@imaware/secretenv
v1.2.57
NodeJS utility for automatically resolving environment variables to secret values.
secretenv
Docs
Automatically generated docs are located in ./docs.md.
Supported Secret Providers
- [x] GCP Secrets
- [x] AWS SSM Parameter Store
- [x] AWS Secrets Manager (SecretString only)
- [ ] Vault
- [ ] Azure Key Vault
Usage
In your code's initialization logic, simply call:
await resolveEnv()
The function resolveEnv returns a Promise which resolves once all environment variables have been processed (and resolved if necessary).
Environment variables that should be resolved from remote secret storage sources follow a given pattern for each source type (see src/secretenv/resolvers/<provider>.ts for patterns). If any environment variables match these patterns, secretenv will attempt to resolve them from their respective providers, and replace them in the environment with their resolved values.
The resolveEnv function presumes that valid credentials for the target provider are available. If they are not, it will throw authentication errors.
secretenv will throw errors if:
- No authentication is present for a provider
- Credentials do not have permissions to access the secret resource from the provider
- The secret resource does not exist
secretenv will not throw errors if:
- The value of the resolved secret is undefined or an empty string
GCP Secrets
GCP secrets should be referenced by this pattern:
/^gcp-secrets:\/\/projects\/(?<gcp_project>[^/]+)\/secrets\/(?<secret_name>[^/]+)\/versions\/(?<version>[^/]+)$/
AWS SSM Parameter Store
AWS SSM Parameters should be referenced by this pattern:
/^aws-ssm:\/\/arn:aws:ssm:(?<region>[^/]+):(?<account_id>[^/]+):parameter\/(?<parameter_id>[^:]+)(?<encrypted>:encrypted)?$/
The :encrypted suffix specifies whether the SSM Parameter is KMS encrypted or not.
AWS Secrets Manager
AWS Secrets Manager SecretStrings should be referenced by this pattern:
/^aws-secrets:\/\/arn:aws:secretsmanager:(?<region>[^/]+):(?<account_id>[^/]+):secret:(?<secret_id>[a-zA-Z0-9/_+=.@-]+)(?<stage>:stage:(?<version_stage>[a-zA-Z0-9]+))?(?<version>:version:(?<version_id>[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}))?$/
*Only AWS Secrets of type SecretString are supported.
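A pre-flight check built on the three reference patterns above and on the "will not throw" case under Usage, as an added example that is not part of secretenv. auditEnv and emptyAfterResolve are hypothetical helpers, the sample values are constructed, and the check assumes that a value which starts with a provider scheme but fails the pattern is left in the environment as a literal string.

```javascript
// Added example, not part of secretenv. The three patterns are copied verbatim from this README.
const PATTERNS = {
  'gcp-secrets': /^gcp-secrets:\/\/projects\/(?<gcp_project>[^/]+)\/secrets\/(?<secret_name>[^/]+)\/versions\/(?<version>[^/]+)$/,
  'aws-ssm': /^aws-ssm:\/\/arn:aws:ssm:(?<region>[^/]+):(?<account_id>[^/]+):parameter\/(?<parameter_id>[^:]+)(?<encrypted>:encrypted)?$/,
  'aws-secrets': /^aws-secrets:\/\/arn:aws:secretsmanager:(?<region>[^/]+):(?<account_id>[^/]+):secret:(?<secret_id>[a-zA-Z0-9/_+=.@-]+)(?<stage>:stage:(?<version_stage>[a-zA-Z0-9]+))?(?<version>:version:(?<version_id>[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}))?$/,
};

// Run BEFORE resolveEnv(): sort variables into parsed references and malformed ones.
// Plain values (no provider scheme) are ignored. Only names are reported, never values.
function auditEnv(env) {
  const references = [];
  const malformed = [];
  for (const [name, value] of Object.entries(env)) {
    const provider = Object.keys(PATTERNS).find((p) => String(value).startsWith(`${p}://`));
    if (!provider) continue;
    const match = PATTERNS[provider].exec(value);
    if (!match) {
      malformed.push({ name, provider });
      continue;
    }
    // Optional groups that did not take part in the match are undefined; drop them.
    const fields = Object.fromEntries(
      Object.entries(match.groups).filter(([, v]) => v !== undefined),
    );
    references.push({ name, provider, fields });
  }
  return { references, malformed };
}

// Run AFTER resolveEnv(): the README states that an undefined or empty resolved
// secret does not throw, so check the variables that held references.
function emptyAfterResolve(references, env) {
  return references
    .map((ref) => ref.name)
    .filter((name) => env[name] === undefined || env[name] === '');
}

// Constructed sample environment (project, account id and secret names are made up).
const sampleEnv = {
  DB_PASSWORD: 'gcp-secrets://projects/example-project/secrets/db-password/versions/latest',
  API_KEY: 'aws-ssm://arn:aws:ssm:us-east-1:123456789012:parameter/app/api-key:encrypted',
  SIGNING_KEY: 'aws-secrets://arn:aws:secretsmanager:us-east-1:123456789012:secret:app/signing-key:stage:AWSCURRENT',
  BROKEN_REF: 'gcp-secrets://projects/example-project/secrets/db-password', // no /versions/<version>
  LOG_LEVEL: 'info',
};
```

Call auditEnv(process.env) before await resolveEnv() and fail startup if malformed is non-empty, then pass the recorded references to emptyAfterResolve once resolution has finished.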