for the expansion of environment variables from an AWS key-value secret or a literal one.
Credentials Configuration
It requires an instance profile in the agent with the permissions below:
Required IAM Roles
- secretsmanager:GetSecretValue
- secretsmanager:GetResourcePolicy
- secretsmanager:DescribeSecret
- secretsmanager:ListSecretVersionIds
Syntax
_aws:SECRET-NAME:SECRET-KEY
A secret configured as:
cat - > /tmp/pgconfig.json <<EOF
{ "PG_HOST": "127.0.0.1", "PG_PORT": "3306" }
EOF
aws secretsmanager create-secret --name pgprod \
  --secret-string file:///tmp/pgconfig.json
Can be exposed to an environment variable in a connection as:
_aws:pgprod:PG_HOST
_aws:pgprod:PG_PORT
Example:
- MYSECRET=_aws:prod-secret-name:MYSECRET
The environment key value will be replaced when the user opens a session with the agent.
Testing It
Create a bash connection:
hoop admin create connection bash --agent test-agent \
  -e PG_HOST=_aws:pgprod:PG_HOST \
  --overwrite -- /bin/bash
Then, execute the env command to dump the environment variables of a session:
hoop exec bash -i 'env' | grep PG_HOST
Env Json Provider
This provider exposes values from a JSON-encoded environment variable set on the agent as environment variables in a connection. It is useful for maintaining compatibility with older runops agents.
Syntax
_envjson:MYJSON_ENV:ENVKEY
So an environment variable configured in an agent:
ENV_CONFIG='{"PG_HOST": "127.0.0.1", "PG_DB": "testdb"}'
Can be exposed to an environment variable in a connection as:
_envjson:ENV_CONFIG:PG_HOST
Testing It
Create a bash connection:
hoop admin create connection bash --agent test-agent \
  -e PG_HOST=_envjson:ENV_CONFIG:PG_HOST \
  --overwrite -- /bin/bash
Then, execute the env command to dump the environment variables of a session:
hoop exec bash -i 'env' | grep PG_HOST
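The reference syntax of both providers, modeled as an added example (not hoop's own code): it parses _aws:SECRET-NAME:SECRET-KEY and _envjson:ENV:KEY values and fails closed, so a misspelled source or key raises an error instead of reaching the session as a literal string. The names expand_env, SecretRefError, fetch_aws and the sample data are assumptions made for this example.

```python
import json
import re

# Reference syntax documented on this page: _aws:SECRET-NAME:SECRET-KEY, _envjson:ENV:KEY
REF = re.compile(r"^_(aws|envjson):([^:]+):([^:]+)$")

class SecretRefError(Exception):
    """Raised instead of passing an unresolved reference into a session."""

def expand_env(conn_env, agent_env, fetch_aws=None):
    """Return conn_env with every secret reference replaced by its value."""
    # fetch_aws: hypothetical callable(secret_name) -> JSON string, standing in
    # for a Secrets Manager GetSecretValue call made by the agent.
    cache, out = {}, {}
    for var, value in conn_env.items():
        m = REF.match(value)
        if m is None:
            if value.startswith(("_aws:", "_envjson:")):
                raise SecretRefError(f"{var}: malformed secret reference")
            out[var] = value  # plain literal, passed through unchanged
            continue
        provider, name, key = m.groups()
        if (provider, name) not in cache:
            if provider == "envjson":
                raw = agent_env.get(name)
            else:
                raw = fetch_aws(name) if fetch_aws else None
            if raw is None:
                raise SecretRefError(f"{var}: {provider} source {name!r} unavailable")
            try:
                doc = json.loads(raw)
            except ValueError:
                doc = None
            if not isinstance(doc, dict):
                # Never echo raw: it may contain the secret material itself.
                raise SecretRefError(f"{var}: {name!r} is not a JSON object")
            cache[(provider, name)] = doc
        doc = cache[(provider, name)]
        if key not in doc:
            raise SecretRefError(f"{var}: key {key!r} missing from {name!r}")
        out[var] = str(doc[key])
    return out

# Constructed sample data mirroring the values used on this page.
AGENT_ENV = {"ENV_CONFIG": '{"PG_HOST": "127.0.0.1", "PG_DB": "testdb"}'}
AWS_STUB = {"pgprod": '{"PG_HOST": "127.0.0.1", "PG_PORT": "3306"}'}.get
```

Error messages name the variable, source and key but never the secret's content, so they are safe to write to agent logs.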