#!/usr/bin/env bash

# aws-entrypoint.sh
# Translates environment variables that contain AWS Secrets Manager references
# into their secret values, then exec's the real entrypoint. Useful as a
# Docker entrypoint:
#
# Dockerfile:
# ENTRYPOINT ["/aws-entrypoint.sh", "/your-original-entrypoint.sh"]
#
# Dockerfile (Alpine Linux) required installation
# # install bash, jq, aws-cli -- pin the pip package versions in real builds
# # so the image is reproducible and the CLI you audited is the one you ship
# RUN apk -v --update add \
# bash \
# grep \
# jq \
# python \
# py-pip \
# groff \
# less \
# mailcap \
# && \
# pip install awscli python-magic --upgrade && \
# apk -v --purge del py-pip && \
# rm /var/cache/apk/*
#
# Example environment variable format:
# string value of key 'username' stored into FOO: FOO={{runtime-secret:my-secret-name:username}}
# raw json value stored into FOO: FOO={{runtime-secret:my-secret-name}}
#
# Notes:
# - The reference is split on ':', so the secret id must not contain ':'
#   (use the secret name, not its ARN).
# - Resolved secrets live in the environment of the exec'd process; anything
#   able to read that environment (e.g. `docker exec ... env`,
#   /proc/<pid>/environ) can read them.
#

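# split_newlines STRING...
# Splits its arguments on newlines into the global array $split_parts.
# Empty lines are dropped (newline is IFS whitespace). Pathname expansion is
# switched off while the array is built: the previous unquoted expansion let a
# line such as '{{runtime-secret:*}}' be globbed against the working directory.
# The caller's noglob setting is restored afterwards.
split_newlines() {
  local IFS=$'\n'
  local had_noglob=0
  [[ $- == *f* ]] && had_noglob=1
  set -f
  split_parts=($@)
  (( had_noglob )) || set +f
}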
  36.  
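# Regex for one {{runtime-secret:...}} reference. A character class instead of
# a non-greedy '.*?' keeps two references on one line separate and works in
# bash's own ERE engine, so neither GNU grep -P nor a BSD grep branch is needed.
ref_re='\{\{runtime-secret:[^}]*\}\}'

# Walk every exported variable by name (compgen -e) rather than parsing `env`
# output, so a value that spans several lines cannot be mistaken for a fresh
# NAME=value pair.
while IFS= read -r name; do
  value=${!name}
  # Fast path: nothing to resolve in this variable.
  [[ $value == *'{{runtime-secret:'* ]] || continue

  # Collect every reference in the value, left to right.
  refs=()
  rest=$value
  while [[ $rest =~ $ref_re ]]; do
    refs+=("${BASH_REMATCH[0]}")
    rest=${rest#*"${BASH_REMATCH[0]}"}
  done
  (( ${#refs[@]} > 0 )) || continue

  for rt_value in "${refs[@]}"; do
    # Strip the delimiters, then split on ':': field 1 is the secret id,
    # field 2 (optional) is the key inside a JSON secret. Because of this
    # split a secret id may not contain ':' (an ARN cannot be used here).
    spec=${rt_value#'{{runtime-secret:'}
    spec=${spec%'}}'}
    IFS=':' read -r secret_id key _ <<< "$spec"
    if [[ -z $secret_id ]]; then
      printf 'Malformed runtime secret reference %s in environment variable %s, halting execution.\n' "$rt_value" "$name" >&2
      exit 1
    fi

    # Fetch the secret. --output json is forced because fromjson below relies
    # on it; AWS_DEFAULT_OUTPUT=text would otherwise break parsing.
    if ! my_secret=$(aws secretsmanager get-secret-value --secret-id "$secret_id" --query "SecretString" --output json); then
      if ! command -v aws >/dev/null 2>&1; then
        printf 'The aws cli command was not found but an environment variable %s requiring it was specified. Halting execution.\n' "$name" >&2
        exit 1
      fi
      printf 'Failed to find expected aws secret for environment variable %s, halting execution.\n' "$name" >&2
      exit 1
    fi

    # Extract the requested value. The key is handed to jq with --arg so it is
    # data, never part of the filter program; a dotted key still walks a nested
    # path as the old '.'"$key" interpolation did.
    jq_status=0
    if [[ -n $key ]]; then
      my_value=$(jq -r --arg k "$key" 'fromjson | getpath($k | split(".")) | select(. != null)' <<< "$my_secret") || jq_status=$?
    else
      my_value=$(jq -r 'fromjson' <<< "$my_secret") || jq_status=$?
    fi
    if (( jq_status != 0 )); then
      if ! command -v jq >/dev/null 2>&1; then
        printf 'The jq command was not found but an environment variable %s requiring it was specified. Halting execution.\n' "$name" >&2
        exit 1
      fi
      # Only the reference is echoed, never $value: by this point $value may
      # already contain secrets resolved from earlier references.
      printf 'Failed to parse expected json from environment variable %s, %s, halting execution.\n' "$name" "$rt_value" >&2
      exit 1
    fi
    # Fail closed: a missing key must not silently inject an empty credential.
    # (A key whose value is legitimately the empty string is rejected too.)
    if [[ -n $key && -z $my_value ]]; then
      printf 'Key %s not found or empty in aws secret %s for environment variable %s, halting execution.\n' "$key" "$secret_id" "$name" >&2
      exit 1
    fi

    # Both sides are quoted: an unquoted pattern would treat glob characters
    # in the reference as wildcards, and an unquoted replacement lets an '&'
    # in the secret expand to the matched text (bash 5.2 patsub_replacement).
    value=${value//"$rt_value"/"$my_value"}
  done

  # Re-export so the program exec'd below sees the resolved value.
  export "$name=$value"
done < <(compgen -e)

exec "$@"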