google_cloud_env_secrets 0.1.1 → 1.0.2
- checksums.yaml +4 -4
- data/README.md +14 -5
- data/lib/google_cloud_env_secrets/config.rb +16 -0
- data/lib/google_cloud_env_secrets/railtie.rb +23 -8
- data/lib/google_cloud_env_secrets/secrets.rb +26 -6
- data/lib/google_cloud_env_secrets/version.rb +1 -1
- data/lib/tasks/google_cloud_env_secrets_tasks.rake +6 -2
- metadata +2 -2
checksums.yaml
CHANGED
@@ -1,7 +1,7 @@
|
|
1
1
|
---
|
2
2
|
SHA256:
|
3
|
-
metadata.gz:
|
4
|
-
data.tar.gz:
|
3
|
+
metadata.gz: 0f6fb0a3005e03c0be10f2e423f049ec2c103f44696f43eb47f62bdfc5d4a109
|
4
|
+
data.tar.gz: c2111c2c4a8819321a1875c46651a16d847b1f6fb9e20d6ea821ae136571a38c
|
5
5
|
SHA512:
|
6
|
-
metadata.gz:
|
7
|
-
data.tar.gz:
|
6
|
+
metadata.gz: 4a1a64482d17981bc421768820d5b07b40a5c6dd0a64c93b80f01bed0ae61b425a7938a2faf1b961b4401e25840d286dbd84ec191cb158d30a1902043a2b5722
|
7
|
+
data.tar.gz: 44d02eb848d40f9314d4d7fa4a16c2f57e1aa020b130d6843810b74245b11d5d96c6b2cc8c13651fd51b701c49068994ffc008a21b81dab6242c07733265853d
|
data/README.md
CHANGED
@@ -23,12 +23,20 @@ $ gem install google_cloud_env_secrets
|
|
23
23
|
|
24
24
|
Configure this gem with environment vars:
|
25
25
|
|
26
|
-
| Variable
|
27
|
-
|
28
|
-
| `GOOGLE_APPLICATION_CREDENTIALS`
|
29
|
-
| `GOOGLE_PROJECT`
|
30
|
-
| `GOOGLE_SECRETS_PREFIX`
|
26
|
+
| Variable | Description |
|
27
|
+
|---------------------------------------|--------------------------------------------------------------------|
|
28
|
+
| `GOOGLE_APPLICATION_CREDENTIALS` | Google Application Credentials, path or data (not base64 encoded). |
|
29
|
+
| `GOOGLE_PROJECT` | Google project |
|
30
|
+
| `GOOGLE_SECRETS_PREFIX` | Only load secrets that start with given prefix. |
|
31
|
+
| `GOOGLE_SECRETS_OVERLOAD` | Replace existing ENV vars with secret's value. Default `true`. |
|
31
32
|
|
33
|
+
The `GOOGLE_APPLICATION_CREDENTIALS` and `GOOGLE_PROJECT` variables are both optional. If not given,
|
34
|
+
we will detect them automatically, if run on Google Cloud.
|
35
|
+
|
36
|
+
Google Secrets are available after the [before_configuration hook](https://guides.rubyonrails.org/configuring.html#initialization-events).
|
37
|
+
You can call `GoogleCloudEnvSecrets.load` if you need the ENV secrets sooner than that.
|
38
|
+
|
39
|
+
See [docs](https://www.rubydoc.info/github/mattes/rails_google_cloud_env_secrets/main), too.
|
32
40
|
|
33
41
|
## Required IAM Roles
|
34
42
|
|
@@ -36,3 +44,4 @@ Configure this gem with environment vars:
|
|
36
44
|
Secret Manager Secret Accessor
|
37
45
|
Secret Manager Viewer
|
38
46
|
```
|
47
|
+
|
@@ -1,12 +1,16 @@
|
|
1
|
+
require "json"
|
2
|
+
|
1
3
|
module GoogleCloudEnvSecrets
|
2
4
|
class Configuration
|
3
5
|
attr_accessor :project
|
4
6
|
attr_accessor :credentials
|
5
7
|
attr_accessor :cache_secrets
|
6
8
|
attr_accessor :prefix
|
9
|
+
attr_accessor :overload
|
7
10
|
|
8
11
|
def initialize
|
9
12
|
@cache_secrets = true
|
13
|
+
@overload = true
|
10
14
|
end
|
11
15
|
end
|
12
16
|
|
@@ -18,4 +22,16 @@ module GoogleCloudEnvSecrets
|
|
18
22
|
self.configuration ||= Configuration.new
|
19
23
|
yield(configuration)
|
20
24
|
end
|
25
|
+
|
26
|
+
def self.parse_project_from_credentials(credentials)
|
27
|
+
if File.exist?(credentials)
|
28
|
+
j = JSON.parse(File.read(credentials))
|
29
|
+
return j["project_id"]
|
30
|
+
else
|
31
|
+
j = JSON.parse(credentials)
|
32
|
+
return j["project_id"]
|
33
|
+
end
|
34
|
+
rescue
|
35
|
+
nil
|
36
|
+
end
|
21
37
|
end
|
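Review bot: The bare `rescue` at the end of `parse_project_from_credentials` turns every failure (unreadable file, malformed JSON, a nil argument) into `nil`, so a broken `GOOGLE_APPLICATION_CREDENTIALS` value is indistinguishable from one that simply has no `project_id`. In `load` the result is followed by `|| Google::Cloud.env.project_id`, so the process can quietly fall back to the ambient project and read secrets from a project other than the one the operator intended. I would narrow it to `rescue JSON::ParserError, SystemCallError, TypeError` and emit a `warn` that names the variable but never its value. The two branches differ only in where the JSON text comes from, so `raw = File.exist?(credentials) ? File.read(credentials) : credentials` followed by a single `JSON.parse(raw)["project_id"]` would read more plainly.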
@@ -1,14 +1,29 @@
|
|
1
1
|
module GoogleCloudEnvSecrets
|
2
2
|
class Railtie < ::Rails::Railtie
|
3
|
-
initializer "google_cloud_env_secrets.initialize", after: :bootstrap_hook do |app|
|
4
|
-
GoogleCloudEnvSecrets.configure do |config|
|
5
|
-
config.credentials = ENV["GOOGLE_APPLICATION_CREDENTIALS"] || nil
|
6
|
-
config.project = ENV["GOOGLE_PROJECT"] || Google::Cloud.env.project_id
|
7
|
-
config.prefix = ENV["GOOGLE_SECRETS_PREFIX"] || nil
|
8
|
-
end
|
9
3
|
|
10
|
-
|
11
|
-
|
4
|
+
# load Google Secrets during Rails `before_configuration` hook
|
5
|
+
config.before_configuration do
|
6
|
+
GoogleCloudEnvSecrets.load
|
7
|
+
end
|
8
|
+
|
9
|
+
rake_tasks do
|
10
|
+
load "tasks/google_cloud_env_secrets_tasks.rake"
|
12
11
|
end
|
13
12
|
end
|
13
|
+
|
14
|
+
# load Google Secrets into ENV
|
15
|
+
def self.load
|
16
|
+
GoogleCloudEnvSecrets.configure do |config|
|
17
|
+
config.credentials = ENV["GOOGLE_APPLICATION_CREDENTIALS"] || nil
|
18
|
+
config.project = ENV["GOOGLE_PROJECT"] || GoogleCloudEnvSecrets.parse_project_from_credentials(config.credentials) || Google::Cloud.env.project_id
|
19
|
+
config.prefix = ENV["GOOGLE_SECRETS_PREFIX"] || nil
|
20
|
+
|
21
|
+
if ENV.has_key?("GOOGLE_SECRETS_OVERLOAD")
|
22
|
+
config.overload = ENV["GOOGLE_SECRETS_OVERLOAD"]&.to_s&.downcase == "true"
|
23
|
+
end
|
24
|
+
end
|
25
|
+
|
26
|
+
secrets = GoogleCloudEnvSecrets.all
|
27
|
+
GoogleCloudEnvSecrets.inject_env!(secrets, GoogleCloudEnvSecrets.configuration.overload)
|
28
|
+
end
|
14
29
|
end
|
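Review bot: `load` passes `configuration.overload` to `inject_env!`, and that setting defaults to `true` (`@overload = true` in config.rb), so out of the box any secret whose name matches an existing variable replaces it during `before_configuration`. With `GOOGLE_SECRETS_PREFIX` unset, this appears to let anyone who can create secrets in the project override variables the process already relies on, including `GOOGLE_APPLICATION_CREDENTIALS` itself; this should be confirmed against the filtering in `GoogleCloudEnvSecrets.all`, which is not fully visible here. A non-overwriting default (`@overload = false`) would be safer, or at least a comment above `def self.load` stating the precedence, e.g. `# Secrets overwrite existing ENV entries unless GOOGLE_SECRETS_OVERLOAD is set to something other than "true".` The `&.to_s&.` chain on the `GOOGLE_SECRETS_OVERLOAD` line is redundant inside the `has_key?` guard; `ENV["GOOGLE_SECRETS_OVERLOAD"].strip.downcase == "true"` would also tolerate stray whitespace.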
@@ -2,10 +2,21 @@ module GoogleCloudEnvSecrets
|
|
2
2
|
def self.all
|
3
3
|
@secrets = nil unless self.configuration.cache_secrets
|
4
4
|
@secrets ||= begin
|
5
|
+
# Skip if not running on Google Cloud and credentials are not set explicitly
|
6
|
+
if self.configuration.credentials.nil? && Google::Cloud.env.project_id.nil?
|
7
|
+
return {}
|
8
|
+
end
|
9
|
+
|
5
10
|
# Configure and initialize
|
6
11
|
# https://googleapis.dev/ruby/google-cloud-secret_manager/latest/Google/Cloud/SecretManager.html
|
7
12
|
Google::Cloud::SecretManager.configure do |config|
|
8
|
-
|
13
|
+
if self.configuration.credentials
|
14
|
+
if File.exist?(self.configuration.credentials)
|
15
|
+
config.credentials = self.configuration.credentials # load by file
|
16
|
+
else
|
17
|
+
config.credentials = JSON.parse(self.configuration.credentials) # load data
|
18
|
+
end
|
19
|
+
end
|
9
20
|
end
|
10
21
|
|
11
22
|
client = Google::Cloud::SecretManager.secret_manager_service
|
@@ -38,17 +49,26 @@ module GoogleCloudEnvSecrets
|
|
38
49
|
|
39
50
|
secrets
|
40
51
|
end
|
41
|
-
|
52
|
+
|
53
|
+
@secrets || {}
|
42
54
|
end
|
43
55
|
|
44
56
|
def self.find(name)
|
45
|
-
self.all
|
46
|
-
|
57
|
+
self.all[name.to_s]
|
58
|
+
end
|
59
|
+
|
60
|
+
def self.exist?(name)
|
61
|
+
self.all.has_key?(name.to_s)
|
47
62
|
end
|
48
63
|
|
49
|
-
def self.inject_env!(secrets = {})
|
64
|
+
def self.inject_env!(secrets = {}, overload = true, env = ENV)
|
50
65
|
secrets.each do |name, value|
|
51
|
-
|
66
|
+
name = name.to_s
|
67
|
+
if overload
|
68
|
+
env[name] = value
|
69
|
+
else
|
70
|
+
env[name] ||= value
|
71
|
+
end
|
52
72
|
end
|
53
73
|
end
|
54
74
|
end
|
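Review bot: In the `else` branch of the credentials block, `JSON.parse(self.configuration.credentials)` runs on any value that is not an existing path, so a mistyped file path or a truncated inline key raises `JSON::ParserError` during boot. That exception's message usually quotes the text it failed on, which here is credential material that would end up in boot logs or an error tracker. Rescue it and re-raise without the value: `rescue JSON::ParserError` followed by `raise ArgumentError, "GOOGLE_APPLICATION_CREDENTIALS is neither a readable file nor valid JSON"`. Separately, `inject_env!` assigns `value` straight into `env`, and `ENV[]=` raises `TypeError` for a non-String, so a short comment above the method stating the expected value type would help. The body of `all` continues outside the visible hunks.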
@@ -1,5 +1,9 @@
|
|
1
1
|
desc "Fetch Google Cloud Secret"
|
2
2
|
task :google_cloud_secret do
|
3
|
-
name =
|
4
|
-
|
3
|
+
name = ENV["NAME"].strip
|
4
|
+
|
5
|
+
fail "#{name} not found" unless GoogleCloudEnvSecrets.exist?(name)
|
6
|
+
|
7
|
+
$stdout.sync = true
|
8
|
+
print GoogleCloudEnvSecrets.find(name)
|
5
9
|
end
|
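Review bot: `ENV["NAME"].strip` raises `NoMethodError` on `nil` when the task is run without `NAME`, before the clearer `fail "#{name} not found"` message can be reached. `name = ENV.fetch("NAME").strip` gives a `KeyError` that names the missing variable instead. Because the task prints the secret value to stdout, a comment above the task would be a useful caveat for operators, for example `# Prints the secret value in plaintext; avoid running where stdout is captured in logs.`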
metadata
CHANGED
@@ -1,14 +1,14 @@
|
|
1
1
|
--- !ruby/object:Gem::Specification
|
2
2
|
name: google_cloud_env_secrets
|
3
3
|
version: !ruby/object:Gem::Version
|
4
|
-
version: 0.
|
4
|
+
version: 1.0.2
|
5
5
|
platform: ruby
|
6
6
|
authors:
|
7
7
|
- Matthias Kadenbach
|
8
8
|
autorequire:
|
9
9
|
bindir: bin
|
10
10
|
cert_chain: []
|
11
|
-
date: 2020-10-
|
11
|
+
date: 2020-10-11 00:00:00.000000000 Z
|
12
12
|
dependencies:
|
13
13
|
- !ruby/object:Gem::Dependency
|
14
14
|
name: rails
|