  1. #!/usr/bin/env bash
  2.  
  3. # aws-entrypoint.sh
  4. # Translates environment variables that contain aws secrets into their
  5. # secret values. This script is useful as an entrypoint into docker:
  6. #
  7. # Dockerfile:
  8. # ENTRYPOINT ["/aws-entrypoint.sh", "/your-original-entrypoint.sh"]
  9. #
# Dockerfile Alpine Linux required installation
  11. # # install bash, jq, aws-cli
  12. # RUN apk -v --update add \
  13. #         bash \
  14. #         grep \
  15. #         jq \
  16. #         python \
  17. #         py-pip \
  18. #         groff \
  19. #         less \
  20. #         mailcap \
  21. #         && \
  22. #     pip install awscli python-magic --upgrade && \
  23. #     apk -v --purge del py-pip && \
  24. #     rm /var/cache/apk/*
  25. #
  26. # Example environment variable format:
  27. # string value of key 'username' stored into FOO: FOO={{runtime-secret:my-secret-name:username}}
  28. # raw json value stored into FOO: FOO={{runtime-secret:my-secret-name}}
  29. #
  30.  
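#######################################
# Split the given strings on newlines into the global array `split_parts`.
# Globals:   split_parts (written; reset on every call)
# Arguments: one or more strings, each possibly spanning several lines
# Returns:   0
#######################################
split_newlines() {
    local arg line
    split_parts=()
    for arg in "$@"; do
        # Splitting with `read` keeps each line literal: an unquoted $@ in an
        # array assignment would also glob-expand pieces containing * ? [.
        # Empty lines are dropped, which matches how IFS word-splitting
        # collapses runs of newlines.
        while IFS= read -r line; do
            [[ -n "$line" ]] && split_parts+=("$line")
        done <<< "$arg"
    done
    return 0
}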
  36.  
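# Resolve {{runtime-secret:...}} placeholders in every exported variable.
# The names come from the bash builtin `compgen -e` rather than from parsing
# the output of `env`: a value containing '=' or a newline is kept intact,
# whereas `IFS='=' read` over `env` lines would split or truncate it.
mapfile -t names < <(compgen -e)
for name in "${names[@]}"; do
    value=${!name}

    # We are only interested in values containing {{runtime-secret: placeholders.
    if [[ "$OSTYPE" == "darwin"* ]]; then
        matches=$(grep -E -o '{{runtime-secret:.*?}}' <<< "${value}")
    else
        matches=$(grep -P -o '{{runtime-secret:.*?}}' <<< "${value}")
    fi
    split_newlines "${matches}"
    if (( ${#split_parts[@]} == 0 )); then
        # no placeholders, nothing to resolve
        continue
    fi

    # Replace every placeholder in this value with the requested secret.
    for rt_value in "${split_parts[@]}"; do
        # Strip the trailing '}}' and split "{{runtime-secret:NAME[:KEY]" on ':'.
        # parts[1] is the secret id, parts[2] (optional) the key inside it.
        IFS=':' read -r -a parts <<< "${rt_value%??}"

        # Fetch the secret; --query SecretString yields a JSON-encoded string,
        # which is why `fromjson` is applied below.
        if ! my_secret=$(aws secretsmanager get-secret-value --secret-id "${parts[1]}" --query "SecretString"); then
            if ! command -v aws >/dev/null 2>&1; then
                printf '%s\n' "The aws cli command was not found but an environment variable ${name} requiring it was specified. Halting execution." 1>&2
                exit 1
            fi

            printf '%s\n' "Failed to find expected aws secret for environment variable ${name}, halting execution." 1>&2
            exit 1
        fi

        if (( ${#parts[@]} > 2 )); then
            # A key was given: look it up as a top-level key of the secret JSON.
            # The key travels via --arg so it is data to jq, never program text
            # (splicing it into the filter string let an unusual key change the
            # filter). -e makes a missing or null key a failure instead of
            # silently yielding an empty secret.
            jq_args=(-r -e --arg key "${parts[2]}")
            jq_filter='fromjson | .[$key] | select(. != null)'
        else
            # Otherwise just turn the whole secret into nicely formatted JSON.
            jq_args=(-r)
            jq_filter='fromjson'
        fi

        if ! my_value=$(jq "${jq_args[@]}" "${jq_filter}" <<< "${my_secret}"); then
            if ! command -v jq >/dev/null 2>&1; then
                printf '%s\n' "The jq command was not found but an environment variable ${name} requiring it was specified. Halting execution." 1>&2
                exit 1
            fi

            # Report the placeholder, not ${value}: by now value may already
            # hold secret values resolved for earlier placeholders, and those
            # must not end up in logs.
            printf '%s\n' "Failed to parse expected json for environment variable ${name} (placeholder ${rt_value}), halting execution." 1>&2
            exit 1
        fi

        # Replace the placeholder with the secret value. Both sides are quoted:
        # the pattern is then matched literally (no globbing on ? * [) and the
        # replacement is not subject to bash's patsub_replacement '&' expansion.
        value=${value//"${rt_value}"/"${my_value}"}
    done

    # Re-export the variable with the resolved value so the exec'd process sees it.
    export "${name}=${value}"
done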
  92.  
  93. exec "$@"