Summon is a tool to inject secrets into a process via environment variables. The nice thing is that the secret provider can be configured at runtime and different environments can be chosen.

If you’re using gopass, this recipe might be for you.

Gopass itself can be used out of the box as summon provider as it fulfils all requirements: gopass secretname returns a secret. To directly make use of gopass, just link the gopass binary to /usr/lib/summon. If you just wanna read out a plain secret, you’re done.

Gopass can also store secret information also in yaml keys. My gopass entry private/aws/username looks as follows:

myawspassword
---
keyId: AKIAAWSKEYID
secretKey: awssecretkey
user: myusername

The keyId or secretKey can be retrieved via gopass private/aws/username keyId. The summon provider does not allow spaces in secret names, therefore the following wrapper script makes life easier:

#!/bin/bash
ARGS=$(echo $1| tr : \ )
gopass $ARGS

put it in /usr/lib/summon/gopass and make it executable.

Now, you can create your summon secret yaml (~/aws/myaccount.yml):

AWS_ACCESS_KEY_ID: !var private/aws/username:keyId
AWS_SECRET_ACCESS_KEY: !var private/aws/username:secretKey

You can now call any tool that makes use of these environment variables, e.g. the aws cli:

summon -p gopass -f ~/.aws/myaccount.yml aws s3api list-buckets

To make life even easier, set gopass as default provider and create an alias in your shell profile / rc:

SUMMON_PROVIDER=gopass
alias myaws='summon -f ~/.aws/myaccount.yml aws'

You can now use myaws s3api list-buckets