secrethub / secrethub-cli
A secrets management platform that every engineer can use with minimal code changes.
Home Page: https://secrethub.io
License: Apache License 2.0
Though we discourage users from applying requirements like minimum 1 symbol (as it decreases the entropy of the generated password), we do not control the password requirements of third party applications our users store and generate passwords for.
And those requirements can be super wacky:
To support those password requirements in a relatively simple way, we've come up with three flags:
--include <charset> Include given characters in the set of characters to randomly choose a password from. Defaults to alphanumeric. As the password is randomly chosen, it is not ensured that the password will always contain at least one character from the given character set. Use --min for that.
--exclude <charset> Ensure the password does not contain any characters from the given character set.
--min <charset>:<n> Ensure that the resulting password contains at least n characters from the given character set.
The supported character sets are as follows:
alphanumeric = a-zA-Z0-9
symbols = !@#$%^*-_+=.,?
similar = iIlL1oO0
numeric = 0-9
letters = a-zA-Z
lowercase = a-z
uppercase = A-Z
A few notes on the character sets:
numeric is a bit less generic, we could have aliases for numbers, number, and digits?
similar set should also include the nine and the lowercase G: 9g. This requires a change to the randchar library though.
A few examples of usage are:
$ secrethub generate --include symbols
$ secrethub generate --include symbols --exclude similar
$ secrethub generate --min symbols:2 --min numeric:1
Rules are as follows:
--include and --min are mutually exclusive with --exclude, meaning you can't have both --include symbols --exclude symbols or --exclude symbols --min symbols:1.
--min symbols automatically also adds --include symbols.
--min symbols:0 automatically adds --include symbols, but does not impose a minimum constraint.
Also, the help text of the secrethub generate command should include something about the security implications of constraints. See the package comments of the randchar package:
However, note that the strongest passwords are the ones with
the least requirements. Imposing e.g. a minimum requirement
on generated passwords reduces the entropy of the resulting
password. So when possible, avoid using any constraints.
And finally, the docs texts could use a little work.
The spec is still a bit of a work in progress, so feedback is welcome.
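An added worked example, written for this page rather than taken from secrethub-cli or the randchar library, of how the three flags and the rules above can be applied in Go. It assumes the default alphanumeric set stays in the pool when other sets are included, leaves out the letters, lowercase and uppercase sets, and draws every character from crypto/rand.

```go
package main

import (
	"crypto/rand"
	"fmt"
	"math/big"
	"slices"
	"strings"
)

// Character sets from the proposal (letters, lowercase and uppercase omitted here).
var charsets = map[string]string{
	"alphanumeric": "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789",
	"symbols":      "!@#$%^*-_+=.,?",
	"similar":      "iIlL1oO0",
	"numeric":      "0123456789",
}

func filter(set, drop string) (kept string) { // characters of set that are not in drop
	for _, r := range set {
		if !strings.ContainsRune(drop, r) {
			kept += string(r)
		}
	}
	return kept
}

// Generate implements the rules from the issue: --min implies --include (also for n=0),
// a set may not be both included and excluded, and excluded characters are removed from
// every set, including the assumed-default alphanumeric pool. --min chars are drawn first.
func Generate(length int, include, exclude []string, min map[string]int) (string, error) {
	for n := range min {
		include = append(slices.Clone(include), n) // clone: leave the caller's slice alone
	}
	var excluded string
	for _, n := range exclude {
		if slices.Contains(include, n) {
			return "", fmt.Errorf("--exclude %s conflicts with --include/--min %s", n, n)
		}
		excluded += charsets[n]
	}
	pool := filter(charsets["alphanumeric"], excluded)
	for _, n := range include {
		pool += filter(charsets[n], excluded+pool) // add only characters not yet present
	}
	out := make([]byte, 0, length)
	for name, n := range min {
		alphabet := filter(charsets[name], excluded)
		if n > 0 && alphabet == "" {
			return "", fmt.Errorf("--min %s:%d: every character of %s is excluded", name, n, name)
		}
		for i := 0; i < n; i++ {
			out = append(out, alphabet[randIndex(len(alphabet))])
		}
	}
	if len(out) > length || pool == "" {
		return "", fmt.Errorf("%d constrained characters, %d pool characters, length %d", len(out), len(pool), length)
	}
	for len(out) < length {
		out = append(out, pool[randIndex(len(pool))])
	}
	for i := len(out) - 1; i > 0; i-- { // Fisher-Yates shuffle with crypto/rand
		j := randIndex(i + 1)
		out[i], out[j] = out[j], out[i]
	}
	return string(out), nil
}

func randIndex(n int) int { // uniform index in [0, n); a crypto/rand failure is fatal
	i, err := rand.Int(rand.Reader, big.NewInt(int64(n)))
	if err != nil {
		panic(err)
	}
	return int(i.Int64())
}
```

The shuffle matters: without it the --min characters would always occupy the first positions, which an attacker who knows the policy could exploit.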
I would like to use secrethub on arm machines. Currently this gives an exec format error.
With goreleaser this should be trivial right?
-bash: /usr/local/bin/secrethub: cannot execute binary file: Exec format error
We'd like to distribute the CLI via package managers, so that it can be easily installed using the package manager you are used to.
e.g.
brew install secrethub
We'd like to support at least:
Other package managers we are considering are:
We might add other package managers to this list. Please let us know if there's another package manager in which you'd like us to distribute the CLI.
https://signup.secrethub.io/install
When following these instructions from the above page:
brew install secrethub/tools/secrethub-cli
secrethub init --setup-code xx-xxx-xxxx-xxx-xx
I get the following error:
Encountered an error: unknown long flag '--setup-code'
My system is:
Mac OS Big Sur
11.2.1 (20D75)
My cli version is:
secrethub version 0.39.0, build cd99b29
I was unable to install and proceed using the service.
Hello,
I'm trying to build multiarch docker images but I think no arm64 package is available for alpine:
apk add --repository https://alpine.secrethub.io/alpine/edge/main --allow-untrusted secrethub-cli
#8 0.388 fetch https://dl-cdn.alpinelinux.org/alpine/v3.13/main/aarch64/APKINDEX.tar.gz
#8 1.257 fetch https://dl-cdn.alpinelinux.org/alpine/v3.13/community/aarch64/APKINDEX.tar.gz
#8 2.455 v3.13.6-28-g0fb6231dad [https://dl-cdn.alpinelinux.org/alpine/v3.13/main]
#8 2.455 v3.13.6-29-g6b33ef5588 [https://dl-cdn.alpinelinux.org/alpine/v3.13/community]
#8 2.455 OK: 13736 distinct packages available
#8 4.042 OK: 5 MiB in 14 packages
#8 4.218 fetch https://alpine.secrethub.io/alpine/edge/main/aarch64/APKINDEX.tar.gz
#8 4.602 ERROR: https://alpine.secrethub.io/alpine/edge/main: No such file or directory
#8 4.603 WARNING: Ignoring https://alpine.secrethub.io/alpine/edge/main: No such file or directory
#8 6.077 ERROR: unable to select packages:
#8 6.243 secrethub-cli (no such package):
#8 6.243 required by: world[secrethub-cli]
This works fine for amd64.
When creating a full tree for a new project, it is often needed to create nested directories. To be able to do so without having to do a lot of monkey work, let's add a --parents flag to the mkdir command that creates the parent directories as well when these do not exist yet.
This flag would work exactly as the --parents flag on the unix mkdir command works: it will create the parent directories as well when these do not exist yet and it will not error when all directories already exist.
-p, --parents (bool)
make parent directories as needed
If a user has é in his passphrase, caching of the passphrase with the OS's keyring breaks on MacOS. The following error message is returned:
Encountered an error: cannot get passphrase from keyring: invalid character 'b' after top-level value (secrethub.cannot_get_keyring)
This might have something to do with the keyring returning a non-UTF-8-encoded string when this character is used, which breaks the json decoding of the stored value.
The following command fails for me on macos:
➜ ~ brew install secrethub/tools/secrethub-cli
Error: secrethub/tools/secrethub-cli: Calling bottle :unneeded is disabled! There is no replacement.
Please report this issue to the secrethub/tools tap (not Homebrew/brew or Homebrew/core):
/opt/homebrew/Library/Taps/secrethub/homebrew-tools/Formula/secrethub-cli.rb:6
When using a template from a file (which is the large majority of use-cases), you currently have to cat the file and pipe it to the inject command:
cat env.tpl | secrethub inject
Like with #35, not all environments work nicely with pipes. For example, in a docker image, we prefer a single call to a binary over the shell form of the command.
Therefore, I propose to add a --template-file flag that can be used as an alternative input to stdin.
--template-file (string)
Use the contents of a file as template.
And the order in which the command reads the template from different inputs would change to:
--template-file
I have looked everywhere in the docs for how to get this env-var and I didn't find anything.
I tried: secrethub run -- echo $SECRETHUB_CREDENTIAL but it doesn't print it.
As far as I understand, I need it to integrate with github-actions (https://github.com/marketplace/actions/secrethub#usage)
on: push
jobs:
  notify-slack:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v2
      - uses: secrethub/actions/[email protected]
        env:
          SECRETHUB_CREDENTIAL: ${{ secrets.SECRETHUB_CREDENTIAL }}. <<----- How do I get it???
          SLACK_WEBHOOK: secrethub://company/app/slack/webhook
      - name: Print environment with masked secrets
        run: printenv
      - name: Notify Slack
        # This action expects SLACK_WEBHOOK to be set, which is now done automatically
        uses: Ilshidur/[email protected]
        with:
          args: Sent from GitHub Actions with secrets from SecretHub 🔑
Used the secrethub CLI to generate the migration plan but have the following error applying it:
op --version 2.9.1
secrethub --version 0.43.0, build 3962e85
secrethub migrate apply --plan-file=./1password-migration-plan.yml
[1/5] Checking vault: creds-keys
[ERROR] 2022/12/07 08:42:11 unknown command "list" for "op"
Usage: op [command] [flags]
Management Commands:
account Manage your locally configured 1Password accounts
connect Manage Connect instances and Connect tokens in your 1Password account
document Perform CRUD operations on Document items in your vaults
events-api Manage Events API integrations in your 1Password account
group Manage the groups in your 1Password account
item Perform CRUD operations on the 1Password items in your vaults
plugin Manage the shell plugins you use to authenticate third-party CLIs
user Manage users within this 1Password account
vault Manage permissions and perform CRUD operations on your 1Password vaults
Commands:
completion Generate shell completion information
inject Inject secrets into a config file
read Read a secret using the secrets reference syntax
run Pass secrets as environment variables to a process
signin Sign in to a 1Password account
signout Sign out of a 1Password account
update Check for and download updates.
whoami Get information about a signed-in account
Global Flags:
--account account Select the account to execute the command by account shorthand, sign-in address, account ID, or user ID. For a list
of available accounts, run 'op account list'. Can be set as the OP_ACCOUNT environment variable.
--cache Store and use cached information. Cache is enabled by default. The cache is not available on Windows. (default true)
--config directory Use this configuration directory.
--debug Enable debug mode. Can also be enabled by setting the OP_DEBUG environment variable to true.
--encoding type Use this character encoding type. Default: UTF-8. Supported: SHIFT_JIS, gbk.
--format string Use this output format. Can be 'human-readable' or 'json'. Can be set as the OP_FORMAT environment variable.
(default "human-readable")
-h, --help Get help for op.
--iso-timestamps Format timestamps according to ISO 8601 / RFC 3339. Can be set as the OP_ISO_TIMESTAMPS environment variable.
--no-color Print output without color.
--session token Authenticate with this session token. 1Password CLI outputs session tokens for successful 'op signin' commands when
1Password app integration is not enabled.
Run 'op [command] --help' for more information on the command.
Encountered an error: could not check vault existence: could not list vaults: 1password: op list vaults: exit status 1
Not every environment handles piping nicely and we cannot predict how users will use our CLI. For instance, a docker container with the secrethub binary as entrypoint cannot accept piped content (without workarounds).
The write docs would change by adding this flag:
-i, --input-file (string)
Use the contents of a file as secret input.
And the order in which the command reads the secret from different inputs would change to:
--input-file OR --clip. These two are mutually exclusive and should error when both are set.
stdin
There are many scenarios where some secrets could be missing at a given time and I would like to silently ignore it so that the cli does not emit the following message:
Encountered an error: Secret not found (server.secret_not_found)
Description:
--silent
Silent or quiet mode. Don't show error messages.
Can we create an alias --description and --descr for this? I find myself typing it wrong every time. --description should also be the default if you ask me.
Originally posted by @mackenbach in #138
Like echo -n foo we could have: secrethub read -n path/to/secret.
When using curl https://apt.secrethub.io | bash I received the following error:
Err:1 https://apt.secrethub.io stable InRelease
The following signatures were invalid: EXPKEYSIG 425F7AB667B0B1D8 SecretHub <[email protected]>
Reading package lists... Done
W: GPG error: https://apt.secrethub.io stable InRelease: The following signatures were invalid: EXPKEYSIG 425F7AB667B0B1D8 SecretHub <[email protected]>
E: The repository 'https://apt.secrethub.io stable InRelease' is not signed.
We have the --clip flag in the read command and it makes a lot of sense to add it to the generate command too.
-c, --clip Copy the secret value to the clipboard. The clipboard is
automatically cleared after 45 seconds.
There's actually already a TODO comment in the code.
-f, --force (bool)
When injecting to an output file and the file already exists, overwrite it.
In #103 (comment) @mackenbach suggested to accept this template input {{{ path/to/secret }}} and render it as follows: {secret value}.
Currently this returns an error, as the first two brackets ({{) open the secret tag and so the third bracket is invalid, as a bracket is not an allowed character in a secret path. To get the {secret value} output, you'd have to use \{{{ path/to/secret }}}.
Hi, I think that the deployment process of the @secrethub/cli npm-package may have a bug:
$ npx @secrethub/cli
npx: command not found: cli
Up until now, I used yarn1 and downloaded @secrethub/cli to the project. I couldn't run it like: yarn secrethub because of the bug above, so as a workaround, I specified the full path from the node_modules: yarn node_modules/.bin/secrethub. All good.
After moving to yarn2 as a package-manager, I don't have node_modules anymore, so I must do one of the following:
yarn secrethub - throws an error. It may be related to the error above with npx.
yarn dlx @secrethub/cli - same error as npx.
npx @secrethub/cli - as you saw above.
Workaround is to install secrethub from another package manager: apk/apt-get
More info:
This is the package.json of @secrethub/cli (which I couldn't find in your organization. I found it in the node_modules when using yarn1)
{
  "name": "@secrethub/cli",
  "scripts": {
    "preinstall": "node install.js"
  },
  "bin": {
    "secrethub": "./bin/secrethub" <<<<<<<<<----
  },
  "author": "SecretHub <[email protected]> (https://secrethub.io)",
  "homepage": "https://secrethub.io",
  "repository": "github:secrethub/secrethub-cli",
  "description": "A secrets management platform that every engineer can use with minimal code changes.",
  "keywords": [
    "secrets management",
    "devops",
    "devsecops",
    "end-to-end encryption"
  ],
  "dependencies": {
    "axios": "^0.19.2",
    "tar": "^6.0.2",
    "unzipper": "^0.10.11"
  },
  "devDependencies": {},
  "license": "Apache-2.0",
  "version": "0.41.2"
}
Something may be wrong in ./bin/secrethub.
I'm using Termux for a handheld development environment on an Android phone and trying to install SecretHub via NPM failed with this message:
No SecretHub binary found for OS 'android'.
I've been using secrethub for a while now and keep intermittently coming across these issues and have never found the source nor managed to fix them, resorting to copy and pasting manually as a workaround.
When I use secrethub write -c I get the following error:
Encountered an error: cannot read from clipboard: No clipboard utilities available. Please install xsel, xclip, wl-clipboard or Termux:API add-on for termux-clipboard-get/set. (clipboard.cannot_read)
I actually have both xsel and xclip installed. I've tried uninstalling one to see if it was a conflict of sorts, but received the same error.
When I use secrethub write -i I get the following error:
Encountered an error: could not read the input file <file name here>: open <file name here>: permission denied (secrethub.in_file_read_error)
I've tried setting 777 permissions on the file in question and I still get this issue.
This is happening on Ubuntu 20.04.1 LTS, using the secrethub-cli snap.
secrethub --version gives: secrethub version 0.34.0, build 549b444
I've done a lot of googling and have been unable to find anything online or in the SecretHub documentation. I hope we can get to the bottom of this, as it's a real pain having to copy and paste manually at the moment.
EDIT:
I've discovered that this ONLY occurs on the snap version. The same commands using the secrethub-cli downloaded from APT worked first time.
I am unable to perform the migration as the OP_SESSION variable is always empty
$ eval $(op signin)
$ secrethub migrate plan ###
Encountered an error: OP_SESSION environment variable not found, run `eval $(op signin)` to set one
cli versions:
$ secrethub -v
secrethub version 0.44.0, build d29a942
$ op -v
2.7.1
Currently, the secrethub migrate commands require 1Password CLI version 1 to be installed. Now that 1Password CLI 2.0 is in Early Access, the migration commands should support both versions, so that you can install the 1Password v2 beta CLI and use that for the migration from SecretHub to 1Password.
Hello :)
Not sure if it's the right place to put this issue (or if it's on your end).
Since Friday 18 February, we have an issue using Secrethub in our CI (github actions). This is due to an error when using the script from https://apt.secrethub.io/ (which is the script given in the doc https://secrethub.io/docs/reference/cli/install/).
The error is "File has unexpected size (402 != 400). Mirror sync in progress?"
Therefore I am not sure if we just need to wait a couple more days for the mirror to sync (but it seems a long time to me)
Waiting for your answer :)
(and sorry again if it's not the right place ;) )
Create a new docker using ubuntu latest and run a bash terminal.
docker run -i -t ubuntu:latest /bin/bash
Then in the bash, follow the instructions stated in https://apt.secrethub.io/
apt-get update && apt-get install -y curl gnupg2
curl -fsSL https://apt.secrethub.io/pub | apt-key add -
echo "deb https://apt.secrethub.io stable main" > /etc/apt/sources.list.d/secrethub.sources.list && apt-get update
apt-get install -y secrethub-cli
You should see an error during the apt-get update of the 3rd line.
root@d2fd2cbabb36:/# apt-get update
Hit:1 http://archive.ubuntu.com/ubuntu focal InRelease
Hit:2 http://archive.ubuntu.com/ubuntu focal-updates InRelease
Get:3 https://apt.secrethub.io stable InRelease [2679 B]
Hit:4 http://archive.ubuntu.com/ubuntu focal-backports InRelease
Hit:5 http://security.ubuntu.com/ubuntu focal-security InRelease
Get:6 https://apt.secrethub.io stable/main amd64 Packages [400 B]
Err:6 https://apt.secrethub.io stable/main amd64 Packages
File has unexpected size (402 != 400). Mirror sync in progress? [IP: 13.32.145.117 443]
Hashes of expected file:
- Filesize:400 [weak]
- SHA256:f7c0d9e046bae66ed02bada097ca5036756bc0cb8faab1ba875fc7aed1e04be8
- SHA1:6e13648d9fb5d9c39b86d9095edc3e428e66c6de [weak]
- MD5Sum:06a2e516db468ac83df0d52b4aae352b [weak]
Release file created at: Thu, 26 Aug 2021 18:55:48 +0000
Fetched 2679 B in 1s (2821 B/s)
Reading package lists... Done
E: Failed to fetch https://apt.secrethub.io/dists/stable/main/binary-amd64/Packages.gz File has unexpected size (402 != 400). Mirror sync in progress? [IP: 13.32.145.117 443]
Hashes of expected file:
- Filesize:400 [weak]
- SHA256:f7c0d9e046bae66ed02bada097ca5036756bc0cb8faab1ba875fc7aed1e04be8
- SHA1:6e13648d9fb5d9c39b86d9095edc3e428e66c6de [weak]
- MD5Sum:06a2e516db468ac83df0d52b4aae352b [weak]
Release file created at: Thu, 26 Aug 2021 18:55:48 +0000
E: Some index files failed to download. They have been ignored, or old ones used instead.
Would be nice if the run command would not look for the credential if the .env file doesn't specify any secrets. If they're not there, then why bother looking for the credential?
To still be able to validate the credential (existence) upfront, a command secrethub validate-credential could be added.
When I use a custom config directory, I get the error message:
Encountered an error: could not find credential file. Run `secrethub signup` to create an account.
However, when I specify the credential file directly from the config directory, it seems to work.
# secrethub --version
secrethub version 0.34.0, build 549b444
# echo $SECRETHUB_CONFIG_DIR
/user/config/.secrethub
# secrethub read example/secret
Encountered an error: could not find credential file. Run `secrethub signup` to create an account.
# secrethub --config-dir='/user/config/.secrethub' read example/secret
Encountered an error: could not find credential file. Run `secrethub signup` to create an account.
# secrethub --credential=`cat $SECRETHUB_CONFIG_DIR/credential` read example/secret
success
secrethub should respect the config directory settings, and find/read the credential file in the config directory.
I tried looking in https://github.com/secrethub/secrethub-go/blob/4b34720c13328528a5db7fc1c588b8e4c2b6b451/pkg/secrethub/configdir/dir.go#L36-L58, and it seems like it should do the expected thing -- so I'm super stumped.
I've also made sure it isn't a UNIX permission issue with the credential file, since I used root to perform the reproduction steps.
Hey there, so I have been reading the documentation and I haven't found a way to dump a list of variables already set in my .env file as children of a secrets directory in my account. There is an option called -i but this dumps a full .env file in one child, but I am talking about adding each variable of the file as a child in the tree, either considering some tree structure from the var names (it would be the reverse implementation of the proposal in #286) or just adding each var as a direct child. It could be added as a --dump option in the write command:
secrethub write -d/--dump path/to/env/file path/to/secrethub/dir
// .env file
AWS_ACCESS_KEY_ID
AWS_SECRET_ACCESS_KEY
DB_USERNAME
DB_PASSWORD
would map to
org/repo/my-app/
  aws/
    access_key_id
    secret_access_key
  db/
    username
    password
What do you think?
When the subcommand of run writes to both stdout and stderr and secret masking is enabled, the output of stdout and stderr is mixed, resulting in potentially unreadable output.
When wrapping this example in secrethub run the output can be any of these:
123
213
132
When the subcommand writes to both stdout and stderr, the order in which is written to the two of these is preserved.
When wrapping this example in secrethub run the output is always 123.
Currently, a secrethub.env file has to be created to easily map multiple secrets to environment variables when using secrethub run.
However, in many cases the names of secrets already describe the names of the environment variables they should be mounted to. By adding the --secrets-dir path/to/dir flag, you could easily load all secrets to the environment.
The mapping could follow a default set of rules, e.g. replace dirs (/) with _ etc. This could drastically decrease the setup time needed, as no templates need to be written.
This tree:
org/repo/my-app/
  aws/
    access_key_id
    secret_access_key
  db/
    username
    password
Would map to:
AWS_ACCESS_KEY_ID
AWS_SECRET_ACCESS_KEY
DB_USERNAME
DB_PASSWORD
by running:
secrethub run --secrets-dir=org/repo/my-app/ -- node app.js
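The following Go example was added for this page (it is not secrethub-cli code). It shows the path-to-environment mapping described here together with the reverse direction proposed above for write --dump; the first-underscore split rule, the collision error and the minimal .env parsing are assumptions.

```go
package main

import (
	"fmt"
	"strings"
)

// EnvName maps one secret path below secretsDir to an environment variable
// name with the rule sketched in the proposal: drop the directory prefix,
// replace the remaining "/" with "_" and uppercase the result.
func EnvName(secretsDir, secretPath string) (string, error) {
	root := strings.TrimSuffix(secretsDir, "/") + "/"
	rel := strings.TrimPrefix(secretPath, root)
	if rel == secretPath || rel == "" {
		return "", fmt.Errorf("%s is not a secret below %s", secretPath, root)
	}
	return strings.ToUpper(strings.ReplaceAll(rel, "/", "_")), nil
}

// EnvFromTree maps every secret under secretsDir and refuses ambiguous trees:
// db/user_name and db_user/name would both become DB_USER_NAME, and silently
// keeping one of them would hand the program the wrong secret (assumed policy).
func EnvFromTree(secretsDir string, secretPaths []string) (map[string]string, error) {
	env := map[string]string{}
	for _, p := range secretPaths {
		name, err := EnvName(secretsDir, p)
		if err != nil {
			return nil, err
		}
		if prev, dup := env[name]; dup {
			return nil, fmt.Errorf("%s and %s both map to %s", prev, p, name)
		}
		env[name] = p
	}
	return env, nil
}

// SecretPath is the reverse direction proposed for `write --dump`: the first
// underscore becomes a directory level (AWS_ACCESS_KEY_ID -> aws/access_key_id)
// and a name without one becomes a direct child. The split rule is an assumption.
func SecretPath(secretsDir, envName string) string {
	name := strings.ToLower(envName)
	if i := strings.Index(name, "_"); i > 0 && i < len(name)-1 {
		name = name[:i] + "/" + name[i+1:]
	}
	return strings.TrimSuffix(secretsDir, "/") + "/" + name
}

// DumpEnvFile parses KEY=value lines of a .env file (blank lines and '#'
// comments skipped, surrounding quotes stripped) into secret path -> value.
func DumpEnvFile(secretsDir, content string) (map[string]string, error) {
	secrets := map[string]string{}
	for n, line := range strings.Split(content, "\n") {
		line = strings.TrimSpace(line)
		if line == "" || strings.HasPrefix(line, "#") {
			continue
		}
		key, value, ok := strings.Cut(line, "=")
		if !ok || strings.TrimSpace(key) == "" {
			return nil, fmt.Errorf("line %d: expected KEY=value", n+1)
		}
		value = strings.Trim(strings.TrimSpace(value), `"'`)
		secrets[SecretPath(secretsDir, strings.TrimSpace(key))] = value
	}
	return secrets, nil
}

func main() {
	// Constructed sample .env; the values are placeholders, not real credentials.
	secrets, err := DumpEnvFile("org/repo/my-app", "AWS_ACCESS_KEY_ID=AKIAEXAMPLE\n# db\nDB_PASSWORD=\"example\"\n")
	fmt.Println(secrets, err)
}
```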
I'm seeing this now, your call to pick it up or not, but why are we printing out generating...writing...write complete? If we want to print anything out, would generating... generate complete be sufficient?
Originally posted by @mackenbach in https://github.com/_render_node/MDIzOlB1bGxSZXF1ZXN0UmV2aWV3VGhyZWFkMjAxMTMxMzgxOnYy/pull_request_review_threads/discussion