Summon is a tool to inject secrets into a process via environment variables. The nice thing is that the secret provider can be configured at runtime and different environments can be chosen.
If you’re using gopass, this recipe might be for you.
Gopass itself can be used out of the box as a summon provider, as it fulfils all requirements: gopass secretname returns a secret.
To make direct use of gopass, just link the gopass binary into /usr/lib/summon. If you only want to read out a plain secret, you're done.
Gopass can also store secret information in yaml keys. My gopass entry private/aws/username looks as follows:

    myawspassword
    ---
    keyId: AKIAAWSKEYID
    secretKey: awssecretkey
    user: myusername
A single key, e.g. keyId, can be retrieved via

    gopass private/aws/username keyId
The summon provider does not allow spaces in secret names, therefore the following wrapper script makes life easier:
    #!/bin/bash
    # Turn "entry:key" into "entry key" so that the two parts reach gopass
    # as separate arguments (relies on word splitting of the unquoted $ARGS).
    ARGS=$(echo "$1" | tr ':' ' ')
    gopass $ARGS

Put it in /usr/lib/summon/gopass and make it executable.
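A stricter variant of that wrapper, added here as an example and not taken from the original post or from the gopass or summon projects. It assumes summon's provider contract (the secret name arrives as the first argument, the secret is read from stdout, a non-zero exit status means the lookup failed) and that a gopass binary is on PATH; the function name gopass_provider is my own. Unlike the one-liner it does not rely on word splitting, so entries or keys containing spaces survive, and it refuses malformed names instead of issuing a bogus gopass call:

```shell
#!/bin/sh
# Added example (not from the original post): a stricter gopass provider
# for summon. Summon runs the provider with the secret name as $1, reads the
# secret from stdout and treats a non-zero exit as "lookup failed", so the
# wrapper must print nothing but the secret and must fail loudly on bad input.
#
# Compared to the one-line wrapper this version:
#   - splits "entry:key" with parameter expansion instead of word splitting,
#     so entries or keys containing spaces are handed to gopass intact
#   - rejects names with more than one ':' or with an empty entry/key part
#   - keeps plain "entry" names working without a key argument
gopass_provider() {
    name="$1"
    case "$name" in
        "")
            echo "gopass provider: empty secret name" >&2
            return 2 ;;
        *:*:*)
            echo "gopass provider: expected 'entry' or 'entry:key', got '$name'" >&2
            return 2 ;;
        *:*)
            entry="${name%%:*}"   # everything before the first ':'
            key="${name#*:}"      # everything after it
            if [ -z "$entry" ] || [ -z "$key" ]; then
                echo "gopass provider: empty entry or key in '$name'" >&2
                return 2
            fi
            # exit status of gopass becomes the provider's exit status
            gopass "$entry" "$key" ;;
        *)
            gopass "$name" ;;
    esac
}

# Summon always passes a secret name; when installed as
# /usr/lib/summon/gopass the script therefore acts as the provider.
# With no argument (e.g. when sourced for testing) nothing runs.
if [ "$#" -gt 0 ]; then
    gopass_provider "$@"
fi
```

Install it exactly like the short version (as /usr/lib/summon/gopass, executable). For a local dry run you can define a shell function named gopass that echoes fixed values and source the file; the provider then resolves names without touching the real store.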
Now you can create your summon secrets yaml:

    AWS_ACCESS_KEY_ID: !var private/aws/username:keyId
    AWS_SECRET_ACCESS_KEY: !var private/aws/username:secretKey
You can now call any tool that makes use of these environment variables, e.g. the aws cli:

    summon -p gopass -f ~/.aws/myaccount.yml aws s3api list-buckets
To make life even easier, set gopass as the default provider and create an alias in your shell profile / rc:

    # exported, so that summon (a child process) actually sees the variable
    export SUMMON_PROVIDER=gopass
    alias myaws='summon -f ~/.aws/myaccount.yml aws'
You can now use

    myaws s3api list-buckets